GROK filter is not parsing the windows firewall logs for ICMP traffic

Prabhu_Chinnasamy · April 15, 2020, 12:06am

All,

I am sending the windows firewall logs to logstash and created a GROK filter to parse the log.
my GROK filter is:

"%{TIMESTAMP_ISO8601:TimeStamp} %{WORD:Action} %{WORD:Protocol} %{IP:Source_IP} %{IP:Destination_IP} %{INT:SrcPort} %{INT:DstPort} %{INT:Size} %{GREEDYDATA:Flags} %{GREEDYDATA:Direction}

Its parsing the logs perfectly for TCP and UDP protocols but for the ICMP traffic its not doing that.
in Kibana all I see for ICMP connections is:

Please help.

Fabio-sama · April 15, 2020, 8:48am

Hi there,

do those documents have _grokparsefailure in their tags field? Can you share here a sample of ICMP event you're trying to parse?

Prabhu_Chinnasamy · April 15, 2020, 3:11pm

HI Fabio,

no errors but the fileds are blank in kibana for ICMP traffic.

I amusing the below GROK filters:
%{TIMESTAMP_ISO8601:TimeStamp} %{WORD:Action} %{WORD:Protocol} %{IP:Source IP} %{IP:Destination IP} %{INT:SrcPort} %{INT:DstPort} %{INT:Size} %{GREEDYDATA:Flags} %{GREEDYDATA:Direction}

And,
I see all the fields in kibana for TCP /UDP traffic:
Sample TCP log:
2020-04-14 14:51:12 ALLOW TCP 127.0.0.1 127.0.0.1 61010 49671 0 - 0 0 0 - - - RECEIVE

BUt for ICMP traffic, the fields in kibana are empty:
Sample ICMP traffic:
2020-04-14 15:46:03 ALLOW ICMP 10.34.1.176 10.100.24.146 - - 0 - - - - 8 0 - RECEIVE

When i try in GROK debugger, looks like the pattern is not matching for the fields in ICMP srcport /destport " - - 0 - - - - " as ICMP traffic will not be having source or destination port in log.

Need help to build GROK filter which can correctly parse teh TCP/UDP and ICMP as well so that I can see all the fields in kibana.

Badger · April 15, 2020, 3:34pm

- does not match INT. You can use alternation to match it...

(%{INT:SrcPort}|-)

Prabhu_Chinnasamy · April 15, 2020, 3:58pm

Hi Badger,

I have changed my GROK filter as below:
"%{TIMESTAMP_ISO8601:TimeStamp} %{WORD:Action} %{WORD:Protocol} %{IP:Source_IP} %{IP:Destination_IP} (%{INT:SrcPort}|-) (%{INT:DStPort}|-) %{INT:Size} %{GREEDYDATA:Flags} %{GREEDYDATA:Direction}"

Now, the ICMP traffic is logging correctly but the TCP/UDP traffic is missing the 'destport'.

Fabio-sama · April 16, 2020, 1:53pm

You sure those events do have a destination port? Can you expand one of them? Cause it seems to work properly with the TCP event you posted above:

Prabhu_Chinnasamy · April 20, 2020, 7:05pm

Correct: The ICMP traffic doesn't have dest port, thats why this field is empty. Thanks.

system · May 18, 2020, 7:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parsing Syslog with Logstash Grock Filter isn't working with Kibana Logstash	3	378	August 14, 2021
Filter Sonicwall Logstash Logstash	1	809	July 20, 2020
Logstash filter for firewall packet drops Logstash	3	584	January 5, 2021
Grokparsefailure! wtf? Logstash	8	858	June 14, 2020
Grok parsing in logstash for Windows DNS Debug Log Logstash	12	1688	January 4, 2022

GROK filter is not parsing the windows firewall logs for ICMP traffic

Related Topics