no errors, but the fields are blank in Kibana for ICMP traffic.
I am using the below GROK filter:
%{TIMESTAMP_ISO8601:TimeStamp} %{WORD:Action} %{WORD:Protocol} %{IP:Source IP} %{IP:Destination IP} %{INT:SrcPort} %{INT:DstPort} %{INT:Size} %{GREEDYDATA:Flags} %{GREEDYDATA:Direction}
And,
I see all the fields in Kibana for TCP/UDP traffic:
Sample TCP log:
2020-04-14 14:51:12 ALLOW TCP 127.0.0.1 127.0.0.1 61010 49671 0 - 0 0 0 - - - RECEIVE
But for ICMP traffic, the fields in Kibana are empty:
Sample ICMP traffic:
2020-04-14 15:46:03 ALLOW ICMP 10.34.1.176 10.100.24.146 - - 0 - - - - 8 0 - RECEIVE
When I try it in the GROK debugger, it looks like the pattern is not matching the ICMP srcport/destport fields " - - 0 - - - - ", as ICMP traffic will not have a source or destination port in the log.
I need help building a GROK filter which can correctly parse TCP/UDP as well as ICMP, so that I can see all the fields in Kibana.
I have changed my GROK filter as below:
"%{TIMESTAMP_ISO8601:TimeStamp} %{WORD:Action} %{WORD:Protocol} %{IP:Source_IP} %{IP:Destination_IP} (%{INT:SrcPort}|-) (%{INT:DstPort}|-) %{INT:Size} %{GREEDYDATA:Flags} %{GREEDYDATA:Direction}"
Now the ICMP traffic is logging correctly, but the TCP/UDP traffic is missing the 'destport'.
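The pattern from the post, with `(INT|-)` alternatives for both port fields, expressed as a plain Python regex so it can be checked against both log shapes offline. This is an added example, not code from the original post; the field names mirror the grok pattern (note the single consistent spelling `DstPort`), and the two sample lines are constructed from the shapes quoted above.

```python
import re

# Regex equivalent of the grok pattern in the post: "-" is accepted in place of a
# port number so ICMP lines match, and the last token is captured as Direction.
# Assumption: every line follows the layout of the two samples quoted above.
LOG_LINE = re.compile(
    r"^(?P<TimeStamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<Action>\w+) (?P<Protocol>\w+) "
    r"(?P<Source_IP>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<Destination_IP>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<SrcPort>\d+|-) (?P<DstPort>\d+|-) (?P<Size>\d+) "
    r"(?P<Flags>.*) (?P<Direction>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    # A "-" port (ICMP) becomes None rather than breaking the whole match.
    for key in ("SrcPort", "DstPort"):
        fields[key] = None if fields[key] == "-" else int(fields[key])
    fields["Size"] = int(fields["Size"])
    return fields


# Constructed sample lines in the TCP and ICMP shapes from the post.
SAMPLE_LINES = [
    "2020-04-14 14:51:12 ALLOW TCP 127.0.0.1 127.0.0.1 61010 49671 0 - 0 0 0 - - - RECEIVE",
    "2020-04-14 15:46:03 ALLOW ICMP 10.34.1.176 10.100.24.146 - - 0 - - - - 8 0 - RECEIVE",
]


def parse_all(lines=SAMPLE_LINES):
    """Parse a list of lines; unmatched lines come back as None."""
    return [parse_line(line) for line in lines]


if __name__ == "__main__":
    for record in parse_all():
        print(record)
```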