GROK filter is not parsing the windows firewall logs for ICMP traffic

Prabhu_Chinnasamy · April 15, 2020, 12:06am

All,

I am sending the windows firewall logs to logstash and created a GROK filter to parse the log.
my GROK filter is:

"%{TIMESTAMP_ISO8601:TimeStamp} %{WORD:Action} %{WORD:Protocol} %{IP:Source_IP} %{IP:Destination_IP} %{INT:SrcPort} %{INT:DstPort} %{INT:Size} %{GREEDYDATA:Flags} %{GREEDYDATA:Direction}

Its parsing the logs perfectly for TCP and UDP protocols but for the ICMP traffic its not doing that.
in Kibana all I see for ICMP connections is:

Please help.

Fabio-sama · April 15, 2020, 8:48am

Hi there,

do those documents have _grokparsefailure in their tags field? Can you share here a sample of ICMP event you're trying to parse?

Prabhu_Chinnasamy · April 15, 2020, 3:11pm

HI Fabio,

no errors but the fileds are blank in kibana for ICMP traffic.

I amusing the below GROK filters:
%{TIMESTAMP_ISO8601:TimeStamp} %{WORD:Action} %{WORD:Protocol} %{IP:Source IP} %{IP:Destination IP} %{INT:SrcPort} %{INT:DstPort} %{INT:Size} %{GREEDYDATA:Flags} %{GREEDYDATA:Direction}

And,
I see all the fields in kibana for TCP /UDP traffic:
Sample TCP log:
2020-04-14 14:51:12 ALLOW TCP 127.0.0.1 127.0.0.1 61010 49671 0 - 0 0 0 - - - RECEIVE

BUt for ICMP traffic, the fields in kibana are empty:
Sample ICMP traffic:
2020-04-14 15:46:03 ALLOW ICMP 10.34.1.176 10.100.24.146 - - 0 - - - - 8 0 - RECEIVE

When i try in GROK debugger, looks like the pattern is not matching for the fields in ICMP srcport /destport " - - 0 - - - - " as ICMP traffic will not be having source or destination port in log.

Need help to build GROK filter which can correctly parse teh TCP/UDP and ICMP as well so that I can see all the fields in kibana.

Badger · April 15, 2020, 3:34pm

- does not match INT. You can use alternation to match it...

(%{INT:SrcPort}|-)

Prabhu_Chinnasamy · April 15, 2020, 3:58pm

Hi Badger,

I have changed my GROK filter as below:
"%{TIMESTAMP_ISO8601:TimeStamp} %{WORD:Action} %{WORD:Protocol} %{IP:Source_IP} %{IP:Destination_IP} (%{INT:SrcPort}|-) (%{INT:DStPort}|-) %{INT:Size} %{GREEDYDATA:Flags} %{GREEDYDATA:Direction}"

Now, the ICMP traffic is logging correctly but the TCP/UDP traffic is missing the 'destport'.

Fabio-sama · April 16, 2020, 1:53pm

You sure those events do have a destination port? Can you expand one of them? Cause it seems to work properly with the TCP event you posted above:

Prabhu_Chinnasamy · April 20, 2020, 7:05pm

Correct: The ICMP traffic doesn't have dest port, thats why this field is empty. Thanks.

system · May 18, 2020, 7:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.