Grok help needed

Elastic Stack Logstash
1

i am a newbie to grok pattern, trying to parse the below mentioned cisco firewall syslog.
With the try struggling with what type to use to extract the interested fields, some of them works if i paste it individually, but combined it gives compile error in grox debugger.

need some help , thanks!

sample
------
May 05 2022 20:25:51   %FTD-1-400006: EventPriority: Low, DeviceUUID: cd5405c4-cea2-13eb-94ea-bdzc1md93886, InstanceID: 2, FirstPacketSecond: 2022-05-05T20:25:51Z, ConnectionID: 50568, AccessControlRuleAction: Allow, SrcIP: 178.189.7.12, DstIP: 192.16.1.31, SrcPort: 54022, DstPort: 443, Protocol: tcp, IngressInterface: CAG, EgressInterface: LAN, IngressZone: CAG, EgressZone: LAN, IngressVRF: Global, EgressVRF: Global, ACPolicy: Access Control Policy, AccessControlRuleName: 00000000-0000-0168-0700-c0eae4ec0b4a, Prefilter Policy: Default Prefilter Policy, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Invalid ID, ConnectionDuration: 0, InitiatorPackets: 8, ResponderPackets: 8, InitiatorBytes: 443, ResponderBytes: 5584, NAPPolicy: Balanced Security and Connectivity, URLReputation: Unknown, URL: https://wawa.us.net

%{SYSLOGTIMESTAMP:timestamp}, AccessControlRuleAction: %{WORD:ac_action}, AccessControlRuleName: %{DATA:ac_rule_name}, SrcIP: %{IP:src_addr}, DstIP: %{IP:dst_addr}, IngressZone: %{HOSTNAME:ingress_zone}, EgressZone: %{HOSTNAME:egress_zone}, ApplicationProtocol: %{WORD:proto}, URL: %{URIPATH:url}
2

Hi,
for your example and what is showing, a dissect and key-value pairs filter is suitable for you.

3

Thanks for your reply Ibra13.

Let me search about how to move around with dissect and key-value pair filter. Feel free to suggest some if you happen to have a link. Thanks!

4 
input {
  generator {
    lines => [ "May 05 2022 20:25:51   %FTD-1-400006: EventPriority: Low, DeviceUUID: cd5405c4-cea2-13eb-94ea-bdzc1md93886, InstanceID: 2, FirstPacketSecond: 2022-05-05T20:25:51Z, ConnectionID: 50568, AccessControlRuleAction: Allow, SrcIP: 178.189.7.12, DstIP: 192.16.1.31, SrcPort: 54022, DstPort: 443, Protocol: tcp, IngressInterface: CAG, EgressInterface: LAN, IngressZone: CAG, EgressZone: LAN, IngressVRF: Global, EgressVRF: Global, ACPolicy: Access Control Policy, AccessControlRuleName: 00000000-0000-0168-0700-c0eae4ec0b4a, Prefilter Policy: Default Prefilter Policy, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Invalid ID, ConnectionDuration: 0, InitiatorPackets: 8, ResponderPackets: 8, InitiatorBytes: 443, ResponderBytes: 5584, NAPPolicy: Balanced Security and Connectivity, URLReputation: Unknown, URL: https://wawa.us.net" ]
    count => 1
  }
}
filter {
  dissect {
    mapping => { "message" => "%{ts} %{+ts} %{+ts} %{+ts} %{changename}: %{msg}" }
  }
  kv {
    source => "msg"
    value_split => ": "
    field_split => ", "
  }
  mutate { 
    strip => [ "changename" ] 
  }  
}
output {
  stdout { codec =>  "json_lines" }
}
5

Loads of thanks aaron-nimocks for your effort to code it, appreciate it throughly.

Somehow giving error while importing it into graylog json extractor which say's 'No definition for key 'ts' found, aborting'

6

Would need to see your Logstash configuration to assist further.

7

Hi Aaron, i did not do anything with Logstash config while setting up graylog (admist exploring few days ago). I see it can import grok pattern as json format to parse the input of cisco logs (Raw/Plaintext UDP)

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.