Grok help needed

I am a newbie to grok patterns, trying to parse the Cisco firewall syslog below.
While trying, I'm struggling with what types to use to extract the fields of interest; some of them work if I paste them individually, but combined they give a compile error in the Grok debugger.

Need some help, thanks!

sample
------
May 05 2022 20:25:51   %FTD-1-400006: EventPriority: Low, DeviceUUID: cd5405c4-cea2-13eb-94ea-bdzc1md93886, InstanceID: 2, FirstPacketSecond: 2022-05-05T20:25:51Z, ConnectionID: 50568, AccessControlRuleAction: Allow, SrcIP: 178.189.7.12, DstIP: 192.16.1.31, SrcPort: 54022, DstPort: 443, Protocol: tcp, IngressInterface: CAG, EgressInterface: LAN, IngressZone: CAG, EgressZone: LAN, IngressVRF: Global, EgressVRF: Global, ACPolicy: Access Control Policy, AccessControlRuleName: 00000000-0000-0168-0700-c0eae4ec0b4a, Prefilter Policy: Default Prefilter Policy, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Invalid ID, ConnectionDuration: 0, InitiatorPackets: 8, ResponderPackets: 8, InitiatorBytes: 443, ResponderBytes: 5584, NAPPolicy: Balanced Security and Connectivity, URLReputation: Unknown, URL: https://wawa.us.net
%{SYSLOGTIMESTAMP:timestamp}, AccessControlRuleAction: %{WORD:ac_action}, AccessControlRuleName: %{DATA:ac_rule_name}, SrcIP: %{IP:src_addr}, DstIP: %{IP:dst_addr}, IngressZone: %{HOSTNAME:ingress_zone}, EgressZone: %{HOSTNAME:egress_zone}, ApplicationProtocol: %{WORD:proto}, URL: %{URIPATH:url}

Hi,
For your example and what it is showing, a dissect and key-value pairs filter would be suitable for you.

Thanks for your reply, Ibra13.

Let me look into how to work with the dissect and key-value pair filters. Feel free to suggest something if you happen to have a link. Thanks!

input {
  generator {
    lines => [ "May 05 2022 20:25:51   %FTD-1-400006: EventPriority: Low, DeviceUUID: cd5405c4-cea2-13eb-94ea-bdzc1md93886, InstanceID: 2, FirstPacketSecond: 2022-05-05T20:25:51Z, ConnectionID: 50568, AccessControlRuleAction: Allow, SrcIP: 178.189.7.12, DstIP: 192.16.1.31, SrcPort: 54022, DstPort: 443, Protocol: tcp, IngressInterface: CAG, EgressInterface: LAN, IngressZone: CAG, EgressZone: LAN, IngressVRF: Global, EgressVRF: Global, ACPolicy: Access Control Policy, AccessControlRuleName: 00000000-0000-0168-0700-c0eae4ec0b4a, Prefilter Policy: Default Prefilter Policy, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Invalid ID, ConnectionDuration: 0, InitiatorPackets: 8, ResponderPackets: 8, InitiatorBytes: 443, ResponderBytes: 5584, NAPPolicy: Balanced Security and Connectivity, URLReputation: Unknown, URL: https://wawa.us.net" ]
    count => 1
  }
}
filter {
  # Split the fixed header off the key-value body. The time stamp is four
  # space-separated tokens ("May 05 2022 20:25:51"); everything up to the
  # first ": " after it is the message tag (%FTD-1-400006), the rest is msg.
  dissect {
    mapping => { "message" => "%{ts} %{+ts} %{+ts} %{+ts} %{changename}: %{msg}" }
  }
  # kv's value_split / field_split treat every character of the string as a
  # separate single-character splitter, so ": " and ", " would also split on
  # plain spaces and break multi-word values such as "Access Control Policy".
  # The *_pattern options use the whole string as the delimiter.
  kv {
    source => "msg"
    value_split_pattern => ": "
    field_split_pattern => ", "
  }
  # The sample has several spaces between the time stamp and the tag, so
  # changename arrives with leading whitespace; strip it.
  mutate {
    strip => [ "changename" ]
  }
}
output {
  stdout { codec =>  "json_lines" }
}
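The same two-stage parse (header split, then key-value split) written out in Python, as an added example that is not part of the thread or of any Logstash plugin. It shows why the single-character-splitter problem matters (values such as "Access Control Policy" and keys such as "Prefilter Policy" contain spaces), and adds one check a practitioner wants on this format: the URL value is attacker-influenced and can itself contain ", Key: value", so it is cut off verbatim before pair scanning instead of being allowed to overwrite earlier fields. Assumptions, labelled in the code: URL is the trailing field of this message (true of the sample), the zone-less header time stamp is UTC (FirstPacketSecond carries a Z), and the short field names are the ones the original grok attempt used. The sample lines are constructed from the one in the thread.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the line from the thread, including the run of spaces before the tag.
SAMPLE = (
    "May 05 2022 20:25:51   %FTD-1-400006: EventPriority: Low, "
    "DeviceUUID: cd5405c4-cea2-13eb-94ea-bdzc1md93886, InstanceID: 2, "
    "FirstPacketSecond: 2022-05-05T20:25:51Z, ConnectionID: 50568, "
    "AccessControlRuleAction: Allow, SrcIP: 178.189.7.12, DstIP: 192.16.1.31, "
    "SrcPort: 54022, DstPort: 443, Protocol: tcp, IngressInterface: CAG, "
    "EgressInterface: LAN, IngressZone: CAG, EgressZone: LAN, IngressVRF: Global, "
    "EgressVRF: Global, ACPolicy: Access Control Policy, "
    "AccessControlRuleName: 00000000-0000-0168-0700-c0eae4ec0b4a, "
    "Prefilter Policy: Default Prefilter Policy, Client: SSL client, "
    "ApplicationProtocol: HTTPS, WebApplication: Invalid ID, ConnectionDuration: 0, "
    "InitiatorPackets: 8, ResponderPackets: 8, InitiatorBytes: 443, "
    "ResponderBytes: 5584, NAPPolicy: Balanced Security and Connectivity, "
    "URLReputation: Unknown, URL: https://wawa.us.net"
)

# Constructed hostile variant: the URL carries a fake ", Key: value" pair.
INJECTED = SAMPLE.replace(
    "URL: https://wawa.us.net",
    "URL: https://wawa.us.net/?q=1, AccessControlRuleAction: Block",
)

# Header: "<Mon> <DD> <YYYY> <HH:MM:SS>   %<FACILITY>-<severity>-<message id>: <body>"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"%(?P<facility>[A-Z]+)-(?P<severity>\d)-(?P<mnemonic>\d+): (?P<body>.*)$"
)

# One "Key: value" pair. Keys are letters and spaces ("Prefilter Policy"); a value runs
# until the next ", Key: " or end of string, so spaces and colons inside values are fine.
PAIR_RE = re.compile(r"(?P<key>[A-Za-z][A-Za-z ]*?): (?P<value>.*?)(?=, [A-Za-z][A-Za-z ]*: |$)")

INT_FIELDS = {"InstanceID", "ConnectionID", "SrcPort", "DstPort", "ConnectionDuration",
              "InitiatorPackets", "ResponderPackets", "InitiatorBytes", "ResponderBytes"}

# Short names taken from the original grok attempt (hypothetical naming, kept for comparison).
ALIASES = {"AccessControlRuleAction": "ac_action", "AccessControlRuleName": "ac_rule_name",
           "SrcIP": "src_addr", "DstIP": "dst_addr", "IngressZone": "ingress_zone",
           "EgressZone": "egress_zone", "ApplicationProtocol": "proto", "URL": "url"}


def split_pairs(body: str) -> dict:
    """Equivalent of the kv step, with one hardening: URL is the trailing field in this
    message (assumption from the sample) and is attacker-influenced, so it is cut off
    verbatim before scanning. Otherwise a URL containing ", AccessControlRuleAction: Block"
    would overwrite the real verdict."""
    url = None
    if ", URL: " in body:
        body, url = body.split(", URL: ", 1)
    fields = {}
    for m in PAIR_RE.finditer(body):
        key, value = m["key"], m["value"]
        fields[key] = int(value) if key in INT_FIELDS and value.isdigit() else value
    if url is not None:
        fields["URL"] = url
    return fields


def parse_ftd_line(line: str) -> dict:
    """Equivalent of the dissect step, followed by split_pairs()."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not an FTD syslog line: %r" % line[:60])
    # The header time stamp carries no zone; FirstPacketSecond is UTC, so assume UTC here.
    ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    fields = split_pairs(m["body"])
    return {
        "timestamp": ts.isoformat(),
        "facility": m["facility"],          # "FTD"
        "severity": int(m["severity"]),     # level from the %FTD-<level>-<id> tag
        "mnemonic": m["mnemonic"],          # "400006"
        "fields": fields,
        "short": {alias: fields.get(k) for k, alias in ALIASES.items()},
    }


if __name__ == "__main__":
    import json
    for line in (SAMPLE, INJECTED):
        print(json.dumps(parse_ftd_line(line), indent=2))
```

Run it and compare the two outputs: on the injected line the rule action stays "Allow" and the whole hostile string lands in URL. If you drop the URL cut-off in split_pairs, PAIR_RE will happily parse the planted pair and overwrite AccessControlRuleAction with "Block", which is exactly what a kv filter with ", " and ": " delimiters does too, so any free-text field a client can influence deserves the same treatment.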

Loads of thanks, aaron-nimocks, for your effort to code it; I appreciate it thoroughly.

Somehow it gives an error while importing it into the Graylog JSON extractor, which says 'No definition for key 'ts' found, aborting'.

Would need to see your Logstash configuration to assist further.

Hi Aaron, I did not do anything with the Logstash config while setting up Graylog (amidst exploring a few days ago). I see it can import grok patterns in JSON format to parse the input of Cisco logs (Raw/Plaintext UDP).
