Grok help with Cisco Firepower 2130

Hello,
I'm new to grok. I want to put Cisco Firepower 2130 logs into Elasticsearch.
I'm getting 6 different types of log lines, so how do I write the grok filter?
I've created 6 different grok filters and checked them with the grok debugger; all are working, but I'm unable to put the filters into grok.
I want to know how to put them in with if or some other different statements.

Thanks in advance

Can you provide an example log and your current grok filter for review?

These are only two examples; I have 6 in total with different log types.

Dec 6 04:17:50 firepower2130 SFIMS: Protocol: TCP, SrcIP: X.X.X.X, OriginalClientIP: ::, DstIP: X.X.X.X, SrcPort: 38222, DstPort: 443, TCPFlags: 0x0, IngressZone: Outside_SDC, EgressZone: Inside_SDC, DE: Primary Detection Engine (a403c8ac-f133-11e9-aa8a-f9e616853924), Policy: FP-2130-SDC, ConnectType: Start, AccessControlRuleName: Default_IPS_Only, AccessControlRuleAction: Allow, Prefilter Policy: Default Prefilter Policy, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 454, ResponderBytes: 78, NAPPolicy: Security Over Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: ANY, URLReputation: Well known, URL: https://test.com

Dec 6 04:17:50 firepower2130 SFIMS: Protocol: UDP, SrcIP: X.X.X.X, OriginalClientIP: ::, DstIP: X.X.X.X, SrcPort: 11492, DstPort: 53, TCPFlags: 0x0, IngressZone: Inside, EgressZone: Outside, DE: Primary Detection Engine (a403c8ac-f133-11e9-aa8a-f9e616853924), Policy: FP-2130-SDC, ConnectType: Start, AccessControlRuleName: Default_IPS_Only, AccessControlRuleAction: Allow, Prefilter Policy: Default Prefilter Policy, UserName: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 89, ResponderBytes: 0, NAPPolicy: Security Over Connectivity, DNSQuery: teredo.ipv6.microsoft.com, DNSRecordType: a host address, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown

I would use dissect to parse the first two fields, then dissect to parse the rest of the line. See this for an example.
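The approach the reply describes (split off the syslog header first, then treat the remainder as generic key/value pairs) is worth seeing end to end, because it removes the need for six separate grok patterns: every SFIMS line has the same header and a ", "-separated list of "Key: value" pairs, and the six variants differ only in which keys are present. The following is an added example written for this thread, not code from the original post or from Cisco or Elastic. It implements that two-stage parse in Python rather than Logstash configuration; the two sample lines are copied from the post above with the X.X.X.X placeholders left as they are, and the field names, the `_`-for-space key normalisation and the integer coercion of all-digit values are this example's own choices.

```python
import re
from typing import Dict, List, Any

# Sample lines taken from the thread above (addresses are the poster's X.X.X.X placeholders).
SAMPLE_TCP = (
    "Dec 6 04:17:50 firepower2130 SFIMS: Protocol: TCP, SrcIP: X.X.X.X, OriginalClientIP: ::, "
    "DstIP: X.X.X.X, SrcPort: 38222, DstPort: 443, TCPFlags: 0x0, IngressZone: Outside_SDC, "
    "EgressZone: Inside_SDC, DE: Primary Detection Engine (a403c8ac-f133-11e9-aa8a-f9e616853924), "
    "Policy: FP-2130-SDC, ConnectType: Start, AccessControlRuleName: Default_IPS_Only, "
    "AccessControlRuleAction: Allow, Prefilter Policy: Default Prefilter Policy, "
    "UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, "
    "InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 454, ResponderBytes: 78, "
    "NAPPolicy: Security Over Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, "
    "URLCategory: ANY, URLReputation: Well known, URL: https://test.com"
)
SAMPLE_DNS = (
    "Dec 6 04:17:50 firepower2130 SFIMS: Protocol: UDP, SrcIP: X.X.X.X, OriginalClientIP: ::, "
    "DstIP: X.X.X.X, SrcPort: 11492, DstPort: 53, TCPFlags: 0x0, IngressZone: Inside, "
    "EgressZone: Outside, DE: Primary Detection Engine (a403c8ac-f133-11e9-aa8a-f9e616853924), "
    "Policy: FP-2130-SDC, ConnectType: Start, AccessControlRuleName: Default_IPS_Only, "
    "AccessControlRuleAction: Allow, Prefilter Policy: Default Prefilter Policy, "
    "UserName: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, "
    "InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 89, ResponderBytes: 0, "
    "NAPPolicy: Security Over Connectivity, DNSQuery: teredo.ipv6.microsoft.com, "
    "DNSRecordType: a host address, DNSResponseType: No Error, Sinkhole: Unknown, "
    "URLCategory: Unknown, URLReputation: Risk unknown"
)

# Stage 1: the fixed syslog-style header. This is the part a single grok/dissect pattern
# can own for all six message types. Field names here are this example's choice.
HEADER_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>\S+): (?P<body>.*)$"
)


def parse_sfims(line: str) -> Dict[str, Any]:
    """Parse one SFIMS connection-event line into {timestamp, host, program, fields}."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised header: {line[:60]!r}")

    # Stage 2: the body is a ", "-separated list of "Key: value" pairs. Splitting on the
    # first ": " (not the first ":") keeps values such as "::" and "https://test.com" intact.
    fields: Dict[str, Any] = {}
    for pair in m["body"].split(", "):
        key, sep, value = pair.partition(": ")
        if not sep:
            raise ValueError(f"not a key/value pair: {pair!r}")
        key = key.replace(" ", "_")          # "Prefilter Policy" -> "Prefilter_Policy"
        fields[key] = int(value) if value.isdigit() else value   # ports, packets, bytes -> int

    return {
        "timestamp": m["timestamp"],
        "host": m["host"],
        "program": m["program"],
        "fields": fields,
    }


def parse_all(lines: List[str]) -> List[Dict[str, Any]]:
    """Parse a batch of lines; one parser serves every SFIMS variant."""
    return [parse_sfims(line) for line in lines]


def extra_keys(reference: Dict[str, Any], other: Dict[str, Any]) -> List[str]:
    """Keys present in `other` but absent from `reference` (shows how two variants differ)."""
    return sorted(set(other["fields"]) - set(reference["fields"]))


if __name__ == "__main__":
    tcp, dns = parse_all([SAMPLE_TCP, SAMPLE_DNS])
    print(tcp["host"], tcp["fields"]["ApplicationProtocol"], tcp["fields"]["DstPort"])
    print("DNS-only keys:", extra_keys(tcp, dns))
    print("HTTPS-only keys:", extra_keys(dns, tcp))
```

In Logstash terms, stage 1 is the single dissect or grok for the header and stage 2 is the kv filter configured to split fields on ", " and values on ": " (its `field_split_pattern` and `value_split_pattern` options take a regex, which is what allows the two-character delimiters). Branching with `if` then only becomes necessary for whatever you want to do differently per ApplicationProtocol after the fields already exist, not for getting them parsed.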
