Hello,
I'm new to grok i want to put cisco fire power 2130 logs to elasticsearch
I'm getting 6 types of different log lines so how do i write grok filter
I'd created 6 different grok filter and checked by grok debugger all are working but I'm unable to put the filter in grok
I want to know how to put them with if or some with different statements
Thanks in advance
Can you provide an example log and your current grok filter for review?
These are only two example i'v 6 in total with different log types
Dec 6 04:17:50 firepower2130 SFIMS: Protocol: TCP, SrcIP: X.X.X.X, OriginalClientIP: ::, DstIP: X.X.X.X, SrcPort: 38222, DstPort: 443, TCPFlags: 0x0, IngressZone: Outside_SDC, EgressZone: Inside_SDC, DE: Primary Detection Engine (a403c8ac-f133-11e9-aa8a-f9e616853924), Policy: FP-2130-SDC, ConnectType: Start, AccessControlRuleName: Default_IPS_Only, AccessControlRuleAction: Allow, Prefilter Policy: Default Prefilter Policy, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 454, ResponderBytes: 78, NAPPolicy: Security Over Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: ANY, URLReputation: Well known, URL: https://test.com
Dec 6 04:17:50 firepower2130 SFIMS: Protocol: UDP, SrcIP: X.X.X.X, OriginalClientIP: ::, DstIP: X.X.X.X, SrcPort: 11492, DstPort: 53, TCPFlags: 0x0, IngressZone: Inside, EgressZone: Outside, DE: Primary Detection Engine (a403c8ac-f133-11e9-aa8a-f9e616853924), Policy: FP-2130-SDC, ConnectType: Start, AccessControlRuleName: Default_IPS_Only, AccessControlRuleAction: Allow, Prefilter Policy: Default Prefilter Policy, UserName: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 89, ResponderBytes: 0, NAPPolicy: Security Over Connectivity, DNSQuery: teredo.ipv6.microsoft.com, DNSRecordType: a host address, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
I would use dissect to parse the first 2 fields, then dissect to parse the rest of the line. See this for an example.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.