fooc
(sander van der Laan)
January 29, 2019, 12:46pm
1
Hi,
I'm using the following conf file to process my syslog messages from a sophos utm:
input {
  tcp {
    type => "utm-syslog"
    port => 5140
  }
}
filter {
  if [type] == "utm-syslog" {
    grok {
      # the square brackets around the PID must be escaped; unescaped, [...] is a regex character class
      match => { "message" => "<%{POSINT:syslog_pri}>%{DATA:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}\[%{NUMBER:syslog_pid}\]: %{GREEDYDATA:syslog_message}" }
    }
    date {
      match => [ "syslog_timestamp", "yyyy:MM:dd-HH:mm:ss" ]
    }
    kv {
      source => "syslog_message"
    }
    mutate {
      replace => [ "type", "%{syslog_program}" ]
      remove_field => [ "syslog_message", "syslog_timestamp" ]
    }
    if [type] == "httpproxy" {
      # the name of the capture group was lost when the post was rendered; "url_scheme" is assumed here
      grok { match => { "url" => "(?<url_scheme>https?)://%{IPORHOST:url_domain}/" } }
    }
    geoip {
      source => "dstip"
    }
    geoip {
      source => "srcip"
    }
  }
} # end of filter
output {
  # note: [type] is overwritten with the program name by the mutate filter above,
  # so parsed events will not pass this condition as posted
  if [type] == "utm-syslog" {
    elasticsearch {
      hosts => ["10.255.254.27:9200"]
      index => "logstash-utm-%{+YYYY.MM.dd}"
    }
    stdout { codec => rubydebug }
  }
}
In normal firewall messages the geoip works well, but in messages from the WAF (web application firewall) I get the grokparsefailure messages:
In the message a srcip is present; I can't understand why I'm getting the errors.
Badger
January 29, 2019, 1:34pm
2
Your grok pattern expects syslog_program to be followed by syslog_pid in square brackets. Your message does not have that, so it does not match.
Please do not post screenshots of text, just post the text.
fooc
(sander van der Laan)
January 30, 2019, 3:23pm
3
Badger: "square brackets"
Can I just remove the square brackets?
Badger
January 30, 2019, 3:31pm
4
Removing the square brackets is an option, but I assume they were added to the pattern because you have some lines that contain them. In that case you can match against multiple patterns using
grok { match => { "message" => [ "firstPattern", "secondPattern" ] } }
Where one pattern has the brackets and one does not.
BTW you should anchor your grok patterns whenever possible.
match => { "message" => "<%{POSINT:syslog_pri}>%{DATA:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}\[%{NUMBER:syslog_pid}\]: %{GREEDYDATA:syslog_message}" }
is a lot slower than
match => { "message" => "^<%{POSINT:syslog_pri}>%{DATA:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}\[%{NUMBER:syslog_pid}\]: %{GREEDYDATA:syslog_message}" }
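The two-pattern match described in the reply above, worked through in Python so the failure mode is visible, as an added example that is not from the thread and not Logstash's own code. The grok macros (POSINT, DATA, SYSLOGHOST, NUMBER, GREEDYDATA) are hand-expanded into simplified regexes (an assumption; the real definitions in logstash-patterns-core are broader), the two sample lines are constructed in the shape of Sophos UTM firewall (ulogd) and WAF (reverseproxy) syslog output rather than real captures, and the kv emulation only handles key="value" pairs. In Logstash the same thing is `match => { "message" => [ pattern_with_pid, pattern_without_pid ] }`; the escaped `\[`/`\]` and the leading `^` anchor carry over unchanged.

```python
import re

# Hand-expanded, simplified equivalents of the grok macros used in the thread's
# pattern (assumption: the real logstash-patterns-core definitions are broader,
# e.g. SYSLOGHOST also accepts IPv6; these suffice for the constructed lines below).
POSINT = r"\d+"
NUMBER = r"-?\d+(?:\.\d+)?"
DATA = r".*?"
GREEDYDATA = r".*"
SYSLOGHOST = r"[\w.-]+"

# Shared prefix "<pri>timestamp host ". The leading ^ is the anchor recommended
# above: the engine then tries the match only at offset 0, not at every offset.
PREFIX = (rf"^<(?P<syslog_pri>{POSINT})>(?P<syslog_timestamp>{DATA}) "
          rf"(?P<syslog_host>{SYSLOGHOST}) ")

# Pattern 1: "program[pid]: message". Brackets are escaped so they are literals;
# a grok pattern needs the same \[ and \].
WITH_PID = re.compile(PREFIX + rf"(?P<syslog_program>{DATA})\[(?P<syslog_pid>{NUMBER})\]: "
                      rf"(?P<syslog_message>{GREEDYDATA})$")
# Pattern 2: "program: message", the shape of the WAF (reverseproxy) lines.
WITHOUT_PID = re.compile(PREFIX + rf"(?P<syslog_program>{DATA}): "
                         rf"(?P<syslog_message>{GREEDYDATA})$")

# grok tries the list in order and stops at the first hit, so the stricter one goes first.
PATTERNS = [WITH_PID, WITHOUT_PID]

# Pitfall: without the backslashes "[...]" is a character class, not a literal
# "[pid]", and then even the firewall line fails to match.
UNESCAPED = re.compile(PREFIX + rf"(?P<syslog_program>{DATA})[{NUMBER}]: "
                       rf"(?P<syslog_message>{GREEDYDATA})$")

# Constructed sample lines in the shape of Sophos UTM syslog output (not real captures).
FIREWALL_LINE = ('<14>2019:01:29-12:40:01 utm ulogd[4567]: id="2001" severity="info" '
                 'sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" '
                 'fwrule="60001" srcip="203.0.113.10" dstip="198.51.100.7" proto="6" '
                 'srcport="51234" dstport="443"')
WAF_LINE = ('<30>2019:01:29-12:40:02 utm reverseproxy: id="0299" srcip="203.0.113.10" '
            'localip="198.51.100.7" method="GET" statuscode="403" url="/admin" '
            'server="www.example.com"')


def grok_syslog(line):
    """Emulate grok's multi-pattern match: (index of the matching pattern, fields).

    (None, {}) stands in for the _grokparsefailure tag Logstash would add."""
    for index, pattern in enumerate(PATTERNS):
        match = pattern.match(line)
        if match:
            return index, match.groupdict()
    return None, {}


def parse_kv(text):
    """Emulate the kv filter for the key="value" pairs the UTM emits."""
    return dict(re.findall(r'(\w+)="([^"]*)"', text))


def enrich(line):
    """grok -> kv -> type := program name, mirroring the filter section in the thread."""
    index, fields = grok_syslog(line)
    if index is None:
        return {"tags": ["_grokparsefailure"]}
    event = dict(fields)
    event.update(parse_kv(fields["syslog_message"]))
    event["type"] = fields["syslog_program"]
    return event


def unescaped_matches(line):
    """True if the character-class (unescaped bracket) variant matches the line."""
    return UNESCAPED.match(line) is not None


if __name__ == "__main__":
    for sample in (FIREWALL_LINE, WAF_LINE):
        print(enrich(sample))
```

Running it shows the firewall line taken by the first pattern (syslog_pid set), the WAF line rejected by the first pattern and taken by the second, and srcip available from the kv step in both cases, which is what the geoip filter needs. `unescaped_matches(FIREWALL_LINE)` is False: that is the result of dropping the backslashes around the PID.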
fooc
(sander van der Laan)
January 30, 2019, 3:36pm
5
Thanks for your quick reply. I copied the conf from the internet and the basics were working for me, just not the WAF messages.
I have to learn how to write it.
system
(system)
Closed
February 27, 2019, 3:36pm
6
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.