Help for space separate message

Patricio_Campos · December 12, 2019, 2:53pm

Hello,
am new in Elastic, am working with SIEM module. I receive a log from Fortinet Firewall through a Rsyslog Linux and filebeat receive and send to Elasticsearcg, all importants field come in one large field named Message. I would like separate this information for example src_ip, src_port, etc etc

date=2019-12-12 time=11:31:33 devname="Fwr1-Kaufmann" devid="FGT6HD3916801908" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1576161093 srcip=10.1.1.9 srcport=54091 srcintf="LACP_Interna" srcintfrole="undefined" dstip=208.67.222.222 dstport=53 dstintf="port10" dstintfrole="undefined" poluuid="0f497e7c-5f9a-51e8-2401-1473957296a8" sessionid=796002608 proto=17 action="accept" policyid=402 policytype="policy" service="DNS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=190.216.145.133 transport=54091 duration=60 sentbyte=72 rcvdbyte=88 sentpkt=1 rcvdpkt=1 appcat="unscanned"

ChrsMark · December 13, 2019, 10:01am

Hi!

For this you will need to add a Logstash pipeline to further analyse the messages, by defining your own grok patterns.

Filebeat can analyse messages from services that are supported by Filebeat's modules, but when you need something so custom the best way to go is to add a Logstash node and do the parsing there.

Regards.

system · January 10, 2020, 10:01am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.