Hi,
Im currently stuck surrounding why my testfile is not outputting both types of logs (flow_logs and URL_logs). I've ran these both separately and they work fine
However once i run the following code below. Im only outputting URL logs only
Could anybody please assist?
input {
syslog {
port => 510
type => "flow_logs"
}
syslog {
port => 511
type => "url_logs"
}
}
filter {
if [type] == "flow_logs" {
grok {
match => { "message" => "%{NUMBER:Priority}>%{NUMBER:Version} %{NUMBER:Timestamp} %{WORD:Host} %{WORD:LogType} %{WORD:Action} src=%{IPV4:SourceIP} dst=%{IPV4:DestIP} mac=%{MAC:MAC} protocol=%{WORD:Protocol} sport=%{INT:Source_Port} dport=%{INT:Dest_Port}"}
}
prune {
whitelist_names => [ "^Priority$" , "^Version$" , "^Timestamp$" , "^Host$" , "^LogType$" , "^Action$" , "^SourceIP$" , "^DestIP$" , "^MAC$" , "^Protocol$" , "^Source_Port$" , "^Dest_Port$" ]
}
}
if [type] == "url_logs" {
grok {
match => { "message" => "<%{NUMBER:Priority}>%{NUMBER:Version} %{NUMBER:Timestamp} %{WORD:Host} %{WORD:LogType} src=%{IPV4:SourceIP}:%{IPORHOST:SourcePort} dst=%{IPV4:DestIP}:%{IPORHOST:DestPort} mac=%{MAC:MAC} (agent='%{DATA:User_Agent}' )?request: %{DATA:Request} %{GREEDYDATA:URL}..."}
}
prune {
whitelist_names => [ "^Priority$" , "^Version$" , "^Timestamp$" , "^Host$" , "^LogType$" , "^SourceIP$" , "^SourcePort$" , "^DestIP$" , "^DestPort$" , "^MAC$" , "^User_Agent$" , "^Request$" , "^URL$" ]
}
}
}
output {
microsoft-sentinel-logstash-output-plugin {
create_sample_file => true
sample_file_path => "/tmp/logstash/"
}
}