Hi All
I have a new ELK installation and all is going well. I have a couple of Windows servers and a firewall sending logs, and once I had told the installation to use more RAM everything ran really well.
I am trying to send logs from our Cisco CX web filtering, but I believe I need to create a new grok pattern as I am currently getting a _grokparsefailure.
The log file that is being produced is below:
<142>1 2016-05-16T13:54:30.578Z asacx-2 CiscoNGFW 20135 6 [ngfwEvent@9 Flow_Dst_Service="tcp/80" Flow_Bytes_Sent="196" Event_Type="0" Flow_DstIp="92.123.140.146" Flow_SrcIp="192.168.120.40" Count="1" Url_Category_Name="Software Updates" Flow_Bytes="196" Web_Reputation_Threat_Type="" Avc_Tag_Name="" Ev_SrcLabel="ASA CX" Event_Type_Name="HTTP Deny" Auth_Realm_Name="Adrian Flux Realm" User_Realm="Adrian Flux Realm\Eilidh Alexander" Policy_Name="Deny Internet Access" Flow_Transaction_Id="0" Url="http://armdl.adobe.com/pub/adobe/reader/win/11.x/11.0.16/misc/AdbeRdrUpd11016.msp" Identity_Source_Name="AD Agent" Auth_Policy_Name="Default" Flow_SrcIfc="inside" Flow_ConnId="245191611" Identity_Type_Name="Passive" Flow_DstHostName="armdl.adobe.com" Flow_Transaction_Count="1" Ev_Id="80756764" AAA_User="Eilidh Alexander" Web_Reputation_Score="4.1" Event_Type_Action="Deny" Ev_GenTime="1463406782823" Flow_DstPort="80" Flow_DstIfc="outside" Ev_SrcId="24" Avc_App_Name="HyperText Transfer Protocol" Ev_SrcHwType="ASA-CX" Flow_SrcPort="51463" Smx_Config_Version="544" Flow_Requests_Denied="1" Avc_App_Type="Infrastructure" Connection_Dst_Service="" Flow_Protocol="tcp" Ev_Producer_Name="HTTP Inspector"]
I would like to grok this so we can have all the headings as fields in Kibana, e.g. User_Realm, Flow_DstPort.
I believe I need to do something with the filter:
grok {
  match => ["message", ..................]
}
Thanks in advance
Mark
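Added example, not part of Mark's post. The line above is an RFC 5424 syslog message whose whole payload is one structured-data element, [ngfwEvent@9 key="value" ...], with no free-text message after it. Instead of one enormous grok pattern with a named capture per Cisco heading, parse it in two stages: a header pattern that takes the seven header fields and the structured-data block, then a key="value" pass over that block so every heading becomes a field without listing them by hand (in Logstash that is grok followed by the kv filter; the built-in %{SYSLOG5424BASE} pattern is assumed to match the header too, but it still leaves the bracketed block as a single string). The Ruby below does this on a constructed sample (the post's line shortened, with the user and URL replaced by placeholders); Logstash runs on JRuby and grok compiles to the same regex engine, so the header regex is a direct expansion of the grok pattern quoted in the comments. The Logstash filter snippet in the comments is my assumed equivalent and should be checked against the grok and kv plugin docs for your version.

```ruby
# Added example, not from the original post: parse an ASA CX / CiscoNGFW
# RFC 5424 syslog line into its header fields plus one field per key="value"
# pair in the structured-data element, the same result a Logstash
# grok (header) + kv (structured data) pair would give.
#
# Assumed Logstash equivalent (check against the grok/kv plugin docs for your
# version; inside a Logstash config string every regex backslash is doubled):
#
#   filter {
#     grok {
#       match => { "message" => "^<%{POSINT:syslog_pri}>%{POSINT:syslog_version} %{TIMESTAMP_ISO8601:syslog_timestamp} %{IPORHOST:syslog_host} %{NOTSPACE:syslog_app} %{NOTSPACE:syslog_procid} %{NOTSPACE:syslog_msgid} \\[%{NOTSPACE:sd_id} %{DATA:sd_params}\\]$" }
#     }
#     kv { source => "sd_params" field_split => " " value_split => "=" allow_empty_values => true }
#   }

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP,
# followed by either "-" (no structured data) or one or more [SD-ELEMENT]s, then an optional message.
HEADER = /\A<(?<pri>\d{1,3})>(?<version>\d+) (?<timestamp>\S+) (?<host>\S+) (?<app>\S+) (?<procid>\S+) (?<msgid>\S+) (?<rest>.*)\z/m

# One SD-ELEMENT: "[" SD-ID *(SP PARAM-NAME "=" DQUOTE PARAM-VALUE DQUOTE) "]".
# PARAM-VALUE may contain backslash-escaped '"', '\' and ']' (RFC 5424 6.3.3), so the
# value pattern consumes any backslash pair rather than stopping at the first quote or bracket.
SD_ELEMENT = /\A\[(?<sd_id>[^\s\]]+)(?<params>(?: [^\s="\]]+="(?:\\.|[^"\\])*")*)\]/
SD_PARAM   = /(?<key>[^\s="\]]+)="(?<value>(?:\\.|[^"\\])*)"/

# Reverse RFC 5424 PARAM-VALUE escaping; a backslash before any other character is kept,
# so a Windows-style "Realm\user" value survives unchanged.
def unescape_sd_value(value)
  value.gsub(/\\([\\"\]])/, '\1')
end

# Returns a Hash of fields (the shape a Logstash event would have), or nil when the
# line is not a well-formed RFC 5424 message.
def parse_cx_syslog(line)
  m = HEADER.match(line) or return nil
  pri = m[:pri].to_i
  event = {
    'syslog_pri'       => pri,
    'syslog_facility'  => pri >> 3,  # 142 -> 17 (local1)
    'syslog_severity'  => pri & 7,   # 142 -> 6  (informational)
    'syslog_version'   => m[:version].to_i,
    'syslog_timestamp' => m[:timestamp],
    'syslog_host'      => m[:host],
    'syslog_app'       => m[:app],
    'syslog_procid'    => m[:procid],
    'syslog_msgid'     => m[:msgid],
  }
  rest = m[:rest]
  sd_ids = []
  if rest.start_with?('-')
    rest = rest[1..-1]
  else
    while (sd = SD_ELEMENT.match(rest))
      sd_ids << sd[:sd_id]
      sd[:params].scan(SD_PARAM) { |key, value| event[key] = unescape_sd_value(value) }
      rest = sd.post_match
    end
    return nil if sd_ids.empty?  # neither "-" nor a well-formed SD-ELEMENT
  end
  event['sd_id'] = sd_ids
  event['syslog_message'] = rest.sub(/\A /, '')
  event
end

# Constructed sample: the post's line shortened, with the user and URL replaced by placeholders.
SAMPLE = '<142>1 2016-05-16T13:54:30.578Z asacx-2 CiscoNGFW 20135 6 ' \
         '[ngfwEvent@9 Flow_Dst_Service="tcp/80" Flow_Bytes_Sent="196" Event_Type="0" ' \
         'Flow_DstIp="192.0.2.10" Flow_SrcIp="192.168.120.40" Url_Category_Name="Software Updates" ' \
         'Web_Reputation_Threat_Type="" Avc_Tag_Name="" Event_Type_Name="HTTP Deny" ' \
         'User_Realm="Example Realm\jdoe" Policy_Name="Deny Internet Access" ' \
         'Url="http://example.com/update.msp" Flow_DstPort="80" Event_Type_Action="Deny" ' \
         'Ev_GenTime="1463406782823" Flow_Protocol="tcp"]'

if __FILE__ == $PROGRAM_NAME
  parse_cx_syslog(SAMPLE).each { |k, v| puts "#{k} = #{v.inspect}" }
end
```

Two things to carry over to the Logstash side: every value arrives as a string, so ports, byte counts and Web_Reputation_Score need a mutate convert before Kibana can aggregate on them, and Ev_GenTime is epoch milliseconds, which the date filter reads with the UNIX_MS pattern. A plain %{DATA} capture that stops at the first "]" also truncates any URL or user-agent value containing an escaped bracket, which is why the structured-data regex above consumes backslash pairs and unescapes them afterwards.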