How to write a Logstash grok filter for different information in the syslog message field


#1

Hi All,

I want to parse a firewall syslog stream.
Depending on the firewall action, the syslog message field contains additional information, such as the outbound interface or the service name of well-known ports, or not.

I have three examples:
|10.15.40.25|443|http-s|p3|Allow-443|
|10.15.40.25|53|dns|53||BLOCKALL|
|10.15.40.25|60000|||BLOCKALL|

Do I need a separate grok filter for each type (like below), and how do I have to configure the grok filter in the end?
|%{IPV4:Dst-IP}|%{INT:Dst-Port}|%{USERNAME:Dst-Service}|%{WORD:Dst-Inf}|%{WORD:Rule-Name}
|%{IPV4:Dst-IP}|%{INT:Dst-Port}|%{USERNAME:Dst-Service}||%{WORD:Rule-Name}
|%{IPV4:Dst-IP}|%{INT:Dst-Port}|||%{WORD:Rule-Name}

Many thanks in advance.
Jiona


(Magnus Bäck) #2

A single grok filter can list multiple expressions. They will be tried in order. There's an example in the grok filter documentation.


#3

That sounds good.
Can you share a link where I can find this information?


#4

In the documentation I found the following example to match multiple patterns against a single field.

filter {
grok { match => { "message" => [ "Duration: %{NUMBER:duration}", "Speed: %{NUMBER:speed}" ] } }
}

But I have no idea how to configure my filter based on this example.
I apologize, because I'm new to grok and regex.
Jiona


(Magnus Bäck) #5

You already have three grok expressions. Just list them in the grok filter as in the example.


#6

Thanks @magnusbaeck.

After reading some documents and doing some testing, the following simple filter works for me (without _grokparsefailure):

filter {
  if [type] == "syslog" {
    grok {
      # The three expressions listed as an array (the form from the docs);
      # grok tries them in order and stops at the first one that matches.
      # Most specific first: interface and service present, then service only,
      # then neither.
      match => {
        "message" => [
          "\|%{IPV4:Dst-IP}\|%{INT:Dst-Port}\|%{USERNAME:Dst-Service}\|%{WORD:Dst-Inf}\|%{WORD:Rule-Name}",
          "\|%{IPV4:Dst-IP}\|%{INT:Dst-Port}\|%{USERNAME:Dst-Service}\|\|%{WORD:Rule-Name}",
          "\|%{IPV4:Dst-IP}\|%{INT:Dst-Port}\|\|\|%{WORD:Rule-Name}"
        ]
      }
    }
  }
}

Kind regards
Jiona
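As an added example that is not part of this thread and not Logstash's own code: a small Python re-implementation of the grok behaviour that #5 and #6 rely on (expanding %{PATTERN:name} and trying the listed expressions in order, first match wins), run over the three sample lines from #1 plus one constructed five-field DNS line. It assumes a simplified IPV4 definition (grok's real one is much longer) and adds a NOTPIPE pattern that is not a grok built-in. Two things it shows that the filter in #6 does not: %{WORD:Rule-Name} stops at the hyphen, so Allow-443 is captured as Allow, and because grok is unanchored a pattern can succeed on part of a line; the hardened list anchors with ^ and $ and captures the rule name up to the next pipe. It also shows that the second sample exactly as posted (with the extra 53 field) falls through all three five-field expressions, which is what _grokparsefailure would be tagged for.

```python
import re

# Grok base patterns used by the thread's expressions. INT, USERNAME and WORD
# are grok's own definitions; IPV4 is a simplified stand-in for grok's long
# definition (assumption). NOTPIPE is not a grok built-in: it is added here to
# capture everything up to the next '|' so hyphenated rule names survive.
GROK_PATTERNS = {
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "WORD": r"\b\w+\b",
    "NOTPIPE": r"[^|]+",
}

# The three expressions from post #6, in the order Logstash would try them.
THREAD_EXPRESSIONS = [
    r"\|%{IPV4:Dst-IP}\|%{INT:Dst-Port}\|%{USERNAME:Dst-Service}\|%{WORD:Dst-Inf}\|%{WORD:Rule-Name}",
    r"\|%{IPV4:Dst-IP}\|%{INT:Dst-Port}\|%{USERNAME:Dst-Service}\|\|%{WORD:Rule-Name}",
    r"\|%{IPV4:Dst-IP}\|%{INT:Dst-Port}\|\|\|%{WORD:Rule-Name}",
]

# Hardened variant: anchored with ^ and $ so a match on a substring of the line
# is not accepted, and NOTPIPE for the rule name so 'Allow-443' is kept whole.
HARDENED_EXPRESSIONS = [
    r"^\|%{IPV4:Dst-IP}\|%{INT:Dst-Port}\|%{USERNAME:Dst-Service}\|%{WORD:Dst-Inf}\|%{NOTPIPE:Rule-Name}\|$",
    r"^\|%{IPV4:Dst-IP}\|%{INT:Dst-Port}\|%{USERNAME:Dst-Service}\|\|%{NOTPIPE:Rule-Name}\|$",
    r"^\|%{IPV4:Dst-IP}\|%{INT:Dst-Port}\|\|\|%{NOTPIPE:Rule-Name}\|$",
]

# %{PATTERN} or %{PATTERN:field-name}
_SEMANTIC = re.compile(r"%\{(\w+)(?::([\w-]+))?\}")


def grok_to_regex(expr):
    """Expand a grok expression into a compiled Python regex.

    Returns (regex, group_to_field): Python group names cannot contain '-',
    so fields get synthetic group names that are mapped back on extraction.
    """
    fields = {}

    def repl(m):
        pattern_name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[pattern_name]
        if field is None:
            return f"(?:{body})"
        group = f"g{len(fields)}"
        fields[group] = field
        return f"(?P<{group}>{body})"

    return re.compile(_SEMANTIC.sub(repl, expr)), fields


def grok_match(message, expressions):
    """Try each expression in order like a grok filter with a list of patterns.

    Returns (index, fields) for the first expression that matches, or
    (None, None) when none does, which is the _grokparsefailure case.
    """
    for index, expr in enumerate(expressions):
        regex, fields = grok_to_regex(expr)
        m = regex.search(message)  # search, not match: grok is unanchored unless you add ^/$
        if m:
            return index, {fields[g]: v for g, v in m.groupdict().items()}
    return None, None


# Sample lines: the first, second and fourth are the thread's own (the second
# exactly as posted, with its extra 53 field); the third is constructed here as
# the five-field DNS line the second expression is written for.
SAMPLES = [
    "|10.15.40.25|443|http-s|p3|Allow-443|",
    "|10.15.40.25|53|dns|53||BLOCKALL|",
    "|10.15.40.25|53|dns||BLOCKALL|",
    "|10.15.40.25|60000|||BLOCKALL|",
]


def run(expressions, samples=SAMPLES):
    """Return {message: (matched index or None, fields or None)} for every sample."""
    return {msg: grok_match(msg, expressions) for msg in samples}


if __name__ == "__main__":
    for label, exprs in (("thread", THREAD_EXPRESSIONS), ("hardened", HARDENED_EXPRESSIONS)):
        print(f"== {label} expressions ==")
        for msg, (idx, fields) in run(exprs).items():
            outcome = "_grokparsefailure" if idx is None else f"expression {idx} -> {fields}"
            print(f"{msg!r}: {outcome}")
```

Running it prints, for the thread's expressions, Rule-Name "Allow" for the first line and a fall-through for the second line as posted; with the hardened list the first line yields "Allow-443". The same two changes (^ ... $ anchors and a [^|]+ custom pattern for the rule name) carry straight over to the Logstash config.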


(system) #7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.