I'm having a firewall pushing logs towards a Linux destination server, with a Linux machine in the middle running a Logstash server.

So the firewall pushes logs towards the Logstash server, and in Logstash I have specified the destination server in the output plugin. I need to filter my logs: if, for example, 192.168.1.143 is contained in the message, I need to push only this log to the destination server. I will mention my sample log here and also my conf file; please help with this query.

This is my sample log, received from our firewall:

    2023-08-10T12:21:51+05:30 192.168.1.214 filterlog: 9,,,1000102433,vmx0,match,block,in,4,0x0,,64,60685,0,DF,1,icmp,84,192.168.1.143,192.168.1.214,request,38727,164

And this is the conf file in Logstash:

    input {
      syslog {
        port => "8514"
      }
    }

    filter {
      # parse the firewall line into named fields (the 19th comma-separated value is "source")
      grok {
        match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{IP:source_ip} %{WORD:program}: %{NUMBER:rule_number},%{DATA:sub_rulenumber},%{DATA:anchor},%{NUMBER:tracker},%{DATA:real_interface},%{DATA:reason1},%{DATA:action},%{DATA:direction},%{DATA:ip_version},%{DATA:flags},%{DATA:empty},%{DATA:size},%{NUMBER:id},%{NUMBER:sequence},%{DATA:reason},%{NUMBER:ttl},%{DATA:protocol_name},%{NUMBER:sourceport},%{IP:source},%{IP:destination_ip},%{NUMBER:source_port},%{NUMBER:destination_port},%{NUMBER:connection_id}" }
      }

      # keep only events whose "source" field is the host of interest, drop everything else
      if [source] != "192.168.1.143" {
        drop {}
      }
    }

    output {
      syslog {
        host => "192.168.1.160"
        port => "514"
      }
    }

Welcome to the community!

It's much easier if you use the CSV plugin; you can even skip empty columns if you like.

    filter {
      # take the fixed prefix with grok and hand the comma-separated rest to the csv filter
      grok {
        match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{IP:ip} %{DATA:program}: %{GREEDYDATA:[@metadata][logdata]}" }
      }

      csv {
        source => "[@metadata][logdata]"
        # continue the list with the remaining column names
        columns => ["rule_number","sub_rulenumber","anchor","tracker","real_interface"]
        #skip_empty_columns => true
      }
    }
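Putting the question and the reply together, here is a complete pipeline as an added example (it is not from the original thread): it reuses the responder's grok/csv split, takes the column names from the grok pattern in the question (so the 19th column is `source`), and forwards only events from 192.168.1.143; ports and the destination host are the ones given in the question.

```logstash
input {
  syslog {
    port => 8514
  }
}

filter {
  # Split the fixed prefix off; the comma-separated payload goes to a
  # metadata field so it is not forwarded as part of the event.
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{IP:ip} %{DATA:program}: %{GREEDYDATA:[@metadata][logdata]}" }
  }

  # Column names copied from the grok pattern in the question; the csv
  # filter maps them by position, so empty columns keep their slot even
  # when they are skipped.
  csv {
    source  => "[@metadata][logdata]"
    columns => ["rule_number","sub_rulenumber","anchor","tracker","real_interface",
                "reason1","action","direction","ip_version","flags","empty","size",
                "id","sequence","reason","ttl","protocol_name","sourceport","source",
                "destination_ip","source_port","destination_port","connection_id"]
    skip_empty_columns => true
  }

  # Drop everything that is not from the host of interest, including
  # lines the grok pattern could not parse (they carry no "source").
  if "_grokparsefailure" in [tags] or [source] != "192.168.1.143" {
    drop { }
  }
}

output {
  syslog {
    host => "192.168.1.160"
    port => 514
  }
}
```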

Thanks for the reply, the result has come. Is it OK to use the kv filter to get my same last result?

KV is more for key=value; you have CSV values. However, every approach which brings data without delay is fine for me.

Thanks, everything works fine. Now I'm planning to add the TLS method in my tcp plugin. As I already mentioned, I'm receiving logs from the firewall, so what will the conf file format look like when using both the tcp input and output plugins? And please clarify for me on which machine I need to create the certificate. Here is my infrastructure again:

Source -- firewall pushing logs
middle -- logstash server (Linux)
Destination -- Linux machine
