Issues in parsing Barracuda firewall

I am trying to parse Barracuda Web Filter logs and I am getting a compile error.

Here is the log
2018-08-07 11:00:01||1||5||bwf||192.168.6.141 - - [07/Aug/2018:11:00:00 -0700] "CONNECT store-images.s-microsoft.com:443 HTTP/1.0" 407 15530 TCP_DENIED:HIER_NONE
2018-08-07 11:00:01||1||5||bwf||192.168.6.141 - - [07/Aug/2018:11:00:00 -0700] "CONNECT store-images.s-microsoft.com:443 HTTP/1.0" 407 15530 TCP_DENIED:HIER_NONE
2018-08-07 11:00:01||1||5||bwf||192.168.6.141 - - [07/Aug/2018:11:00:00 -0700] "CONNECT store-images.s-microsoft.com:443 HTTP/1.0" 407 15530 TCP_DENIED:HIER_NONE

and here is the code

input {
  file {
    path => "/Users/samvidkulkarni/report2.txt"
    type => "syslog"
    start_position => beginning
    ignore_older => 0
  }
}
filter {
  # Split the syslog part and Cisco tag out of the message
  grok {
    match => ["message", "%{TIMESTAMP_ISO8601:timestamp}\|\|%{NUMBER:syslog_cat}\|\|%{NUMBER:syslog_severity}\|\|%{WORD:firewall}\|\|%{IP:src} -- [%{TIMESTAMP_ISO8601:timestamp2}] "%{WORD:action} %{URL:uri}:%{NUMBER:port} HTTP/1.0" %{NUMBER:status} %{NUMBER:port} %{WORD:action}:%{WORD:action2}"]
  }

  # Parse the syslog severity and facility
  syslog_pri { }

  # Parse the date from the "timestamp" field to the "@timestamp" field
  date {
    match => ["timestamp", "yyyy-MM-dd HH:mm:ss"]
    timezone => "UTC"
  }

  # The bracketed date is "07/Aug/2018:11:00:00 -0700": a colon separates date and time,
  # and Joda "yyyy" is the calendar year ("YYYY" is the week-based year, wrong near year ends)
  date {
    match => ["timestamp2", "dd/MMM/yyyy:HH:mm:ss Z"]
    timezone => "UTC"
  }

  # Clean up redundant fields if parsing was successful
  if "_grokparsefailure" not in [tags] {
    mutate {
      rename => ["cisco_message", "message"]
      remove_field => ["timestamp"]
    }
  }
}
output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}

The issue is somewhere in the regex, but I am not able to understand what the issue is. I tried it on http://grokconstructor.appspot.com/do/match#result but it says compile error, and below is the error:

Syntax error in the given pattern %{TIMESTAMP_ISO8601:timestamp}\|\|%{NUMBER:syslog_cat}\|\|%{NUMBER:syslog_severity}\|\|%{WORD:firewall}\|\|%{IP:src} -- [%{TIMESTAMP_ISO8601:timestamp2}] "%{WORD:action} %{URIPATH:uri}:%{NUMBER:port} HTTP/1.0" %{NUMBER:status} %{NUMBER:port} %{WORD:action}:%{WORD:action2} : 
empty range in char class

You need to escape the [ and ] around the second timestamp, and the double quotes around the HTTP request, and the pattern is called URI, not URL.
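The fix described in the answer above, as an added example that is not part of this thread: a small grok-style expander in Python, run over the posted log line with the pattern as posted, the same pattern with only the brackets and quotes left unescaped, and a corrected one. The named patterns are simplified stand-ins I constructed for the real grok definitions; the corrected pattern also uses HTTPDATE and HOSTNAME instead of TIMESTAMP_ISO8601 and URI, because grok's TIMESTAMP_ISO8601 expects a yyyy-MM-dd date and URI expects a scheme, so neither matches this line, and it gives every capture a distinct field name.

```python
import re

# Constructed, simplified stand-ins for the named grok patterns used here; the real
# grok definitions are longer, but these cover the sample line.
GROK = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}",
    "HTTPDATE": r"\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} (?:\+|-)\d{4}",
    "NUMBER": r"-?\d+(?:\.\d+)?",
    "WORD": r"\w+",
    "IP": r"\d{1,3}(?:\.\d{1,3}){3}",
    "HOSTNAME": r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*",
}
# One line of the posted log, copied as the sample input.
LINE = ('2018-08-07 11:00:01||1||5||bwf||192.168.6.141 - - [07/Aug/2018:11:00:00 -0700] '
        '"CONNECT store-images.s-microsoft.com:443 HTTP/1.0" 407 15530 TCP_DENIED:HIER_NONE')
# The pattern as posted: unknown name URL, and [ ] " left unescaped.
POSTED = (r"%{TIMESTAMP_ISO8601:timestamp}\|\|%{NUMBER:syslog_cat}\|\|%{NUMBER:syslog_severity}"
          r"\|\|%{WORD:firewall}\|\|%{IP:src} - - [%{TIMESTAMP_ISO8601:timestamp2}] "
          r'"%{WORD:action} %{URL:uri}:%{NUMBER:port} HTTP/1.0" '
          r"%{NUMBER:status} %{NUMBER:port} %{WORD:action}:%{WORD:action2}")
# Corrected: \[ \] \" escaped, HTTPDATE for the bracketed date, HOSTNAME for the
# CONNECT target, and a distinct field name for every capture.
FIXED = (r"%{TIMESTAMP_ISO8601:timestamp}\|\|%{NUMBER:syslog_cat}\|\|%{NUMBER:syslog_severity}"
         r"\|\|%{WORD:firewall}\|\|%{IP:src} - - \[%{HTTPDATE:timestamp2}\] "
         r"\"%{WORD:method} %{HOSTNAME:host}:%{NUMBER:port} HTTP/1\.0\" "
         r"%{NUMBER:status} %{NUMBER:bytes} %{WORD:result}:%{WORD:hier}")
# FIXED with only the escaping undone: the bare [ opens a character class
# (Python's re reports a bad range; Oniguruma says "empty range in char class").
UNESCAPED = FIXED.replace(r"\[", "[").replace(r"\]", "]").replace('\\"', '"')

def expand(pattern):
    """Rewrite each %{NAME:field} into a named group, as grok does before compiling."""
    def sub(m):
        name, field = m.group(1), m.group(2)
        if name not in GROK:
            raise ValueError(f"unknown grok pattern {name}")
        return f"(?P<{field}>{GROK[name]})"
    return re.sub(r"%\{(\w+):(\w+)\}", sub, pattern)

def compile_error(pattern):
    """Return the error message a pattern raises, or None if it compiles cleanly."""
    try:
        re.compile(expand(pattern))
    except (re.error, ValueError) as e:
        return str(e)
    return None

def parse(pattern, line):
    """Match the whole line and return its fields, or None when it does not match."""
    m = re.fullmatch(expand(pattern), line)
    return m.groupdict() if m else None
```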

Thank you very much. Issue solved.
