Loading snort alerts into logstash (GROK PATTERN)

cottoncandyy · October 16, 2019, 4:58pm

hi I am new to the elk stack and im trying to load snort event log into logstash for analysis but i cant seem to figure out the grok pattern. This is a sample data of how the snort alert log looks like, can someone help me out with the script n grok pattern to load this data into logstash

[**] [129:12:1] Consecutive TCP small segments exceeding threshold [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
07/11-14:18:47.086495 192.168.62.5:443 -> 192.168.62.3:59936
TCP TTL:64 TOS:0x0 ID:6180 IpLen:20 DgmLen:168 DF
***AP*** Seq: 0x4573C100  Ack: 0x3A0B3D67  Win: 0x5AC  TcpLen: 20

system · November 13, 2019, 4:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok pattern for snort alerts Logstash	5	1033	July 7, 2022
Parse snort los Logstash	2	835	June 28, 2018
I'm linking ELK to Snort. but there's been an error with the logstash Logstash	5	704	July 23, 2020
Logstash Snort Log Parse Error Logstash	3	538	October 26, 2018
Help with grok pattern Logstash	2	231	June 4, 2021

Loading snort alerts into logstash (GROK PATTERN)

Related topics