Loading snort alerts into logstash (GROK PATTERN)

cottoncandyy · October 16, 2019, 4:58pm

hi I am new to the elk stack and im trying to load snort event log into logstash for analysis but i cant seem to figure out the grok pattern. This is a sample data of how the snort alert log looks like, can someone help me out with the script n grok pattern to load this data into logstash

[**] [129:12:1] Consecutive TCP small segments exceeding threshold [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
07/11-14:18:47.086495 192.168.62.5:443 -> 192.168.62.3:59936
TCP TTL:64 TOS:0x0 ID:6180 IpLen:20 DgmLen:168 DF
***AP*** Seq: 0x4573C100  Ack: 0x3A0B3D67  Win: 0x5AC  TcpLen: 20

system · November 13, 2019, 4:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.