Hello, I am having my log between brackets and I am not able to parse that part, can anyone help me?
Regards
My log is [Priority: 2] {TCP} 192.168.16.247:51650 -> 52.184.227.73:443
I was able to parse the priority, but I am not able to parse the TCP part that is between {}.
What does your configuration look like?
My entire log is
Mar 23 11:46:27 CLL21DCIDS01-IDS snort[26109]: [137:1:2] (spp_ssl) Invalid CHELLO after Server HELLO Detected [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.17.11:52259 -> 104.40.28.30:443
and my config is
filter {
  grok {
    match => {"message"=>"%{SYSLOGTIMESTAMP:logDate} %{NOTSPACE:hostname} %{NOTSPACE:loglevel} [%{NOTSPACE:mynumber}] (%{NOTSPACE:otraVariable}) %{DATA:message}Priority: %{INT:priority}] %{IP:sourceIp} : "}
    overwrite => [ "message" ]
  }
  mutate {
    copy => { "loglevel" => "loglevel_tmp" }
  }
  mutate {
    split => ["loglevel_tmp", "["]
    add_field => { "hostType" => "%{loglevel_tmp[0]}" }
    add_field => { "ruleId" => "%{loglevel_tmp[1]}" }
  }
  mutate {
    remove_field => [ "loglevel_tmp","loglevel" ]
  }
}
Always post your configuration as preformatted text so it doesn't get mangled.
Keep in mind that braces and brackets have special meaning in regular expressions (and therefore grok expressions) so you need to escape them if you want their literal meaning.
Yeah, I figured it out.
It was my bad. Thanks for helping.
One more question: I am using geoIP, but of the source and destination IP only one is public. Is there any way to check if the IP is public?
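As an added illustration (not code from either poster), the following Python script parses the full Snort alert line from the thread with a regex in which every literal `[`, `]`, `{`, `}`, `(` and `)` is backslash-escaped, which is exactly the escaping the grok pattern needs; the corresponding grok fragment is shown in a comment. It also answers the last question in the same place: Python's standard `ipaddress` module reports whether an address is globally routable, so the script flags which of the two addresses is public. The sample line, the field names and the function names are constructed for the example.

```python
import ipaddress
import re

# Constructed sample, modelled on the Snort alert posted in the thread.
SAMPLE = ("Mar 23 11:46:27 CLL21DCIDS01-IDS snort[26109]: [137:1:2] (spp_ssl) "
          "Invalid CHELLO after Server HELLO Detected "
          "[Classification: Potentially Bad Traffic] [Priority: 2] "
          "{TCP} 192.168.17.11:52259 -> 104.40.28.30:443")

# Every literal bracket, brace and parenthesis is escaped. Unescaped, '[' ']'
# open a character class, '{' '}' a repetition count and '(' ')' a group, so the
# pattern would silently match something else or fail to compile.
# The equivalent grok tail is:
#   \[Priority: %{INT:priority}\] \{%{WORD:protocol}\} %{IP:srcIp}:%{INT:srcPort} -> %{IP:dstIp}:%{INT:dstPort}
SNORT_RE = re.compile(
    r"^(?P<logDate>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program>\w+)\[(?P<pid>\d+)\]: "
    r"\[(?P<ruleId>\d+:\d+:\d+)\] "
    r"(?:\((?P<preprocessor>[^)]+)\) )?"          # e.g. (spp_ssl), optional
    r"(?P<msg>.*?) "                              # free-text alert message
    r"(?:\[Classification: (?P<classification>[^\]]+)\] )?"
    r"\[Priority: (?P<priority>\d+)\] "
    r"\{(?P<protocol>[^}]+)\} "                   # the {TCP} part
    r"(?P<srcIp>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<srcPort>\d+))? -> "
    r"(?P<dstIp>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dstPort>\d+))?$"
)


def is_public_ip(ip_str):
    """True for a globally routable address, False for RFC 1918 and other
    special-purpose ranges (loopback, link-local, multicast, reserved)."""
    return ipaddress.ip_address(ip_str).is_global


def parse_snort_alert(line):
    """Parse one Snort syslog alert into a dict, or return None if the line
    does not match. Numeric fields are converted to int; each IP gets a
    companion boolean saying whether it is public, which is what a geoip
    filter should be gated on."""
    m = SNORT_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("pid", "priority", "srcPort", "dstPort"):
        if fields.get(key) is not None:
            fields[key] = int(fields[key])
    fields["srcIpPublic"] = is_public_ip(fields["srcIp"])
    fields["dstIpPublic"] = is_public_ip(fields["dstIp"])
    return fields


if __name__ == "__main__":
    parsed = parse_snort_alert(SAMPLE)
    for key, value in parsed.items():
        print(f"{key:>15}: {value}")
```

In the Logstash pipeline the same idea is a grok pattern with the escaped brackets shown in the comment, followed by a conditional that only hands the public side to `geoip`; the script simply makes the two checks (escaping, and public-versus-private) visible and testable outside Logstash.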