Log between {}

Hello, i am having my log between brackets and i am not able to parse that part, can anyone help me??


my log is [Priority: 2] {TCP} ->

i was able to parse the priority, but i am not able to parse de TCP part that is between {}

What does your configuration look like?

my entire log is
Mar 23 11:46:27 CLL21DCIDS01-IDS snort[26109]: [137:1:2] (spp_ssl) Invalid CHELLO after Server HELLO Detected [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} ->

and my config is

filter {
match => {"message"=>"%{SYSLOGTIMESTAMP:logDate} %{NOTSPACE:hostname} %{NOTSPACE:loglevel} [%{NOTSPACE:mynumber}] (%{NOTSPACE:otraVariable}) %{DATA:message}Priority: %{INT:priority}] %{IP:sourceIp} : "}
overwrite => [ "message" ]
mutate {
copy => { "loglevel" => "loglevel_tmp" }
mutate {
split => ["loglevel_tmp", "["]
add_field => { "hostType" => "%{loglevel_tmp[0]}" }
add_field => { "ruleId" => "%{loglevel_tmp[1]}" }
remove_field => [ "loglevel_tmp","loglevel" ]

Always post your configuration as preformatted text so it doesn't get mangled.

Keep in mind that braces and brackets have special meaning in regular expressions (and therefore grok expressions) so you need to escape them if you want their literal meaning.

yeap i figured it out :slight_smile: it was my bad. thanks fro helping.

One more question, i am using geoIp, but source and destination ip, only one is public. i there any way to check if the ip is public?

i there any way to check if the ip is public?

Use a cidr filter.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.