Hello, i am having my log between brackets and i am not able to parse that part, can anyone help me??
Regards
my log is [Priority: 2] {TCP} 192.168.16.247:51650 -> 52.184.227.73:443
i was able to parse the priority, but i am not able to parse de TCP part that is between {}
What does your configuration look like?
my entire log is
Mar 23 11:46:27 CLL21DCIDS01-IDS snort[26109]: [137:1:2] (spp_ssl) Invalid CHELLO after Server HELLO Detected [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.17.11:52259 -> 104.40.28.30:443
and my config is
filter {
grok{
match => {"message"=>"%{SYSLOGTIMESTAMP:logDate} %{NOTSPACE:hostname} %{NOTSPACE:loglevel} [%{NOTSPACE:mynumber}] (%{NOTSPACE:otraVariable}) %{DATA:message}Priority: %{INT:priority}] %{IP:sourceIp} : "}
overwrite => [ "message" ]
}
mutate {
copy => { "loglevel" => "loglevel_tmp" }
}
mutate {
split => ["loglevel_tmp", "["]
add_field => { "hostType" => "%{loglevel_tmp[0]}" }
add_field => { "ruleId" => "%{loglevel_tmp[1]}" }
}
mutate{
remove_field => [ "loglevel_tmp","loglevel" ]
}
}
Always post your configuration as preformatted text so it doesn't get mangled.
Keep in mind that braces and brackets have special meaning in regular expressions (and therefore grok expressions) so you need to escape them if you want their literal meaning.
yeap i figured it out 
it was my bad. thanks fro helping.
One more question, i am using geoIp, but source and destination ip, only one is public. i there any way to check if the ip is public?
i there any way to check if the ip is public?
Use a cidr filter.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.