Hello, I would like some information.
I am having a little difficulty with my Logstash config. I would like to be able to "filter" on whether traffic comes from and goes to the internal network, then output it to a specific index IF the traffic is coming from inside (it will always be coming from inside) and going outside, and vice versa, output to another index.
BUT I don't want them to "overlap".
Here's an example of the config I'm running (I'll strip out the non-important parts):
03-syslog.conf
filter {
if [type] == "syslog" {
# Any syslog line whose text contains the substring "devname" is treated as
# coming from a FortiGate and gets the two tags the rest of the pipeline keys on.
# This is a loose heuristic: a message from some other device that happens to
# contain "devname" would be tagged too and would then go through the whole
# FortiGate parsing chain -- worth confirming against the actual inputs.
if "devname" in [message] {
  mutate {
    add_tag => [ "COUPEFEU", "FORTIGATE" ]
  }
}
...........................................
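# Everything below runs only for events tagged FORTIGATE by the earlier "devname" check.
if "FORTIGATE" in [tags] {
  # Split off the syslog header; the remaining key=value payload lands in [kv].
  # Both fields to drop are listed in ONE remove_field: when the same setting is
  # repeated inside a plugin block, Logstash keeps only one of them (or rejects
  # the config, depending on the version), so the original two separate lines
  # risked leaving [message] in place.
  grok {
    match => [ "message", "%{SYSLOG5424PRI}%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{GREEDYDATA:kv}" ]
    remove_field => [ "message", "syslog_timestamp" ]
  }
  syslog_pri { }
  # FortiGate payload is space-separated key=value pairs. "type" and "subtype"
  # are excluded so the log's own type= field cannot overwrite the event's
  # [type], which the enclosing `[type] == "syslog"` test relies on.
  kv {
    source => "kv"
    exclude_keys => [ "type", "subtype" ]
    field_split => " "
    value_split => "="
  }
  # [logtimestamp] is not produced by anything shown here -- presumably built in
  # the part of the config that was stripped out; confirm it exists at this point.
  date {
    match => [ "logtimestamp", "ISO8601" ]
    locale => "en"
    timezone => "America/Montreal"
    remove_field => [ "logtimestamp" ]
  }
  # One convert hash instead of seventeen repeated `convert => [...]` lines: the
  # repeated-setting problem noted above applies here too, so only the last
  # field might actually have been converted before.
  mutate {
    convert => {
      "rcvdbyte" => "integer"
      "countdlp" => "integer"
      "countweb" => "integer"
      "countav" => "integer"
      "countemail" => "integer"
      "countips" => "integer"
      "duration" => "integer"
      "sentpkt" => "integer"
      "rcvdpkt" => "integer"
      "sentbyte" => "integer"
      "shaperdroprcvdbyte" => "integer"
      "shaperdropsentbyte" => "integer"
      "filesize" => "integer"
      "count" => "integer"
      "total" => "integer"
      "totalsession" => "integer"
      "bandwidth" => "integer"
    }
    #rename => { "type" => "ftg-type" }
  }
  # Endpoint classification. RFC 1918 private ranges, loopback (127/8) and
  # link-local/APIPA (169.254/16) count as internal ("RITM"); anything else is
  # WAN and gets geolocated. Dots are escaped and the alternation is anchored:
  # the earlier unescaped pattern "^10." also matched public 100.x-109.x
  # addresses, which were then filed as internal and never geolocated, and
  # "^127.0.0.1" covered only that one address rather than the whole loopback
  # block. Only IPv4 is covered -- an IPv6 address falls through as WAN.
  # (The cidr filter plugin is an alternative to maintaining this regex by hand.)
  if [srcip] {
    if [srcip] =~ /^(127\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|169\.254\.)/ {
      # separate RITM (internal) traffic from internet traffic for the second index
      mutate {
        add_tag => [ "src-traffic-ritm" ]
      }
    } else {
      # Tag first, then look up: a failed GeoIP lookup must not change how the
      # event is routed (previously the tag was only added on lookup success).
      mutate {
        add_tag => [ "traffic-wan" ]
      }
      geoip {
        database => "/etc/logstash/GeoLiteCity.dat"
        source => "srcip"
        target => "SourceGeo"
      }
    }
  }
  if [dstip] {
    if [dstip] =~ /^(127\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|169\.254\.)/ {
      # separate RITM (internal) traffic from internet traffic for the second index
      mutate {
        add_tag => [ "dst-traffic-ritm" ]
      }
    } else {
      mutate {
        add_tag => [ "traffic-wan" ]
      }
      geoip {
        database => "/etc/logstash/GeoLiteCity.dat"
        source => "dstip"
        target => "DestinationGeo"
      }
    }
  }
}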
output.conf
output {
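# Route each FortiGate event to exactly one index. Two independent conditionals
# let a single event match both (internal src -> external dst carries both
# traffic-wan and src-traffic-ritm) and sent an event with neither tag nowhere.
# Internal-to-internal (RITM) traffic is recognised by BOTH endpoint tags being
# present; everything else from the firewall goes to the main index.
if "FORTIGATE" in [tags] {
  if "src-traffic-ritm" in [tags] and "dst-traffic-ritm" in [tags] {
    elasticsearch {
      hosts => ["es-client:9200"]
      # No "-" before the date, unlike the main index; kept as-is so existing
      # logstash-fortigate-ritm* indices and index patterns keep matching.
      index => "logstash-fortigate-ritm%{+YYYY.MM.dd}"
    }
  } else {
    elasticsearch {
      hosts => ["es-client:9200"]
      index => "logstash-fortigate-%{+YYYY.MM.dd}"
    }
  }
}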
I would like to check if both "dst-traffic-ritm" and "src-traffic-ritm" are present in [tags] and then output to logstash-fortigate-ritm*; if not, output to logstash-fortigate*.
A little bit of help would "once again" be appreciated; I'm sure it's something awfully stupid, but I don't get it.