hi everyone,
i have an hard time filtering logs comming from a pfsense firewall
i tried a lot of filters and groks but nothing's working
it seems that logstash isnt reading filters or something
doesnt any one have an idea how to fix that?
here is my filter file
filter {
if [type] == "syslog" {
#change to pfSense ip address
if [host] =~ /172\.16\.52\.250/ {
mutate {
add_tag => ["PFSense", "Ready"]
}
}
if "Ready" not in [tags] {
mutate {
add_tag => [ "syslog" ]
}
}
}
}
filter {
if [type] == "syslog" {
mutate {
remove_tag => "Ready"
}
}
}
filter {
if "syslog" in [tags] {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
locale => "en"
}
if !("_grokparsefailure" in [tags]) {
mutate {
replace => [ "@source_host", "%{syslog_hostname}" ]
replace => [ "@message", "%{syslog_message}" ]
}
}
mutate {
remove_field => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
}
if "_grokparsefailure" in [tags] {
drop { }
}
}
}
BTW: the config is not returning any errors, the logs are recieved by Graylog2 but not filtered and parsed
here is an exemple
<14>Nov 17 14:35:53 172.16.52.250 id=firewall time="2016-11-17 14:50:48" fw="cbv-fw02" tz=+0100 startime="2016-11-17 14:48:48" pri=5 confid=01 slotlevel=2 ruleid=45 srcif="Ethernet1" srcifname="production" ipproto=udp dstif="Vlan2" dstifname="INTERCOFW" proto=dns src=10.56.130.9 srcport=49286 srcportname=ephemeral_fw_udp srcname=H_CBV-DC02 dst=192.168.204.1 dstport=53 dstportname=dns_udp dstname=cbv-fw01.production.infra modsrc=10.56.130.9 modsrcport=49286 origdst=192.168.204.1 origdstport=53 sent=52 rcvd=204 duration=0.00 logtype="connection"#015#012#000 info
cheers