I am trying to ingest logs from a checkpoint firewall. My logstash config file checks out and works as long as I don't have the filter section in it. However, I need the data filtered so can you guys help me figure out what is wrong with this filter. I pulled this from the Checkpoint website.
input {
tcp {
port => 2812
codec => plain
type => syslog
}
}
filter {
if [type] == "syslog" {
kv {
allow_duplicate_values => false
recursive => false
field_split => "|"
}
mutate {
# Fields beginning with underscore are not supported by ES/Kibana, so rename them.
rename => { "__nsons" => "nsons" }
rename => { "__p_dport" => "p_dport" }
rename => { "__pos" => "pos" }
# Not necessary, just a field name preference.
rename => { "originsicname" => "sicname" }
# Example of removing specific fields
# remove_field => [ "connection_luuid", "loguid" ]
# String substitution
# Strip the O\=.*$ and the ^CN= in the field.
gsub => [
"sicname", "CN\\=", "",
"sicname", ",O\\=.*$",""
]
}
}
}
output {
elasticsearch {
hosts => ["https://localhost:9200"]
cacert => "C:\elastic\logstash-8.3.3-windows-x86_64\logstash-8.3.3\config\certs\http_ca.crt"
user => logstash_internal
password => ********
}
}