Logstash filter for firewall packet drops

hassan.rana · December 8, 2020, 7:35pm

I am trying to parse logs from an aggregate syslog server to logstash. I have been successful in shipping the logs from the syslog server to logstash. I can see multiple fields from the log that are being setup like (host.id, host.os, message ..etc..) but I want to convert the message into fields.
The syntax of firewall logs is: " 2020-12-08T13:34:33-08:00 fw2.abc.xyz kernel: [9394231.861125] [toLocal-default-D]IN=eth0 OUT= MAC=00:00:00:00:00:21:10:16:20:09:17:41:08:00 SRC=192.168.0.0 DST=192.168.0.0 LEN=40 TOS=0x08 PREC=0x20 TTL=241 ID=236 PROTO=TCP SPT=40006 DPT=7370 WINDOW=1024 RES=0x00 SYN URGP=0 "
The screen shot is of my logstash input, filter and output.

Can anyone help me create fields of all? Or just the time, firewall name , source IP and Destination IP. Thank you.

Badger · December 8, 2020, 7:54pm

Your dissect filter does not match your log file format. Try

    dissect { mapping => { "message" => "%{[@metadata][timestamp]} %{host} %{loglevel}: [%{someNumbers}] [%{someString}]%{[@metadata][restOfLine]}" } }
    date { match => [ "[@metadata][timestamp]", "YYYY-MM-dd'T'HH:mm:ssZ" ] }
    kv { source => "[@metadata][restOfLine]" }

hassan.rana · December 8, 2020, 8:48pm

Thank you for getting back.

I have changed the filter to match the one you suggested and still can't see the fields on kibana. Can you recommend anything else? Thanks.

system · January 5, 2021, 8:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.