Logstash filter for firewall packet drops

Elastic Stack Logstash
1

I am trying to parse logs from an aggregate syslog server to logstash. I have been successful in shipping the logs from the syslog server to logstash. I can see multiple fields from the log that are being setup like (host.id, host.os, message ..etc..) but I want to convert the message into fields.
The syntax of firewall logs is: " 2020-12-08T13:34:33-08:00 fw2.abc.xyz kernel: [9394231.861125] [toLocal-default-D]IN=eth0 OUT= MAC=00:00:00:00:00:21:10:16:20:09:17:41:08:00 SRC=192.168.0.0 DST=192.168.0.0 LEN=40 TOS=0x08 PREC=0x20 TTL=241 ID=236 PROTO=TCP SPT=40006 DPT=7370 WINDOW=1024 RES=0x00 SYN URGP=0 "
The screen shot is of my logstash input, filter and output.

Screen Shot 2020-12-08 at 2.32.43 PM
Screen Shot 2020-12-08 at 2.32.43 PM1778×1012 119 KB

Can anyone help me create fields of all? Or just the time, firewall name , source IP and Destination IP. Thank you.

2

Your dissect filter does not match your log file format. Try

    dissect { mapping => { "message" => "%{[@metadata][timestamp]} %{host} %{loglevel}: [%{someNumbers}] [%{someString}]%{[@metadata][restOfLine]}" } }
    date { match => [ "[@metadata][timestamp]", "YYYY-MM-dd'T'HH:mm:ssZ" ] }
    kv { source => "[@metadata][restOfLine]" }
3

Thank you for getting back.

Screen Shot 2020-12-08 at 3.43.02 PM
Screen Shot 2020-12-08 at 3.43.02 PM2222×1118 149 KB
I have changed the filter to match the one you suggested and still can't see the fields on kibana.
Screen Shot 2020-12-08 at 3.47.39 PM
Screen Shot 2020-12-08 at 3.47.39 PM612×1370 62.7 KB
Can you recommend anything else? Thanks.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.