Logstash filter for firewall packet drops

I am trying to parse logs from an aggregate syslog server in Logstash. I have been successful in shipping the logs from the syslog server to Logstash. I can see multiple fields from the log that are being set up (host.id, host.os, message, etc.), but I want to convert the message into fields.
The syntax of the firewall logs is:

    2020-12-08T13:34:33-08:00 fw2.abc.xyz kernel: [9394231.861125] [toLocal-default-D]IN=eth0 OUT= MAC=00:00:00:00:00:21:10:16:20:09:17:41:08:00 SRC=192.168.0.0 DST=192.168.0.0 LEN=40 TOS=0x08 PREC=0x20 TTL=241 ID=236 PROTO=TCP SPT=40006 DPT=7370 WINDOW=1024 RES=0x00 SYN URGP=0
The screen shot is of my logstash input, filter and output.


Can anyone help me create fields for all of them? Or just the time, firewall name, source IP and destination IP. Thank you.

Your dissect filter does not match your log file format. Try

    dissect { mapping => { "message" => "%{[@metadata][timestamp]} %{host} %{loglevel}: [%{someNumbers}] [%{someString}]%{[@metadata][restOfLine]}" } }
    date { match => [ "[@metadata][timestamp]", "YYYY-MM-dd'T'HH:mm:ssZ" ] }
    kv { source => "[@metadata][restOfLine]" }
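To make it easier to see what the dissect, date and kv chain above is expected to produce, here is an added Python example (not part of the original thread, and not Logstash's own code) that applies the same three steps to the sample line: a fixed-layout split for the header, ISO 8601 timestamp parsing with its offset, and a space-separated key=value split of the remainder. It goes slightly beyond the filter chain by keeping tokens that have no "=" (TCP flags such as SYN) instead of dropping them, and by grouping drops per source and destination port, which is what a defender usually wants from these lines. The log lines, hostnames and addresses are constructed samples in the same shape as the one quoted in the question.

```python
"""Parse iptables-style kernel packet-drop lines the way a dissect + date + kv
filter chain does, then summarise drops per (SRC, DST, DPT).
Added example; sample lines below are constructed, not real traffic."""
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional, Tuple
import re

# Constructed samples, same layout as the line quoted in the question.
SAMPLE_LINES = [
    "2020-12-08T13:34:33-08:00 fw2.abc.xyz kernel: [9394231.861125] "
    "[toLocal-default-D]IN=eth0 OUT= MAC=00:00:00:00:00:21:10:16:20:09:17:41:08:00 "
    "SRC=192.168.0.0 DST=192.168.0.0 LEN=40 TOS=0x08 PREC=0x20 TTL=241 ID=236 "
    "PROTO=TCP SPT=40006 DPT=7370 WINDOW=1024 RES=0x00 SYN URGP=0",
    "2020-12-08T13:34:35-08:00 fw2.abc.xyz kernel: [9394233.102200] "
    "[toLocal-default-D]IN=eth0 OUT= MAC=00:00:00:00:00:21:10:16:20:09:17:41:08:00 "
    "SRC=192.168.0.0 DST=192.168.0.0 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=512 "
    "PROTO=TCP SPT=40007 DPT=7370 WINDOW=1024 RES=0x00 SYN URGP=0",
    "2020-12-08T13:34:36-08:00 fw2.abc.xyz sshd[1234]: Accepted publickey for user",
]

# Equivalent of the dissect mapping
# "%{timestamp} %{host} %{loglevel}: [%{someNumbers}] [%{someString}]%{restOfLine}".
HEADER = re.compile(
    r"^\s*(?P<timestamp>\S+) (?P<host>\S+) (?P<loglevel>[^:]+): "
    r"\[(?P<uptime>[^\]]+)\] \[(?P<rule>[^\]]+)\](?P<rest>.*)$"
)


def parse_kv(rest: str) -> Tuple[Dict[str, str], List[str]]:
    """Split the remainder on whitespace into key=value pairs, which is what
    kv does with its default field_split and value_split. Tokens without an
    '=' (e.g. the SYN flag) are returned separately rather than discarded."""
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for token in rest.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value  # "OUT=" is kept with an empty value
        else:
            flags.append(token)
    return fields, flags


def parse_drop_line(line: str) -> Optional[dict]:
    """Return a flat event dict for a kernel packet-log line, or None when the
    line does not have that layout (so other lines can fall through untouched)."""
    m = HEADER.match(line)
    if not m:
        return None
    fields, flags = parse_kv(m.group("rest"))
    # ISO 8601 with a numeric offset such as -08:00; the offset is kept as tzinfo.
    ts = datetime.fromisoformat(m.group("timestamp"))
    return {
        "@timestamp": ts,
        "host": m.group("host"),
        "loglevel": m.group("loglevel"),
        "uptime": m.group("uptime"),
        "rule": m.group("rule"),  # the log prefix the firewall rule attached
        "flags": flags,
        **fields,
    }


def drops_by_src_dst_port(lines: List[str]) -> Counter:
    """Count parsed drop lines per (SRC, DST, DPT); non-matching lines are skipped."""
    counts: Counter = Counter()
    for line in lines:
        event = parse_drop_line(line)
        if event is None:
            continue
        counts[(event.get("SRC"), event.get("DST"), event.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_drop_line(line))
    print(drops_by_src_dst_port(SAMPLE_LINES))
```

The same shape of result (SRC, DST, DPT, PROTO and so on as top-level fields, plus @timestamp with the offset applied) is what should appear in Kibana once the dissect, date and kv filters match; if the fields are missing there, the first thing to confirm is that the message reaching the filter actually starts with the timestamp rather than with an extra syslog header prepended by the aggregation server.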

Thank you for getting back.

I have changed the filter to match the one you suggested and still can't see the fields in Kibana. Can you recommend anything else? Thanks.
