LogStash, GROK and a Versa Appliance Log -

Zorkmid · June 19, 2019, 10:33pm

Hello All,
I have the need to ingesting event logs from VersaNetworks appliances. In building the LogStash filters I've run into bit of a conundrum.

I have so far the following built and have been checking it with the GrokDebugger site.

%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME:logsrc}, applianceName=(?(.?)), tenantName=(?(.?)), observationTimeMilliseconds=(?(+?\d+)), flowId=(?(+?\d+)), flowCookie=(?(+?\d+)), sourceIPv4Address=(?%{IP}), destinationIPv4Address=(?%{IP}), postNATSourceIPv4Address=(?%{IP}),

However when I add the next bit for the source port no matches are found
sourcePort=(?(+?\d+)),

Log Sample:
2017-11-26T22:36:31+0000 cgnatLog, applianceName=Site1Branch1, tenantName=Customer1, observationTimeMilliseconds=2337165310, flowId=33655871, flowCookie=1511734794, sourceIPv4Address=172.18.101.10, destinationIPv4Address=8.8.8.8, postNATSourceIPv4Address=70.70.5.2, postNATDestinationIPv4Address=8.8.8.8, sourcePort=37190, destinationPort=53, postNAPTsourceTransportPort=45643, postNAPTdestinationTransportPort=53, tenantId=1, vsnId=0, applianceId=0, protocolIdentifier=17, sourceNatPoolName=DIA-Pool-ISPA-Network, destNatPoolName=-, natRuleName=DIA-Rule-Customer1-LAN1-VR-ISPA-Network, natEvent=nat44-sess-create

I think I'm on the right path but something is just not making sense to me.
Any feed back is welcomed.

Regards
TimW

Badger · June 19, 2019, 10:43pm

I think a better approach would be

dissect { mapping => { "message" => "%{[@metadata][timestamp]} %{someField}, %{[restOfLine]}" } }
kv { source => restOfLine field_split => ", " remove_field => [ "restOfLine" ] }
date { match => [ "[@metadata][timestamp]", ISO8601 ] }

Zorkmid · June 20, 2019, 5:03pm

Many thanks and I will attempted to snip and cut my way through the dissection -
Cheers
TimW

system · July 18, 2019, 5:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.