Logstash iptables log parse


(Jerry Hwang) #1

Hi,

ELK runs in containers.

I set up iptables to send all input/forward/output logs to Logstash. Example log as seen on the Kibana Discover pane:

@version:1 host:3.3.3.3 @timestamp:March 3rd 2018, 12:14:45.220 message:<4>Mar 3 20:14:47 myhost kernel: [2242132.946331] LOG_ALL_TRAF public INPUT IN=public OUT= MAC=00:1e:67:f2:db:28:00:1e:67:f2:d9:7c:08:00 SRC=1.1.1.1 DST=2.2.2.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=17722 DF PROTO=TCP SPT=3504 DPT=8080 WINDOW=512 RES=0x00 ACK URGP=0 type:rsyslog tags:_jsonparsefailure _id:AWHtgJ_qYRe3mIjckQsb _type:rsyslog _index:logstash-2018.03.03 _score: -

The entire log is categorized as the 'message' field in the Kibana Discover view.
But I wish to use SRC, DST, SPT, DPT etc. as individual fields and then also use them to visualize.

Any guidance is much appreciated.


(Magnus Bäck) #2

So you have a standard syslog message (see the example in the Logstash documentation), but on top of that you want to parse the message part to extract additional fields. Have a look at the kv filter.
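
The two-stage parse the reply describes (syslog header first, then key=value extraction of the kernel log payload), as an added example that is not part of the original thread or of Logstash itself. It runs over the line from the question (embedded as a constructed sample) and shows two details a plain kv split does not handle on its own: `OUT=` carries an empty value on an INPUT-chain log, and TCP flags such as `DF` and `ACK` are bare tokens with no `=` at all. The `_jsonparsefailure` tag in the posted event is worth noting too: it is set when a json codec or filter receives non-JSON input, which is exactly what an rsyslog line is, so the parsing has to be done with grok/kv rather than a JSON codec. Field names (`log_prefix`, `kernel_uptime`, `flags`) are the example's own choices.

```python
import json
import re

# Constructed sample: the syslog payload from the post (the part Kibana shows as "message").
SAMPLE = (
    "<4>Mar 3 20:14:47 myhost kernel: [2242132.946331] LOG_ALL_TRAF public INPUT "
    "IN=public OUT= MAC=00:1e:67:f2:db:28:00:1e:67:f2:d9:7c:08:00 SRC=1.1.1.1 DST=2.2.2.2 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=17722 DF PROTO=TCP SPT=3504 DPT=8080 "
    "WINDOW=512 RES=0x00 ACK URGP=0"
)

# Stage 1: RFC 3164-style header "<PRI>Mmm dd HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)

# Stage 2: optional printk uptime, the --log-prefix text, then the key=value run starting at IN=.
IPT_RE = re.compile(r"^(?:\[\s*(?P<uptime>[\d.]+)\]\s+)?(?P<prefix>.*?)\s*(?P<kv>IN=.*)$")

# Fields that are plain decimal integers; TOS/PREC/RES are hex strings and stay as text.
INT_FIELDS = {"LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "URGP"}


def parse_syslog(line):
    """Split the syslog header off and decode PRI into facility/severity."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line[:40])
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    rec["facility"], rec["severity"] = pri >> 3, pri & 7
    return rec


def parse_iptables(msg):
    """Turn the kernel LOG payload into fields; None if it is not an iptables log."""
    m = IPT_RE.match(msg)
    if not m:
        return None
    out = {
        "log_prefix": m.group("prefix"),
        "kernel_uptime": float(m.group("uptime")) if m.group("uptime") else None,
        "flags": [],
    }
    for tok in m.group("kv").split():
        key, sep, value = tok.partition("=")
        if not sep:
            out["flags"].append(key)        # bare token: DF, ACK, SYN, ... (kv would drop these)
        elif key in INT_FIELDS:
            out[key] = int(value)
        else:
            out[key] = value                # "" for OUT= on an INPUT-chain log
    return out


def parse_line(line):
    """Full pipeline: syslog header, then iptables fields nested under 'iptables'."""
    rec = parse_syslog(line)
    fields = parse_iptables(rec["message"])
    if fields is not None:
        rec["iptables"] = fields
    return rec


if __name__ == "__main__":
    print(json.dumps(parse_line(SAMPLE), indent=2))
```

In a Logstash pipeline the same split is a grok filter for the syslog header followed by a kv filter whose `source` is the extracted message; kv only emits tokens that contain its `value_split` (`=` by default), so the bare flag tokens need a separate grok or ruby step if you want them as a field. Converting SPT/DPT/LEN to integers (a mutate `convert`, or an index template) is what makes range queries and histograms in Kibana behave.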

