Logstash Snort Log Parse Error

kolten · September 20, 2018, 2:04pm

hi,

i want to parse my snort log file with grok but pattern couldnt parse it.

Here is my log file example;

{ "timestamp" : "09/20-07:12:23.851184", "msg" : "Nmap XMAS Tree Scan", "priority" : 0, "proto" : "TCP", "src_addr" : "192.168.2.242", "src_port" : 50004, "dst_addr" : "192.168.2.250", "dst_port" : 22 }

I tried everything but didnt!

I want to parse message and add fields like msg, src_addr, src_port etc.

I edited log file:

TCP 192.168.2.242 50004 192.168.2.250 22

and wrote filter:

filter {
if [type] == "snort" {
grok {
match => { "message" => "%{IP:src_ip} %{NUMBER:src_port} %{IP:dst_ip} % {NUMBER:dst_port}"}
}
mutate {
convert => { "src_port" => "integer" }
convert => { "dst_port" => "integer" }
add_field => {
"src_ip" => "%{src_ip}"
"src_port" => "%{src_port}"
"dst_ip" => "%{dst_ip}"
"dst_port" => "%{dst_port}"
}
}
}
}

it didnt work.

Anybody can help me for write filter ?

Christian_Dahlqvist · September 20, 2018, 2:27pm

That looks like JSON. Have you tried using a json filter?

kolten · September 28, 2018, 11:15am

We used json parser but it didnt work because of our logstash source was wrong. After fix it we solved this issue. Thanks.

system · October 26, 2018, 11:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok Filter For my Log file Logstash	15	463	April 1, 2019
Timestamp parsing issue Logstash	2	324	July 6, 2017
Help with grok pattern Logstash	2	231	June 4, 2021
Failed to filter using following grok pattern Logstash	3	249	August 9, 2022
Can anyone please help me how can i parse this firewall log? Logstash	10	449	July 24, 2019

Logstash Snort Log Parse Error

Related Topics