Logstash Snort Log Parse Error

kolten · September 20, 2018, 2:04pm

hi,

i want to parse my snort log file with grok but pattern couldnt parse it.

Here is my log file example;

{ "timestamp" : "09/20-07:12:23.851184", "msg" : "Nmap XMAS Tree Scan", "priority" : 0, "proto" : "TCP", "src_addr" : "192.168.2.242", "src_port" : 50004, "dst_addr" : "192.168.2.250", "dst_port" : 22 }

I tried everything but didnt!

I want to parse message and add fields like msg, src_addr, src_port etc.

I edited log file:

TCP 192.168.2.242 50004 192.168.2.250 22

and wrote filter:

filter {
if [type] == "snort" {
grok {
match => { "message" => "%{IP:src_ip} %{NUMBER:src_port} %{IP:dst_ip} % {NUMBER:dst_port}"}
}
mutate {
convert => { "src_port" => "integer" }
convert => { "dst_port" => "integer" }
add_field => {
"src_ip" => "%{src_ip}"
"src_port" => "%{src_port}"
"dst_ip" => "%{dst_ip}"
"dst_port" => "%{dst_port}"
}
}
}
}

it didnt work.

Anybody can help me for write filter ?

Christian_Dahlqvist · September 20, 2018, 2:27pm

That looks like JSON. Have you tried using a json filter?

kolten · September 28, 2018, 11:15am

We used json parser but it didnt work because of our logstash source was wrong. After fix it we solved this issue. Thanks.

system · October 26, 2018, 11:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.