Logstash Snort Log Parse Error

kolten · September 20, 2018, 2:04pm

hi,

i want to parse my snort log file with grok but pattern couldnt parse it.

Here is my log file example;

{ "timestamp" : "09/20-07:12:23.851184", "msg" : "Nmap XMAS Tree Scan", "priority" : 0, "proto" : "TCP", "src_addr" : "192.168.2.242", "src_port" : 50004, "dst_addr" : "192.168.2.250", "dst_port" : 22 }

I tried everything but didnt!

I want to parse message and add fields like msg, src_addr, src_port etc.

I edited log file:

TCP 192.168.2.242 50004 192.168.2.250 22

and wrote filter:

filter {
if [type] == "snort" {
grok {
match => { "message" => "%{IP:src_ip} %{NUMBER:src_port} %{IP:dst_ip} % {NUMBER:dst_port}"}
}
mutate {
convert => { "src_port" => "integer" }
convert => { "dst_port" => "integer" }
add_field => {
"src_ip" => "%{src_ip}"
"src_port" => "%{src_port}"
"dst_ip" => "%{dst_ip}"
"dst_port" => "%{dst_port}"
}
}
}
}

it didnt work.

Anybody can help me for write filter ?

Christian_Dahlqvist · September 20, 2018, 2:27pm

That looks like JSON. Have you tried using a json filter?

kolten · September 28, 2018, 11:15am

We used json parser but it didnt work because of our logstash source was wrong. After fix it we solved this issue. Thanks.

system · October 26, 2018, 11:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can't parse the log Logstash	12	2227	May 10, 2017
How to parse this format of log Logstash	6	320	August 5, 2019
Grok Filter For my Log file Logstash	15	464	April 1, 2019
GROK: help with pattern Logstash	4	257	June 17, 2021
Grok parsing, still not solved Logstash	15	575	March 13, 2019

Logstash Snort Log Parse Error

Related topics