Hi, I faced a brick wall and I seem to not be able to overcome it.
My scenario
- FW logs coming to a server where they are caught by Syslog-ng
- Syslog-ng passes the logs to Logstash on the same server
- Currently, as a test Logstash writes the logs to a file.
My problem
I can see my FW logs arriving in the following format (pasted just a single entry)
sudo tcpdump port 514 -v
Msg: May 18 09:11:27 somehost 1/bla/blabla/box_Firewall_Activity: +02:00 Security somehost Block: FWD|TCP|bond1.181|45.155.205.120|8080|00:00:00:00:00:00|0.0.0.0|5678|||<no-match>|1234|0.0.0.0|0.0.0.0|0|1|0|0|0|0||||||\0x0a
However, upon their arrival in Logstash (Syslog plugin) these log entries seem to have been truncated to the Time Zone and as a result @timestamp is another syslog field/property. Please check below how the message looks like
+02:00 Security somehost Block: FWD|TCP|bond1.181|45.155.205.120|8080|00:00:00:00:00:00|0.0.0.0|31900|||<no-match>|4003|0.0.0.0|0.0.0.0|0|1|0|0|0|0||||||
Part of my config
input {
syslog {
host => "127.0.0.1"
port => 5000
}
}
filter {
if [message] =~ "Security" or [message] =~ "Info" {
#grok { keep_empty_captures => true match => { "message" => "(?....}
In order to parse the FW events I use grok filter that checks the syslog message field where raw log is (but without the timestamp which is in another syslog field @timestamp).
My filter works as a charm but now I don't have a time stamp. The below is the content of the file where the logs are written
{"SourceIP":"0.0.0.0","ReceivedPackets":"0","Action":"Allow","Info":"0","Rule":"somerule","SentBytes":"0","L4Protocol":"UDP","SourcePort":"59839","LogLevel":"Info","DestinationIP":"10.10.20.20","DestinationPort":"53","tags":["FW_ActivityLog_IPV4","sometag"],"ReceivedBytes":"0"}
My question
How can I add a timestamp to my events?
Thank you in advance for any input.
