Logstash - tagging snort[#####] not working

kozoke · December 8, 2018, 11:48pm

Hi,

I'm attempting to extract pfsense logs, specifically the snort plugin alert logs.

I've pulled the following filter from this site:
https://gist.githubusercontent.com/mrlesmithjr/0799cdc3710f2ae1e182/raw/cfad5b0740928060b9322fcc5a4406073cc446ce/pfsense_snort_logstash

My filter is this:
if [prog] == /snort$ / {
mutate {
add_tag => [ "snort" ]
}
}

Logstash shows this as the [prog] field - so it is parsing this out (which is snort[pid]:
snort[59585]

Question is - how can I tag this text snort[#####]
so the rest of the filter works?

I'm guessing my filter match is incorrect?

Thanks!

Full unfiltered sample log below.
```<33>Dec 3 18:59:27 snort[38444]: [1:2402000:5016] ET DROP Dshield Preformatted Block Listed Source group 1 [Classification: Misc Attack] [Priority: 2] {TCP}Preformatted ###.###.###.###: -> ###.###.###.###:

kozoke · December 12, 2018, 2:25am

I figured it out.

Here is the match pattern:

            if "snort" in [prog] {             
              mutate {
                add_tag => [ "snort" ]
              }
            }

Here is the grok pattern if anyone is interested.

      grok {
        match => [
          "message",  "\[%{INT:ids_gid}:%{INT:ids_sid}:%{INT:ids_rev}\]%{DATA:preprocessor}%{GREEDYDATA:ids_alert}.\[Classification\:%{DATA:ids_classification}\].*\[Priority\: %{INT:ids_priority}].*{%{WORD:ids_proto}}.*%{IP:src_ip}:%{INT:src_port} \-\>.*%{IP:dst_ip}:%{INT:dst_port}",
          "message", "\[%{INT:ids_gid}:%{INT:ids_sid}:%{INT:ids_rev}\].%{GREEDYDATA:message2}"
        ]
      }

system · January 9, 2019, 2:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.