Hi,
I want to parse CheckPoint Firewall syslog logs but logstash gives me an error.
Here is my error:
[2019-05-09T15:12:18,565][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, => at line 65, column 13 (byte 1217) after filter {\nif [type] == "checkpoint" {\n grok {\n match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }\n\n dissect ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in `compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:in `compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in `block in compile_sources'", "org/jruby/RubyArray.java:2486:in `map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in `compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:149:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:22:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:90:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:43:in `block in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:94:in `block in exclusive'", "org/jruby/ext/thread/Mutex.java:148:in `synchronize'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:94:in `exclusive'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:39:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:327:in `block in converge_state'"]}
Here are my CheckPoint syslog logs:
<134>1 2019-05-09T11:26:48Z BEAMMNG01 CheckPoint 13262 - [action:"Accept"; conn_direction:"Internal"; contextnum:"1"; flags:"5166080"; ifdir:"outbound"; ifname:"bond10"; logid:"0"; loguid:"{0x5cd40e78,0x7,0xfcfa960a,0xc0000000}"; origin:"10.10.10.1"; originsicname:"CN=BEAMINT01,O=BEAMMNG01.beamteknoloji.bttm.intra.u63xxm"; sequencenum:"673"; time:"1557401208"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={A5CF48CE-4570-DE4E-9CC9-9E9976CCEBF1};mgmt=BEAMMNG01;date=1557400279;policy_name=BEAMINT_Policy\]"; context_num:"1"; dst:"10.4.10.5"; hll_key:"15843445315603852578"; layer_name:"BEAMINT_Policy Security"; layer_name:"BEAMINT_Policy Application"; layer_uuid:"83d966c6-387a-4d21-adf5-dd5fcbb51b30"; layer_uuid:"852d9f52-2cca-4b2e-b58c-4c91293de578"; match_id:"144"; match_id:"16777264"; parent_rule:"0"; parent_rule:"0"; rule_action:"Accept"; rule_action:"Accept"; rule_name:"Win Network Services Haberleme"; rule_uid:"d5a72212-6834-4b1e-ba9a-8519be0ea4bd"; rule_uid:"ca9c011a-6a39-4127-9ef2-a59a26a3004b"; product:"VPN-1 & FireWall-1"; proto:"17"; protocol:"DNS-UDP"; s_port:"56448"; service:"53"; service_id:"domain-udp"; sig_id:"2"; src:"10.60.10.5"; src_machine_name:"bttmdn9149@beamteknoloji.bttm.intra"; src_user_dn:"CN=Kadir Yapar,OU=Standard Users,OU=Users,OU=beamteknoloji,DC=beamteknoloji,DC=bttm,DC=intra "; src_user_name:"Kadir YAPAR [beamteknoloji\] (kyapar) "; user:"Kadir YAPAR [beamteknoloji\] (kyapar) "; ]
My filter:
filter {
  kv {
  }
  grok {
    # This pattern expects the traditional BSD syslog header (e.g. "May  9 11:26:48 host prog[pid]: ..."),
    # not the RFC 5424 header in the sample line above, so it will tag the event with _grokparsefailure.
    match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
  }   # the grok block must be closed here; dissect, date and kv are separate filters, not grok options
  dissect { mapping => { "message" => "<%{level}>%{} %{ts} %{HostName} %{Device} %{DeviceID} - [%{kvString}" } }
  date { match => [ "ts", "ISO8601" ] }
  kv { source => "kvString" field_split => ";" value_split => ":" trim_key => " " }
  mutate {
    gsub => ["timestamp"," "," "]
  }
  date {
    match => [ "timestamp", "ddMMMYYYY HH:mm:ss" ]
  }
}
How can I solve this issue?
My logstash version = 6.6.1
CheckPoint Version = R8020
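The Check Point line in the question is an RFC 5424 syslog message whose body is a run of key:"value"; pairs. The following Python parser is an added example, not part of the original post and not code from Logstash or any of its plugins; it shows what a correct key/value split of that body has to handle: values quoted with double quotes, a `;` inside a quoted value (the __policy_id_tag field), the backslash-escaped `\]`, trailing spaces inside values, and keys that appear more than once (layer_name, rule_action, and others), which here are collected into lists instead of being overwritten. SAMPLE_LINE is an abridged copy of the line in the question; the header and pair regular expressions are this example's own assumptions about the format.

```python
"""Parse a Check Point RFC 5424 syslog line into header fields and key/value pairs.

Added example, not from the original post: a stand-alone parser for the line
format shown in the question, written to expose the edge cases a kv split must
survive (quoted values containing ';', escaped '\\]', duplicate keys).
"""
import re
from typing import Any, Dict

# Abridged copy of the sample line from the question (same format, fewer fields).
SAMPLE_LINE = (
    r'<134>1 2019-05-09T11:26:48Z BEAMMNG01 CheckPoint 13262 - [action:"Accept"; '
    r'ifdir:"outbound"; origin:"10.10.10.1"; '
    r'__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={A5CF48CE-4570-DE4E-9CC9-9E9976CCEBF1};'
    r'mgmt=BEAMMNG01;date=1557400279;policy_name=BEAMINT_Policy\]"; '
    r'dst:"10.4.10.5"; layer_name:"BEAMINT_Policy Security"; layer_name:"BEAMINT_Policy Application"; '
    r'rule_action:"Accept"; rule_action:"Accept"; proto:"17"; service:"53"; src:"10.60.10.5"; '
    r'src_user_name:"Kadir YAPAR [beamteknoloji\] (kyapar) "; ]'
)

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, followed by the
# Check Point body "[key:"value"; key:"value"; ...]" (assumed shape, derived from the sample).
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) \[(?P<body>.*)\]\s*$'
)

# One key:"value" pair.  Inside the quotes a backslash escapes the next character (the
# sample uses \] to hide a literal ']'), so a ';' inside quotes does not end the value.
PAIR_RE = re.compile(r'\s*(?P<key>[^:;\s]+):"(?P<val>(?:[^"\\]|\\.)*)"\s*;?')


def parse_kv(body: str) -> Dict[str, Any]:
    """Split the bracketed body into a dict; repeated keys become lists."""
    fields: Dict[str, Any] = {}
    pos = 0
    while pos < len(body):
        m = PAIR_RE.match(body, pos)
        if not m:
            # Tolerate trailing whitespace or stray separators; fail loudly on anything else.
            if body[pos:].strip(' ;') == '':
                break
            raise ValueError(f'unparseable key/value at offset {pos}: {body[pos:pos + 40]!r}')
        key = m.group('key')
        val = re.sub(r'\\(.)', r'\1', m.group('val')).strip()   # drop the escaping backslash
        if key in fields:
            existing = fields[key]
            fields[key] = existing + [val] if isinstance(existing, list) else [existing, val]
        else:
            fields[key] = val
        pos = m.end()
    return fields


def parse_checkpoint_syslog(line: str) -> Dict[str, Any]:
    """Return header fields plus the parsed key/value body for one syslog line."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not an RFC 5424 Check Point syslog line')
    pri = int(m.group('pri'))
    return {
        'facility': pri >> 3,      # PRI = facility * 8 + severity
        'severity': pri & 7,
        'timestamp': m.group('ts'),
        'hostname': m.group('host'),
        'app': m.group('app'),
        'procid': m.group('procid'),
        'fields': parse_kv(m.group('body')),
    }


if __name__ == '__main__':
    for k, v in parse_checkpoint_syslog(SAMPLE_LINE).items():
        print(f'{k}: {v}')
```

Fields such as layer_name come out as two-element lists, which is the behaviour to expect from any kv-style split of this format: Check Point emits one entry per policy layer, so a parser that keeps only the last value silently loses the first layer's name, UUID and rule id.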