Hi,
I've just set up a new ELK-stack for monitoring of Cisco ASA Log-files. We have already one running with kibana 3 and logstash 1.4. Unfortunately, my filter is not working with the new version, since it contains "grep" and I can't find how to integrate this with the new plugin system.
My other issue are the patterns. As far as I remember, I had a patterns-folder in the installation path, but with the new installation there isn't one. How can I import my patterns?
Thanks in advance!
Here's my old filter that I want to adapt to logstash 1.5:
input {
file {
path => ["/var/log/fw/fw.log"]
sincedbpath => "/var/log/logstash"
startposition => "beginning"
type => "syslog"
tags => [ "netsyslog" ]
}
}
filter {
if [type] == "syslog" {
grok {
#strips timestamp and host off of the front of the syslog message leaving the raw message generated by the syslog client and saves it as "rawmessage"
patternsdir => "/opt/logstash/patterns"
match => [ "message", "%{CISCOTIMESTAMP:@timestamp} %{HOST:sysloghost} %{GREEDYDATA:rawmessage}" ]
}
}
classify network syslog logs as ASA or other log
if "netsyslog" in [tags] {
grep {
drop => false
match => [ "rawmessage", "%ASA-" ]
addtag => [ "asalog", "firewall" ]
}
grep {
drop => false
match => [ "rawmessage", "%PIX-" ]
addtag => [ "pixlog", "firewall" ]
}
if "firewall" not in [tags] {
mutate {
addtag => [ "genericlog" ]
}
}
}
if "asalog" in [tags] {
#parse ASA log
grok {
patternsdir => "/opt/logstash/patterns"
breakonmatch => false
match => [ "rawmessage", "%{CISCOFACSEVMNEM} %{WORD:Action} %{WORD:IPProtocol} src %{WORD:SourceZone}:%{IP:SourceAddress}\/%{POSINT:SourcePort} dst %{WORD:DestinationZone}:%{IP:DestinationAddress}\/%{POSINT:DestinationPort} by access-group \"%{NOTSPACE:rule}\"%{GREEDYDATA}",
"rawmessage", "%{CISCOFACSEVMNEM} %{WORD:Action} %{IPPROTOCOL:IPProtocol} src %{WORD:SourceZone}:%{IP:SourceAddress} dst %{WORD:DestinationZone}:%{IP:DestinationAddress} %{DATA:icmptypecode} by access-group \"%{WORD:Rule}\"%{GREEDYDATA}",
"rawmessage", "%{CISCOFACSEVMNEM} %{GREEDYDATA:description}" ]
}
mutate {
removefield => [ "message", "rawmessage" ]
addfield => [ "Application", "unknown" ]
lowercase => [ "Action" ]
}
} else {
#apply actions to logs that don't match any particular type of log
}
if "firewall" in [tags] and [SourceAddress] and [DestinationAddress] {
fingerprint {
concatenate_sources => true
method => "SHA1"
key => "logstash"
source => [ "SourceAddress", "DestinationAddress", "DestinationPort", "IPProtocol" ]
}
}
}
output {
elasticsearch {
protocol => "node"
nodename => "abc"
cluster => "abccluster"
host => "localhost"
}
}