Hi folks,
I need your help to resolve the issue below. I have been trying for many days to parse some audit logs. You will find some samples below. The idea is to simply extract these fields.
Fields that need to be extracted
"received_from" => "1.1.1.1",
"syslog_facility_code" => 1,
"hostname" => "FW-DOS01",
"syslog_message" => "user: kyloren, timestamp: 18:21 04/12/22, device: FW-DOS01, name: PG-FW-01-DD, action: Update, type: Protection Group, message: , descr_short: Updated Protection Group PG-FW-01-DD, descr_long: Updated Protection Group PG-FW-01-DD, url: https://FW-DOS01/audittrail?audit_component=25&audit_obj_id=161",
"type" => "syslog",
"host" => "1.1.1.1",
"syslog_severity_code" => 6,
"syslog_severity" => "informational",
"@timestamp" => 2022-04-12T16:21:37.000Z,
"received_at" => "2022-04-12T18:21:37.379Z",
"syslog_pri" => "14",
"syslog_timestamp" => "Apr 12 18:21:37",
"syslog_program" => "NSI",
"message" => "<14>Apr 12 18:21:37 FW-DOS01 NSI: user: kyloren, timestamp: 18:21 04/12/22, device: FW-DOS01, name: PG-FW-01-DD, action: Update, type: Protection Group, message: test, descr_short: Updated Protection Group PG-FW-01-DD, descr_long: Updated Protection Group PG-FW-01-DD, url: https://FW-DOS01/audittrail?audit_component=25&audit_obj_id=161",
"user:" => "kyloren"
"action:" => "Update"
"message:" =>"test"
"name:" => "PG-FW-01-DD"
"type:" => "Protection Group"
"descr_short:" => "Updated Protection Group PG-FW-01-DD"
"descr_long:" => "Updated Protection Group PG-FW-01-DD"
"url:" => "https://FW-DOS01/audittrail?audit_component=25&audit_obj_id=161"
"tags" => [
[0] "FW-DD01"
Audit Log Sample
<14>Apr 13 11:06:22 FW-DOS01 NSI: user: kyloren, timestamp: 11:06 04/13/22, device: FW-DOS01, name: PG-FW-01-DD, action: Update, type: Protection Group, message: test , descr_short: Updated Protection Group PG-FW-01-DD, descr_long: Updated Protection Group PG-FW-01-DD, url: https://FW-DOS01/audittrail?audit_component=25&audit_obj_id=161
<14>Apr 13 10:33:01 FW-DOS01 NSI: user: kyloren, timestamp: 10:32 04/13/22, device: FW-DOS01, name: Updated server type ST-TEST-ED, action: Update, type: system, message: test , descr_short: Updated server type ST-FW-FFS url: https://FW-DOS01/audittrail?audit_component=1&audit_obj_id=113
<14>Apr 13 11:09:22 FW-DOS01 NSI: user: kyloren, timestamp: 11:09 04/13/22, device: FW-DOS01, name: Backup, action: Edit, type: Backup, message: , descr_short: Created configuration backup, url: https://FW-DOS01/audittrail?audit_component=17&audit_obj_id=0
<14>Apr 13 11:08:22 FW-DOS01 NSI: user: kyloren, timestamp: 11:08 04/13/22, device: FW-DOS01, name: Disk, action: Delete, type: Filesystem, message: , descr_short: Deleted file from 1.1.1.1, descr_long: File: ext0ext1capture-lelynx.pcap, url: https://FW-DOS01/audittrail?audit_component=19&audit_obj_id=2
Logstash pipeline used
input {
  udp {
    port => 514
    type => syslog
    tags => ["FW-DD01"]
  }
}
filter {
  if "FW-DD01" in [tags] {
    grok {
      # The PRI value is captured as "syslog_pri" so that the syslog_pri filter below
      # finds it (the original pattern stored it in "priority", which that filter never reads).
      match => { "message" => "(<%{POSINT:syslog_pri}>)?%{SYSLOGTIMESTAMP:syslog_timestamp} ?(%{SYSLOGHOST:hostname})? %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      # A single add_field hash instead of the setting being repeated twice in one plugin block.
      # "%{host}" assumes the udp input writes the sender as a plain "host" string
      # (ECS compatibility disabled); with ECS enabled the sender is in [host][ip].
      add_field => {
        "received_at"   => "%{@timestamp}"
        "received_from" => "%{host}"
      }
    }
    syslog_pri {
      syslog_pri_field_name => "syslog_pri"
    }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  elasticsearch {
    # Elasticsearch index names must be lowercase; "auditAem-00001" is rejected.
    index => "auditaem-00001"
    hosts => ["https://es-node-01:9200"]
    ssl => true
    ssl_certificate_verification => true
    cacert => "/etc/logstash/elasticsearch-ca.pem"
    manage_template => true
    user => "elastic"
    password => ''
    codec => "plain"
  }
}
I've tried to use KV but it's not working. Can you please help me achieve my goal?
kv {
  source => "syslog_message"
  field_split => ","
  # The audit fields are written "key: value", not "key=value", so the separator
  # must be ":" (kv's default value_split is "=", which is why nothing was split).
  value_split => ":"
  trim_key => "<>\[\], "
  trim_value => "<>\[\], "
  # Nest the parsed pairs so the audit line's own "message:" key does not
  # overwrite the event's raw "message" field.
  target => "audit"
}
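To see what these kv settings yield on the sample lines before loading them into Logstash, here is an added Python reference parser (my own code, not Logstash's and not from the original post) that approximates the intended split: the syslog header as in the grok line, then fields on "," and key from value on the first ":". The two sample lines are copied from the post; the second one has no comma before "url:", and the check shows that the url is then swallowed into descr_short by any comma-based split.

```python
import re

# Constructed copies of two audit lines from the post: a well-formed one, and the
# one whose descr_short value is not followed by a comma before "url:".
SAMPLE_OK = ('<14>Apr 13 11:06:22 FW-DOS01 NSI: user: kyloren, timestamp: 11:06 04/13/22, '
             'device: FW-DOS01, name: PG-FW-01-DD, action: Update, type: Protection Group, '
             'message: test , descr_short: Updated Protection Group PG-FW-01-DD, '
             'descr_long: Updated Protection Group PG-FW-01-DD, '
             'url: https://FW-DOS01/audittrail?audit_component=25&audit_obj_id=161')
SAMPLE_NO_COMMA = ('<14>Apr 13 10:33:01 FW-DOS01 NSI: user: kyloren, timestamp: 10:32 04/13/22, '
                   'device: FW-DOS01, name: Updated server type ST-TEST-ED, action: Update, '
                   'type: system, message: test , descr_short: Updated server type ST-FW-FFS '
                   'url: https://FW-DOS01/audittrail?audit_component=1&audit_obj_id=113')

# Same shape as the grok pattern: optional <PRI>, timestamp, host, program[pid]: rest.
SYSLOG_RE = re.compile(
    r'^(?:<(?P<syslog_pri>\d{1,3})>)?(?P<syslog_timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<hostname>\S+) (?P<syslog_program>[^\[:]+)(?:\[(?P<syslog_pid>\d+)\])?: (?P<syslog_message>.*)$')

def split_syslog(line):
    """Return the header fields plus the remaining syslog_message."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line")
    return m.groupdict()

def kv_parse(text, field_split=",", value_split=":", trim=" <>[]"):
    """Fields are separated by field_split; key and value by the FIRST value_split
    in each field, so a value such as the url (which contains ':') keeps its colons."""
    fields = {}
    for chunk in text.split(field_split):
        key, sep, value = chunk.partition(value_split)
        if not sep:
            continue  # a chunk with no separator at all is skipped, as kv would
        key, value = key.strip(trim), value.strip(trim)
        if key:
            fields[key] = value
    return fields

def parse_audit(line):
    """Header fields at top level, audit pairs nested under 'audit' (like target => "audit")."""
    head = split_syslog(line)
    if head.get("syslog_pri"):
        # PRI = facility * 8 + severity, so 14 -> facility 1, severity 6 (informational)
        head["syslog_facility_code"], head["syslog_severity_code"] = divmod(int(head["syslog_pri"]), 8)
    return {**head, "audit": kv_parse(head["syslog_message"])}
```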