Parse the middle of a log

Hello, I am new to filtering. I have a log that I want to parse, but I am having an issue. My log is:
Mar 23 11:59:11 CLL21DCIDS01-IDS snort[26109]: [137:1:2] (spp_ssl) Invalid Client HELLO after Server HELLO Detected [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.16.247:51650 -> 52.184.227.73:443

I was able to parse up to (spp_ssl). The thing is that now I want to save everything up to [Priority in a field, but I don't know how. Then I will continue parsing the priority, the protocol, and so on.

My filter is currently this one:

filter {
  grok {
    # Parentheses are escaped so "(spp_ssl)" is matched literally;
    # unescaped they form a regex group and otraVariable keeps the brackets.
    match => { "message" => "%{SYSLOGTIMESTAMP:logDate} %{NOTSPACE:hostname} %{NOTSPACE:loglevel} \[%{NOTSPACE:mynumber}\] \(%{NOTSPACE:otraVariable}\) %{GREEDYDATA:message}" }
    overwrite => [ "message" ]
  }
  mutate {
    copy => { "loglevel" => "loglevel_tmp" }
  }
  mutate {
    # "snort[26109]:" splits into "snort" and "26109]:"
    split => [ "loglevel_tmp", "[" ]
    add_field => {
      "hostType" => "%{loglevel_tmp[0]}"
      "ruleId" => "%{loglevel_tmp[1]}"
    }
  }
  mutate {
    remove_field => [ "loglevel_tmp", "loglevel" ]
  }
}

Hi, I think this is what you are looking for:

grok {
  # \(...\) matches the literal parentheses; %{DATA} is lazy, so "data"
  # holds everything from the message text up to and including "[" before "Priority:"
  match => { "message" => "%{SYSLOGTIMESTAMP:logDate} %{NOTSPACE:hostname} %{NOTSPACE:loglevel} \[%{NOTSPACE:mynumber}\] \(%{NOTSPACE:otraVariable}\) %{DATA:data}Priority: %{INT:priority}" }
}

and then you can simply remove the field "data" using:

mutate {
  remove_field => [ "data" ]
}
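As an added example, not code from the original thread and not a Logstash grok pattern, here is a Python regex parser that does for the whole Snort syslog line what the grok patterns above do for its first half: it also pulls out the classification, priority, protocol, addresses and ports that the question intends to parse next, and it treats the preprocessor tag, the classification and the ports as optional, since Snort omits them for some alerts. The field names (program, pid, gid/sid/rev, rule_id and so on) are my own choice, and only the first sample line is the line from the question; the other two are constructed in the same shape.

```python
import re

# Constructed sample input. The first line is the alert from the question;
# the other two are constructed in the same Snort syslog shape, one without a
# preprocessor tag or classification, and one for ICMP, which carries no ports.
SAMPLE_LINES = [
    "Mar 23 11:59:11 CLL21DCIDS01-IDS snort[26109]: [137:1:2] (spp_ssl) "
    "Invalid Client HELLO after Server HELLO Detected "
    "[Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 192.168.16.247:51650 -> 52.184.227.73:443",
    "Mar 23 12:00:01 CLL21DCIDS01-IDS snort[26109]: [1:1000001:1] "
    "CONSTRUCTED local rule alert "
    "[Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 10.0.0.5:80 -> 192.168.16.10:51234",
    "Mar 23 12:00:02 CLL21DCIDS01-IDS snort[26109]: [1:1000002:1] "
    "CONSTRUCTED ping sweep alert [Priority: 3] "
    "{ICMP} 10.0.0.5 -> 192.168.16.10",
]

# Regex equivalent of the grok chain: one named group per field, with the
# preprocessor tag, the classification and the ports optional. "msg" is lazy
# (like %{DATA}) so it stops at the first "[Classification" / "[Priority".
SNORT_SYSLOG_RE = re.compile(
    r"^(?P<logDate>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program>[^\[\s]+)\[(?P<pid>\d+)\]: "          # snort[26109]:
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "      # [137:1:2]
    r"(?:\((?P<preprocessor>[^)]+)\) )?"                # (spp_ssl), optional
    r"(?P<msg>.*?) "
    r"(?:\[Classification: (?P<classification>[^\]]+)\] )?"
    r"\[Priority: (?P<priority>\d+)\] "
    r"\{(?P<protocol>[A-Z]+)\} "
    r"(?P<src_ip>[\d.]+)(?::(?P<src_port>\d+))? -> "    # IPv4 only here
    r"(?P<dst_ip>[\d.]+)(?::(?P<dst_port>\d+))?$"
)

INT_FIELDS = ("pid", "gid", "sid", "rev", "priority", "src_port", "dst_port")


def parse_snort_alert(line):
    """Return a dict of fields for one Snort syslog alert, or None when the
    line does not have the expected shape (the counterpart of Logstash
    tagging the event _grokparsefailure)."""
    m = SNORT_SYSLOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    fields = m.groupdict()
    for key in INT_FIELDS:
        if fields[key] is not None:
            fields[key] = int(fields[key])
    # Keep the Snort rule identity as one "gid:sid:rev" string as well, which
    # is the value a detection engineer usually searches on.
    fields["rule_id"] = "%d:%d:%d" % (fields["gid"], fields["sid"], fields["rev"])
    return fields


def parse_lines(lines):
    """Parse many lines; return (parsed events, lines that did not parse).
    Unparsed lines are kept rather than dropped so a pipeline can notice a
    parser that silently stops matching after a log-format change."""
    parsed, failed = [], []
    for line in lines:
        event = parse_snort_alert(line)
        if event is None:
            failed.append(line)
        else:
            parsed.append(event)
    return parsed, failed


if __name__ == "__main__":
    events, failures = parse_lines(SAMPLE_LINES + ["not a snort line"])
    for e in events:
        print("%s rule=%s prio=%d %s %s:%s -> %s:%s  %s" % (
            e["logDate"], e["rule_id"], e["priority"], e["protocol"],
            e["src_ip"], e["src_port"], e["dst_ip"], e["dst_port"], e["msg"]))
    print("unparsed lines:", len(failures))
```

In Logstash terms, `parse_snort_alert` returning None is the case where you would check for the `_grokparsefailure` tag; counting those per minute is a cheap health check for the pipeline, because a parser that stops matching after a Snort upgrade otherwise fails silently.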
