Parsing firewall logs in Logstash

Hello,

Our Sophos firewall is sending logs to Filebeat, and Filebeat then sends them to Logstash. In Logstash I'm trying to separate out a field called "action" so that I can filter on it in Elasticsearch. So far no luck. I managed to create a new field "event.action", but the value shown for event.action is "%{action}", so it is not getting the real "action" value. The code is below. Please also see the image below from Elasticsearch:

ctrl.vi/i/M-7pR2uI1

Does anyone know how I can get the "action" value from the syslog message? I've been struggling with this for at least 3 days.

Many thanks for all of your answers.

filter {
  grok {
    # '[' and ']' are regex metacharacters: unescaped, "[%{POSINT:pid}]"
    # becomes a character class instead of a literal "[1234]", so the whole
    # pattern fails to match and no "action" field is ever created.
    match => { "message" => '<%{POSINT}>%{TIMESTAMP_ISO8601:timestamp} %{WORD:hostname} %{WORD:process}\[%{POSINT:pid}\]: id="%{INT:id}" severity="%{WORD:severity}" sys="%{WORD:sys}" sub="%{WORD:sub}" name="%{DATA:name}" action="%{WORD:action}" fwrule="%{INT:fwrule}" initf="%{DATA:initf}" srcmac="%{DATA:srcmac}" dstmac="%{DATA:dstmac}" srcip="%{IP:srcip}" dstip="%{IP:dstip}" proto="%{INT:proto}" length="%{INT:length}" tos="%{DATA:tos}" prec="%{DATA:prec}" ttl="%{INT:ttl}"' }
  }

  # Copies "action" into the ECS-style event.action field and drops the original.
  mutate {
    add_field => {
      "[event][action]" => "%{action}"
    }
    remove_field => ["action"]
  }
}

Can you share a sample message of your logs?

From what you shared, a big part of your message is a key-value message, which you can parse easily using the kv filter instead of grok.

Also, your mutate is wrong: you need the order of the operations to be preserved, so you need to use two mutate blocks. If you have add_field and then remove_field for the same field, it may remove the field before it creates the new one.

This is in the documentation:

Each mutation must be in its own code block if the sequence of operations needs to be preserved.

Try this:

mutate {
    add_field => {
        "[event][action]" => "%{action}"
    }
}
mutate {
    remove_field => ["action"]
}

Or you can just use a rename

mutate {
    rename => {
        "action" => "[event][action]"
    }
}
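Putting the reply's two suggestions together, here is an added example pipeline that is not from the original thread, from Sophos or from Elastic: grok parses only the syslog envelope, the kv filter splits the Sophos key="value" body, and a single rename moves the result into ECS-style fields. The sample line in the comment is constructed to match the grok pattern in the question, and the `sophos` target name and the `_grokparsefailure_sophos` tag are names chosen for this example.

```logstash
# Constructed sample line (modelled on the grok pattern in the question),
# as Filebeat hands it to Logstash:
#
#   <30>2021-03-01T10:15:42+01:00 utm ulogd[4242]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="00:11:22:33:44:55" dstmac="66:77:88:99:aa:bb" srcip="203.0.113.7" dstip="192.0.2.10" proto="6" length="60" tos="0x00" prec="0x00" ttl="64"
filter {
  # Step 1: grok only the syslog envelope. Everything after "]: " is the
  # Sophos key="value" body and is kept in a scratch field for kv.
  # '[' and ']' are regex metacharacters and must be escaped.
  grok {
    match => {
      "message" => '<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME:hostname} %{PROG:process}\[%{POSINT:pid}\]: %{GREEDYDATA:kv_body}'
    }
    # Tag name is an assumption; a distinct tag makes envelope failures easy to find.
    tag_on_failure => ["_grokparsefailure_sophos"]
  }

  if "_grokparsefailure_sophos" not in [tags] {
    # Step 2: kv splits the body. The defaults already split fields on
    # whitespace and values on "=", and keep whitespace inside quoted
    # values, so name="Packet dropped" stays one value. "sophos" is a
    # target chosen here so raw keys do not collide with ECS field names.
    kv {
      source => "kv_body"
      target => "sophos"
      remove_field => ["kv_body"]
    }

    # Step 3: move the fields you filter on into ECS names. rename is a
    # single mutation, so there is no add_field/remove_field ordering to
    # get wrong; anything not renamed stays under [sophos].
    mutate {
      rename => {
        "[sophos][action]" => "[event][action]"
        "[sophos][srcip]"  => "[source][ip]"
        "[sophos][dstip]"  => "[destination][ip]"
        "[sophos][fwrule]" => "[rule][id]"
      }
      convert => { "[sophos][proto]" => "integer" }
    }

    # Step 4: use the firewall's own timestamp as @timestamp.
    date {
      match => ["timestamp", "ISO8601"]
      remove_field => ["timestamp"]
    }
  }
}
```

Check the config with `bin/logstash -f <pipeline.conf> --config.test_and_exit` before reloading. After a successful run, the sample line indexes with `event.action: drop`, `source.ip: 203.0.113.7` and `rule.id: 60001`. If a document still shows the literal string `%{action}`, the sprintf reference was expanded while the field did not exist, which means the grok stage did not match; look at the `tags` field of that document first.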
