Parsing firewall logs in logstash

secsec · July 14, 2023, 10:45am

Hello,

our sophos firewall are sending logs to filebeat, then filebeat send to logstash. In logstash im trying to separate field called "action" to be able to filter it under elasticsearch. So far no luck. I managed to create new field "event.action" that , but the value what is shown for this event.action is "%{action}". So it is not getting value real "action" value. Code is below. Also please see the image below from elasticsearch:

ctrl.vi/i/M-7pR2uI1

Does please anyone know how i can get "action" value from syslog message? Im struggling with this at least 3 days.

Many thanks for all of your answers.

filter {
grok {
match => { "message" => '<%{POSINT}>%{TIMESTAMP_ISO8601:timestamp} %{WORD:hostname} %{WORD:process}[%{POSINT:pid}]: id="%{INT:id}" severity="%{WORD:severity}" sys="%{WORD:sys}" sub="%{WORD:sub}" name="%{DATA:name}" action="%{WORD:action}" fwrule="%{INT:fwrule}" initf="%{DATA:initf}" srcmac="%{DATA:srcmac}" dstmac="%{DATA:dstmac}" srcip="%{IP:srcip}" dstip="%{IP:dstip}" proto="%{INT:proto}" length="%{INT:length}" tos="%{DATA:tos}" prec="%{DATA:prec}" ttl="%{INT:ttl}"' }
}

mutate {
add_field => {
"[event][action]" => "%{action}"
}
remove_field => ["action"]
}
}

leandrojmp · July 14, 2023, 1:31pm

Can you share a sample message of your logs?

From what you shared a big part of your message is a key-value message which you can easily parse using the kv filter instead of using grok.

Also, your mutate is wrong, you need the order of the operations to be preserved, so you need to use two mutate blocks, if you have add_field and then remove_field with the same field, it may remove the field before it creates the new one.

This is in the documentation:

Each mutation must be in its own code block if the sequence of operations needs to be preserved.

Try this:

mutate {
    add_field => {
        "[event][action]" => "%{action}"
    }
}
mutate {
    remove_field => ["action"]
}

Or you can just use a rename

mutate {
    rename => {
        "action" => "[event][action]"
    }
}

system · August 11, 2023, 1:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parsing firewall logs in logstash Logstash	7	2497	January 20, 2020
Filter Logs from Firewall Logstash	4	1849	April 22, 2019
Sophos UTM syslog message parsing with Logstash Logstash	2	1570	July 9, 2019
How to strip events from message field? Logstash syslog Logstash	8	703	August 18, 2021
Logstash filter for firewall packet drops Logstash	3	586	January 5, 2021

Parsing firewall logs in logstash

Related topics