Hello,
Our Sophos firewall is sending logs to Filebeat, and Filebeat then sends them to Logstash. In Logstash I'm trying to separate out the field called "action" so that I can filter on it in Elasticsearch. So far no luck. I managed to create a new field "event.action", but the value shown for this event.action is "%{action}". So it is not getting the real "action" value. The code is below. Also please see the image below from Elasticsearch:
ctrl.vi/i/M-7pR2uI1
Does anyone know how I can get the "action" value from the syslog message? I've been struggling with this for at least 3 days.
Many thanks for all of your answers.
filter {
  grok {
    # "[" and "]" are regex metacharacters, so the pid brackets must be escaped as \[ and \].
    # Unescaped, the whole pattern fails to match (_grokparsefailure) and "action" is never extracted.
    # Note: WORD does not match "-" or ".", so use HOSTNAME instead if your hostnames contain them.
    match => { "message" => '<%{POSINT}>%{TIMESTAMP_ISO8601:timestamp} %{WORD:hostname} %{WORD:process}\[%{POSINT:pid}\]: id="%{INT:id}" severity="%{WORD:severity}" sys="%{WORD:sys}" sub="%{WORD:sub}" name="%{DATA:name}" action="%{WORD:action}" fwrule="%{INT:fwrule}" initf="%{DATA:initf}" srcmac="%{DATA:srcmac}" dstmac="%{DATA:dstmac}" srcip="%{IP:srcip}" dstip="%{IP:dstip}" proto="%{INT:proto}" length="%{INT:length}" tos="%{DATA:tos}" prec="%{DATA:prec}" ttl="%{INT:ttl}"' }
  }
  # Only copy the field when grok actually matched; otherwise the literal string
  # "%{action}" is stored in event.action, which is the symptom described above.
  if "_grokparsefailure" not in [tags] {
    mutate {
      add_field => {
        "[event][action]" => "%{action}"
      }
      remove_field => ["action"]
    }
  }
}
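As an added example (not the poster's code, and not anything Logstash or Sophos ships), the following Python script models the same parsing on a constructed Sophos-style syslog line. It shows why leaving the "[" and "]" around the pid unescaped makes the header pattern fail to match at all, which is the case in which "%{action}" stays a literal string, and it parses the key="value" body in an order-independent way so an extra or reordered field does not break extraction. The sample line, the host and process names, the addresses and the rule id are all assumptions made for the demonstration.

```python
import re

# Constructed sample line (an assumption about the format, not a capture from the
# poster's firewall), shaped the way the grok pattern in the post expects.
SAMPLE_LINE = (
    '<30>2024-01-15T10:22:33+01:00 fw01 ulogd[1234]: id="2001" severity="info" '
    'sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" '
    'fwrule="60001" initf="eth1" srcmac="00:11:22:33:44:55" dstmac="66:77:88:99:aa:bb" '
    'srcip="203.0.113.5" dstip="198.51.100.7" proto="6" length="60" tos="0x00" '
    'prec="0x00" ttl="63"'
)

# Header as the grok pattern intends it: the pid brackets are escaped, so "[" and "]"
# are matched literally instead of opening a regex character class.
HEADER_OK = re.compile(
    r'^<(?P<pri>\d+)>(?P<timestamp>\S+) (?P<hostname>\S+) '
    r'(?P<process>\w+)\[(?P<pid>\d+)\]: (?P<body>.*)$'
)

# Same header with the brackets left unescaped, as in the post. "[(?P<pid>\d+)]" is now
# a character class matching one character, so a real "ulogd[1234]:" prefix never matches.
HEADER_BROKEN = re.compile(
    r'^<(?P<pri>\d+)>(?P<timestamp>\S+) (?P<hostname>\S+) '
    r'(?P<process>\w+)[(?P<pid>\d+)]: (?P<body>.*)$'
)

# key="value" pairs in the body, accepted in any order (a fixed-order grok pattern
# breaks as soon as the firewall emits an extra, missing or reordered key).
KV = re.compile(r'(\w+)="([^"]*)"')


def parse_sophos(line, header=HEADER_OK):
    """Parse one Sophos-style syslog line into a flat dict, or return None when the
    header does not match (the equivalent of a _grokparsefailure)."""
    m = header.match(line)
    if m is None:
        return None
    event = {k: m.group(k) for k in ("pri", "timestamp", "hostname", "process", "pid")}
    event.update(KV.findall(m.group("body")))
    return event


def to_ecs(event):
    """Move 'action' into a nested event.action, as the mutate block intends, but only
    when the field was really extracted (never store a literal placeholder)."""
    if event is None or "action" not in event:
        return None
    out = dict(event)
    out["event"] = {"action": out.pop("action")}
    return out


def dropped_by_rule(events, rule_id):
    """Example use of the extracted field: source IPs dropped by a given firewall rule."""
    return sorted(
        e["srcip"] for e in events
        if e is not None and e["event"]["action"] == "drop" and e["fwrule"] == rule_id
    )


if __name__ == "__main__":
    print("unescaped header matches:", parse_sophos(SAMPLE_LINE, HEADER_BROKEN) is not None)
    ecs = to_ecs(parse_sophos(SAMPLE_LINE))
    print("event.action:", ecs["event"]["action"])
    print("dropped by rule 60001:", dropped_by_rule([ecs], "60001"))
```

In Logstash terms the equivalent changes are escaping the brackets in the grok pattern (\[%{POSINT:pid}\]) and, if the field order varies between log types, handing the key="value" part of the message to the kv filter instead of a single fixed-order grok, so that a reordered or extra key does not cause a _grokparsefailure and leave event.action as the literal "%{action}".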