Parsing nested logs


#1

Hello,
I've been testing Logstash (1.5.0) in order to process a log generated by a FortiAnalyzer (by Fortinet), without success. I have to say it's my first try with Logstash, so I would kindly appreciate some help.

Here is my .conf file:

input {
  file {
    path => "/var/log/fortisyslog.log"
    type => fortisyslog
  }
}

filter {
  grok {
    match => { "message" => "(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) ?%{SYSLOGHOST:logsource} severity=%{WORD:severity} from=MYSOURCE(%{WORD:fazsource}) trigger=%{WORD:customer}-%{WORD:famprod} log=%{GREEDYDATA:flog}" }
  }
  kv {
  }
}

output {
  if [type] == "fortisyslog" {
    stdout {
      codec => json
    }
  }
}

The input is the following line:
2015-06-15T09:13:58.415212+02:00 1.2.2.120 severity=medium from=MYSOURCE(ABCDE0000001) trigger=customer-SLA log="date=2015-06-15 time=09:13:53 itime=1434352437 devname=ASSSDDR44331638 devid=ASSSDDR44331638 logid=18432 type=utm subtype=ips eventtype=anomaly level=alert vd=root severity=critical srcip=1.2.3.48 dstip=1.2.3.55 srcintf="internal1" policyid=N/A identidx=N/A sessionid=0 status=detected proto=17 service=137/udp count=39 attackname="udp_scan" srcport=137 dstport=137 attackid=285212776 sensor="DoS-policy3" ref="http://www.fortinet.com/ids/VID285212776" msg="anomaly: udp_scan, 41 > threshold 40, repeats 39 times" crscore=3422552114 craction=4096"

The output is:

{"message":"2015-06-15T09:13:58.415212+02:00 1.2.2.120 severity=medium from=MYSOURCE(ABCDE0000001) trigger=customer-SLA log="date=2015-06-15 time=09:13:53 itime=1434352437 devname=ASSSDDR44331638 devid=ASSSDDR44331638 logid=18432 type=utm subtype=ips eventtype=anomaly level=alert vd=root severity=critical srcip=1.2.3.48 dstip=1.2.3.55 srcintf="internal1" policyid=N/A identidx=N/A sessionid=0 status=detected proto=17 service=137/udp count=39 attackname="udp_scan" srcport=137 dstport=137 attackid=285212776 sensor="DoS-policy3" ref="http://www.fortinet.com/ids/VID285212776" msg="anomaly: udp_scan, 41 > threshold 40, repeats 39 times" crscore=3422552114 craction=4096" ","@version":"1","@timestamp":"2015-06-15T07:14:04.083Z","type":"fortisyslog","host":"slav4","path":"/var/log/fortisyslog.log","timestamp8601":"2015-06-15T09:13:58.415212+02:00","logsource":"1.2.2.120","severity":"medium","fazsource":"ABCDE0000001","customer":"customer","famprod":"SLA","flog":""date=2015-06-15 time=09:13:53 itime=1434352437 devname=ASSSDDR44331638 devid=ASSSDDR44331638 logid=18432 type=utm subtype=ips eventtype=anomaly level=alert vd=root severity=critical srcip=1.2.3.48 dstip=1.2.3.55 srcintf="internal1" policyid=N/A identidx=N/A sessionid=0 status=detected proto=17 service=137/udp count=39 attackname="udp_scan" srcport=137 dstport=137 attackid=285212776 sensor="DoS-policy3" ref="http://www.fortinet.com/ids/VID285212776" msg="anomaly: udp_scan, 41 > threshold 40, repeats 39 times" crscore=3422552114 craction=4096" ","from":"MYSOURCE(ABCDE0000001)","trigger":"customer-SLA","log":"date=2015-06-15 time=09:13:53 itime=1434352437 devname=ASSSDDR44331638 devid=ASSSDDR44331638 logid=18432 type=utm subtype=ips eventtype=anomaly level=alert vd=root severity=critical srcip=1.2.3.48 dstip=1.2.3.55 srcintf=","policyid":"N/A","identidx":"N/A","sessionid":"0","status":"detected","proto":"17","service":"137/udp","count":"39","attackname":"udp_scan","srcport":"137","dstport":"137","attackid":"285212776","sensor":"DoS-policy3","ref":"http://www.fortinet.com/ids/VID285212776","msg":"anomaly: udp_scan, 41 > threshold 40, repeats 39 times","crscore":"3422552114","craction":"4096""}

It looks like the field flog is parsed until the second occurrence of the double-quote character ("). How can I overcome this problem?

Thanks in advance.

Luciano


(system) #2