Parsing syslogs using Grok

Hi All,
Hope you are good!!
I need your help with the syslog configuration for the following raw event, which is unstructured, and with how to parse it using a grok filter:

2020-10-05T00:00:00+02:00 x.x.x.x 3 0 1 1 229eb9 1020 20201005 00:00:00 1 6 Allow_All y.y.y.y 49120 t.t.t.t 8098 eth0 eth1 S```2N/A4```` 2020-10-05T00:00:00+02:00 x.x.x.x 3011229eb910202020100500:00:0036Allow_Ally.y.y.y49120t.t.t.t8098eth0eth1````4014012`2S ra2`N/A`4```` 2020-10-05T00:00:00+02:00 x.x.x.x 3`0`1`1`229eb9`1020`20201005`00:00:00`3`6`Allow_All`y.y.y.y`14024`t.t.t.t`443`eth0`eth1````2358`23`21250`21``31`0``S sa A / fa A+2N/A4 2020-10-05T00:00:00+02:00 x.x.x.x 3`0`1`1`229eb9`1020`20201005`00:00:00`3`17`Allow_All`y.y.y.y`51106`t.t.t.t`53`eth1`eth07311141``10`````2N/A4 2020-10-05T00:00:00+02:00 x.x.x.x 3`0`1`1`229eb9`1021`20201005`00:00:00`2`6`UTM_DEFAULT`y.y.y.y`40443`t.t.t.t`16492`eth5`none401```````S```0``4```` 2020-10-05T00:00:00+02:00 x.x.x.x 3011229eb910202020100500:00:0016Allow_Ally.y.y.y46733t.t.t.t443eth0eth1 RA 2N/A4```` 2020-10-05T00:00:00+02:00 x.x.x.x 3011229eb910202020100500:00:0036Allow_Ally.y.y.y46733t.t.t.t443eth0eth1````5210032`0RA2N/A` 4````
2020-10-05T00:00:00+02:00 x.x.x.x
etc....

From the above information, this is the raw event from the IPS (I have modified the IP information).

Where you find: x.x.x.x is the IP of the security device (log source IP/host IP).

y.y.y.y is the source IP information and t.t.t.t is the destination IP information.
All of these are the traffic from the device (IPS).
In the above raw events there is other information whose fields we will need, and this is how it looks:

time: yyyy-mm-dd hh-mm-ss
host=x.x.x.x
host_name=xname
src_ip: y.y.y.y
dest_ip: t.t.t.t
src_port: 49120
dest_port: 8098
action: allow (here the value can be either allow or block or teardown)
signature: jjjjjj
signature e.g.: http_method or DoS, etc. (this is the signature information that will also be included in the fields)

Here I give an example of how it looks, but the values are all dynamic/changing every time.
From this information above, I want the configuration that will allow me to receive logs from the device (IPS). Kindly help on how to do the parsing for the above raw event data from the IPS. Thank you in advance.
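An added example (not from the original post or any device vendor): a Logstash pipeline with a grok pattern for the backtick-delimited body visible in the third record of the raw events above. The listener port, the column names, and every column meaning other than the header, protocol, IPs, ports and interfaces are assumptions to verify against the IPS vendor's log format.

```logstash
# Assumed pipeline: the IPS sends plain syslog lines to a UDP listener.
# (The syslog input is avoided on purpose: its RFC3164 header parsing
# would not match a line that starts with an ISO8601 timestamp.)
input {
  udp {
    port => 5514          # placeholder port
  }
}

filter {
  grok {
    # Header: ISO8601 time, then the log source (IPS) address.
    # Body: backtick-delimited columns; [^`]* matches one column.
    # Column positions are inferred from the post's third record; the
    # %{IP} patterns expect real addresses, so the x.x.x.x placeholders
    # in the post will not match them.
    match => {
      "message" => "^%{TIMESTAMP_ISO8601:event_time} %{IPORHOST:host} (?<col1>[^`]*)`(?<col2>[^`]*)`(?<col3>[^`]*)`(?<col4>[^`]*)`(?<session_id>[^`]*)`(?<rule_id>[^`]*)`(?<log_date>[^`]*)`(?<log_time>[^`]*)`(?<col9>[^`]*)`%{INT:protocol}`(?<rule_name>[^`]*)`%{IP:src_ip}`%{INT:src_port}`%{IP:dest_ip}`%{INT:dest_port}`(?<in_interface>[^`]*)`(?<out_interface>[^`]*)`%{GREEDYDATA:remainder}$"
    }
    # Non-matching events keep the raw message and carry this tag, so
    # format changes show up as tagged events instead of silent drops.
    tag_on_failure => ["_grokparsefailure_ips"]
  }

  # The header timestamp already carries the zone offset, so use it for
  # @timestamp instead of the zone-less log_date/log_time columns.
  date {
    match  => ["event_time", "ISO8601"]
    target => "@timestamp"
  }

  mutate {
    convert => {
      "src_port"  => "integer"
      "dest_port" => "integer"
      "protocol"  => "integer"
    }
    # Allow_All / UTM_DEFAULT look like rule names, not an allow/block
    # verdict; the verdict and signature columns are somewhere in
    # "remainder" and need the vendor's field list to name them.
    remove_field => ["col1", "col2", "col3", "col4", "col9"]
  }
}
```

If the device actually emits space-separated columns (as the first record in the post appears to), replace each backtick in the pattern with a space; the dissect filter is a lighter alternative for such fixed-delimiter formats.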
