I have managed to stand up an ELK stack on an Ubuntu host to bring in my NGINX logs, which is all working well.
I have now tried to expand this to bring in firewall logs from my USG Pro Firewall and am running into some issues when trying to formulate a GROK formula!
Example log:
Feb 12 10:08:12 USG-Pro-4 kernel: [WAN_OUT-2000-D]IN=eth0.20 OUT=eth2 MAC=fc:ec:da:48:75:63:d8:0d:17:f0:2f:cd:08:00:45:00:00:2c SRC=192.168.20.69 DST=13.200.17.13 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=58512 PROTO=TCP SPT=59296 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Using GROK Debug, I have managed to construct the following grok formula which parses everything from [WAN_OUT-2000] onwards correctly:
\[%{WORD:interface}-%{WORD:ruleindex}-%{WORD:action}\]IN=%{NOTSPACE:IN}%{SPACE}OUT=%{NOTSPACE:OUT}%{SPACE}MAC=%{NOTSPACE:MAC}%{SPACE}SRC=%{NOTSPACE:SRCIP}%{SPACE}DST=%{NOTSPACE:DSTIP}%{SPACE}LEN=%{WORD:LEN}%{SPACE}TOS=%{WORD:TOS}%{SPACE}PREC=%{WORD:PREC}%{SPACE}TTL=%{WORD:TTL}%{SPACE}ID=%{WORD:ID}%{SPACE}(?:DF%{SPACE})?PROTO=%{WORD:PROTO}%{SPACE}SPT=%{WORD:SPT}%{SPACE}DPT=%{WORD:DPT}
Any ideas on how to parse the date, hostname and source would be greatly appreciated!
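As an added example (not from the post above), here is the same parse done in plain Python so the pieces can be checked offline: the syslog prefix is matched with the regex equivalents of the stock grok patterns `%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host} %{DATA:program}:`, and the iptables part is split into key=value fields plus bare flags (DF, SYN, ...) instead of being pinned to one fixed field order. The second sample line is constructed to exercise the DF flag and an empty OUT= value.

```python
import re

# Regex equivalent of: %{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host} %{DATA:program}:
# \[%{WORD:interface}-%{WORD:ruleindex}-%{WORD:action}\] followed by the rest of the line.
PREFIX = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "  # SYSLOGTIMESTAMP
    r"(?P<host>\S+) "                                               # SYSLOGHOST
    r"(?P<program>[^:]+): "                                         # e.g. "kernel"
    r"\[(?P<interface>\w+)-(?P<ruleindex>\w+)-(?P<action>\w+)\]"    # [WAN_OUT-2000-D]
    r"(?P<rest>.*)$"
)


def parse_usg_line(line: str):
    """Return a dict of fields for one USG/iptables kernel log line, or None if it
    does not match. key=value tokens become fields; bare tokens become flags."""
    m = PREFIX.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    flags = []
    for tok in rest.split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val      # tolerates empty values such as "OUT="
        else:
            flags.append(tok)   # DF, SYN, ACK, ... carry no "=" at all
    rec["flags"] = flags
    return rec


# Line taken from the post, plus a constructed line with DF and an empty OUT=.
SAMPLES = [
    "Feb 12 10:08:12 USG-Pro-4 kernel: [WAN_OUT-2000-D]IN=eth0.20 OUT=eth2 "
    "MAC=fc:ec:da:48:75:63:d8:0d:17:f0:2f:cd:08:00:45:00:00:2c SRC=192.168.20.69 "
    "DST=13.200.17.13 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=58512 PROTO=TCP "
    "SPT=59296 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0",
    "Feb 12 10:09:01 USG-Pro-4 kernel: [WAN_LOCAL-4001-A]IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_usg_line(line))
```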