Dear All,
I may be asking for the impossible, but maybe you can help me out... Even formulating the title is a bit hard, and it may be misleading.
I have a logfile structure of a firewall that has some possible actions:
Allow; Drop; Block and according to this I can set up pretty good filters...
BUT... I have a part like this:
192.168.0.10|27189||eth0
dstIP|dstPort||outIF
This can sometime look like this:
192.168.0.10|443|https|eth0
dstIP|dstPort|dstService|outIF
here I use this for the pipes: (?|)...(?|)
The issue is, if there is no well-known service associated with the port, we have 2 pipe symbols next to each other with nothing in between.
Is there a possibility to not mess up the whole parsing?
I mean, if I have %{WORD:dstPort} then it is followed by 1 character "|" which separates the dstProtocol if there is any, and then another "|" and it goes on...
Is there a way to tell logstash that if there are 2 consecutive "|"-s there may be something in between? Basically one tries to select nothing...
My best solution so far was to make it via regex, but then I have a | at the end of the dstPort field and the dstProtocol is either a single "|" or "|https"...
any help is much appreciated.
Thanks!
Regards,
Gergö
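As an added example (not part of the original post, and not code from the poster), here is the parsing problem above reproduced in plain Ruby, whose regex engine is a close relative of the Oniguruma engine grok uses. The field names dstIP, dstPort, dstService and outIF come from the post; the grok-style pattern quoted in the comments and the helper names are assumptions. The point it demonstrates is that a field which may be empty needs a quantifier that accepts zero characters (`*`), whereas %{WORD} requires at least one character and therefore fails on "||"; both variants are run over the two line shapes from the post.

```ruby
# Added example (not from the original post): parsing a pipe-delimited
# firewall field group where the service name may be empty, i.e. the line
# may contain "||" with nothing between the pipes.
#
# Assumed grok-style pattern for the field group (names taken from the post):
#   %{IP:dstIP}\|%{POSINT:dstPort}\|(?<dstService>[A-Za-z0-9_-]*)\|%{WORD:outIF}
# dstService uses "*" (zero or more characters) instead of %{WORD}, which
# needs at least one character and so cannot match an empty field.

# Plain Ruby equivalent of the assumed grok pattern above.
FW_FIELDS = /
  (?<dstIP>\d{1,3}(?:\.\d{1,3}){3})  # destination IP
  \|
  (?<dstPort>\d+)                    # destination port
  \|
  (?<dstService>[A-Za-z0-9_-]*)      # service name, may be empty
  \|
  (?<outIF>\w+)                      # outbound interface
/x

# The variant the post describes as failing: dstService written like %{WORD},
# i.e. requiring at least one character. It cannot match "...|27189||eth0".
FW_FIELDS_REQUIRED_SERVICE = /
  (?<dstIP>\d{1,3}(?:\.\d{1,3}){3})
  \|
  (?<dstPort>\d+)
  \|
  (?<dstService>\w+)                 # one or more characters: fails on "||"
  \|
  (?<outIF>\w+)
/x

# Returns a hash of the four fields, or nil when the group does not match.
# An empty dstService is reported as nil so later filters can test for it.
def parse_fw_fields(line, pattern = FW_FIELDS)
  m = pattern.match(line)
  return nil unless m
  {
    "dstIP"      => m[:dstIP],
    "dstPort"    => m[:dstPort].to_i,
    "dstService" => (m[:dstService].empty? ? nil : m[:dstService]),
    "outIF"      => m[:outIF],
  }
end

# Constructed sample lines, matching the two shapes described in the post.
SAMPLE_LINES = [
  "192.168.0.10|27189||eth0",
  "192.168.0.10|443|https|eth0",
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LINES.each do |l|
    puts "optional service : #{parse_fw_fields(l).inspect}"
    puts "required service : #{parse_fw_fields(l, FW_FIELDS_REQUIRED_SERVICE).inspect}"
  end
end
```

In a grok filter the same idea applies directly: replace the %{WORD:dstService} (or %{WORD:dstProtocol}) term with a custom capture such as `(?<dstService>[A-Za-z0-9_-]*)`, keep the literal `\|` separators on both sides, and the "||" case then yields an empty field instead of a grok parse failure.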