Hi all,
I have a log that is created from various different source servers. Using Wazuh, each item is forwarded to this one log which is then intended to go off to a remote QRADAR server.
Wazuh is adding its own part to the log and I've managed to create a conf file that removes everything that logstash and filebeat adds which gets me to this:
{"message":"2022 Aug 05 07:45:43 logServer01->192.22.0.5 Aug 05 2022 07:45:43 FIREWALL01 : %ASA-6-302020: Built inbound ICMP connection for faddr 172.10.123.456/24592 gaddr 172.10.132.456/0 laddr 172.10.123.186/0 type 8 code 0 "}
My problem is that the QRADAR server will still see this log entry as coming from logServer01 and not as though it's coming from 192.22.0.5, i.e. FIREWALL01. If I could delete everything before and including "->" I think I should be on the right path. Could one of you geniuses advise me on how to achieve that please?
My conf file looks like this:
input {
  beats {
    port => "5044"
    # type => "log"
  }
}
filter {
  date {
    match => [ 'syslog_timestamp', 'ISO8601' ]
    remove_field => [ 'syslog_timestamp' ]
  }
  mutate {
    remove_field => [ "log.level", "@timestamp", "log.logger", "ecs", "log", "path", "tags", "@version", "input", "agent", "type", "name", "event", $
  }
  # if [type] == "syslog" {
  #   grok {
  #     match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log-level} \[%{DATA:class}\]:%{GREEDYDATA:message}" }
  #   }
  # }
}
output {
  file {
    path => "/tmp/testfile.log"
  }
}
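As an added example (not the poster's own config), here is a Logstash filter block that does the split described above: it uses grok to cut the sample message at the first "->", keeps the IP that follows it in a new field, and then overwrites message with only the original device's text. The field names wazuh_header, origin_ip and device_message are assumptions chosen for this example; the message format is taken from the sample line in the post.

```logstash
filter {
  # Split "<wazuh timestamp> <collector>-><origin ip> <device message>".
  # DATA is non-greedy, so the match stops at the first "->".
  grok {
    match => {
      "message" => "^%{DATA:wazuh_header}->%{IP:origin_ip} %{GREEDYDATA:device_message}$"
    }
    # Lines without "->" are left untouched and tagged for review.
    tag_on_failure => [ "_no_wazuh_header" ]
  }

  # Only rewrite events where the split actually worked.
  if "_no_wazuh_header" not in [tags] {
    mutate {
      # Replace the whole message with what the firewall originally sent.
      replace => { "message" => "%{device_message}" }
      # Drop the temporary fields; origin_ip is kept so it can be
      # used later, e.g. to populate the host in a syslog header.
      remove_field => [ "wazuh_header", "device_message" ]
    }
  }
}
```

Applied to the sample line, message becomes "Aug 05 2022 07:45:43 FIREWALL01 : %ASA-6-302020: Built inbound ICMP connection for ..." and origin_ip holds "192.22.0.5". A one-line alternative that discards the IP instead of keeping it is mutate with gsub => [ "message", "^.*?->\S+ ", "" ]; the grok form is preferred here because it keeps the origin address as a field, which is what a downstream system needs in order to attribute the event to the firewall rather than the collector.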