Sidewinder Firewall Syslog

Hi All,

Thanks for helping me sort out my previous issue, which was about the FortiGate firewall.

I have another one, which is the Sidewinder firewall.
Can anyone guide me on the simplest way to parse it in Logstash?

Here is a sample syslog. I would like to extract the source IP, dstip, srcport, dstport, dst_geo, application, etc.

          <133>Oct 30 00:02:02 sw1 auditd: date="2013-10-30 05:02:02 +0000",fac=f_dns_proxy,area=a_proxy,type=t_nettraffic,pri=p_major,pid=2083,logid=0,cmd=dnsp,hostname=sw1.dtc.local,event="session end",netsessid=686a0527092ca,srcip=10.38.1.28,srcport=61132,srczone=internal,protocol=17,dst_geo=RU,dstip=83.xx4.xx.228,dstport=53,dstzone=external,bytes_written_to_client=185,bytes_written_to_server=42,rule_name="Outbound Web_4",cache_hit=1,start_time="2013-10-30 05:02:02 +0000",application=DNS

           <133>Oct 30 01:22:20 sw1 auditd: date="2013-10-30 06:22:20 +0000",fac=f_dns_proxy,area=a_proxy,type=t_nettraffic,pri=p_major,pid=2083,logid=0,cmd=dnsp,hostname=sw1.dtc.local,event="session end",netsessid=3ea405270a59c,srcip=10.38.1.28,srcport=61132,srczone=internal,protocol=17,dst_geo=US,dstip=4.53.58.200,dstport=53,dstzone=external,bytes_written_to_client=241,bytes_written_to_server=41,rule_name="Outbound Web_4",cache_hit=1,start_time="2013-10-30 06:22:20 +0000",application=DNS

Hi John,

This can be done using the KV filter in logstash. Have you tried this out?

https://www.elastic.co/guide/en/logstash/current/plugins-filters-kv.html

Regards,
N
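A pipeline that applies the kv filter to the sample lines above, as an added example for this thread (it is not a configuration from the original posts or from the linked repo). It assumes the Sidewinder sends syslog over UDP port 514 and that a local Elasticsearch node receives the events; the index name is a placeholder. The grok pattern separates the syslog envelope (`<133>Oct 30 00:02:02 sw1 auditd:`) from the auditd body, and the kv filter then splits the body on commas and `=`; double-quoted values such as `event="session end"` and `rule_name="Outbound Web_4"` are kept as single values by default.

```logstash
input {
  # Assumption: the Sidewinder forwards syslog over UDP 514 to this host
  udp {
    port => 514
    type => "sidewinder"
  }
}

filter {
  if [type] == "sidewinder" {
    # 1. Peel the syslog envelope off the auditd key=value body
    grok {
      match => {
        "message" => "^<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}: %{GREEDYDATA:audit_body}"
      }
    }

    # Decode <133> into syslog_facility / syslog_severity fields
    syslog_pri { }

    # 2. Turn the comma-separated key=value body into event fields.
    #    Quoted values containing spaces (event, rule_name, date,
    #    start_time) are kept whole because kv honours double quotes.
    kv {
      source       => "audit_body"
      field_split  => ","
      value_split  => "="
      remove_field => [ "audit_body" ]
    }

    # 3. Store counters and ports as integers so they can be aggregated,
    #    e.g. bytes_written_to_server per srcip to spot DNS tunnelling volume
    mutate {
      convert => {
        "srcport"                 => "integer"
        "dstport"                 => "integer"
        "protocol"                => "integer"
        "bytes_written_to_client" => "integer"
        "bytes_written_to_server" => "integer"
        "cache_hit"               => "integer"
      }
    }

    # 4. Use the firewall's own UTC date= field as @timestamp rather than
    #    the arrival time, so events line up with other sources
    date {
      match  => [ "date", "yyyy-MM-dd HH:mm:ss Z" ]
      target => "@timestamp"
    }
  }
}

output {
  # Assumption: local Elasticsearch; "sidewinder-*" is a placeholder index name
  elasticsearch {
    hosts => [ "localhost:9200" ]
    index => "sidewinder-%{+YYYY.MM.dd}"
  }
}
```

Check the result against the first sample line: after the filter stage the event should carry `srcip`, `dstip`, `srcport` (61132), `dstport` (53), `dst_geo` (RU), `application` (DNS) and `rule_name` ("Outbound Web_4") as separate fields, with `@timestamp` set to 2013-10-30T05:02:02Z. If an event arrives without the expected body, grok tags it `_grokparsefailure`, which is worth alerting on so malformed or tampered lines are not silently dropped from the index.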

Thanks, Nerd. Let me try with the previous kv filter and see. Hope it works.

Sure!

Also, here is a repo for some Security specific logstash configuration files. :slight_smile:

