Sophos UTM syslog message parsing with Logstash

Hi all,

I am struggling to parse Sophos Firewall syslog messages with Logstash. The log format is as follows:

Jun 11 14:23:57 10.11.223.44 2019:06:11-14:23:57 bewg-t2-ff2-2 ulogd[23094]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth1" srcmac="d8:94:03:g6:cd:27" dstmac="00:1a:8c:g0:62:69" srcip="103.188.113.55" dstip="133.222.233.233" proto="6" length="40" tos="0x00" prec="0x00" ttl="242" srcport="54040" dstport="52938" tcpflags="SYN"

So far I was able to parse up to the IP (I would also like to parse custom fields like srcip, dstip and so on) with the following grok match:

filter {
  grok {
    match => { "message" => "^%{MONTH:month} %{MONTHDAY:day} %{TIME:time} %{IP:ip}" }
  }
  mutate { add_field => { "timedate" => "%{month} %{day} %{time}" } }

  mutate { rename => ["ip", "logsource"] }
  mutate { rename => ["host", "syslog-collector"] }
  mutate { remove_field => ["month", "day", "time"] }
}

The reason I created the timedate field is that @timestamp is not the same as the date/time extracted from the logs:
"timedate" => "Jun 11 05:25:23",
"@timestamp" => 2019-06-11T11:48:23.942Z,

Any help would be much appreciated.

I would use dissect rather than grok

    dissect { mapping => { "message" => "%{} %{} %{} %{logsource} %{[@metadata][ts]} %{} %{}[%{}]: %{[@metadata][restOfLine]}" } }
    kv { source => "[@metadata][restOfLine]" }
    date { match => [ "[@metadata][ts]", "YYYY:MM:dd-HH:mm:ss" ] }
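
The same three-stage parse (fixed-position syslog header, key="value" body, device timestamp promoted to the event time) written out in Python, as an added example that is not part of the reply above and not Sophos or Elastic code. It reuses the thread's own sample line as constructed input, mirrors the dissect mapping with a positional split and the kv filter with a regex that keeps quoted values containing spaces (such as name="Packet dropped"), and adds a small defender-side aggregation, dropped_by_source, that is an assumption of this example rather than anything the thread describes:

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: the ulogd line posted in the thread, one line per event.
SAMPLE = (
    'Jun 11 14:23:57 10.11.223.44 2019:06:11-14:23:57 bewg-t2-ff2-2 ulogd[23094]: '
    'id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" '
    'action="drop" fwrule="60002" initf="eth1" outitf="eth1" srcmac="d8:94:03:g6:cd:27" '
    'dstmac="00:1a:8c:g0:62:69" srcip="103.188.113.55" dstip="133.222.233.233" proto="6" '
    'length="40" tos="0x00" prec="0x00" ttl="242" srcport="54040" dstport="52938" tcpflags="SYN"'
)

# key="quoted value" or key=bareword, the same shapes the Logstash kv filter accepts by default.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Python strptime equivalent of the date filter pattern YYYY:MM:dd-HH:mm:ss.
TS_FORMAT = "%Y:%m:%d-%H:%M:%S"


def parse_sophos_line(line: str) -> dict:
    """Parse one Sophos UTM ulogd syslog line into a flat event dict.

    Header handling mirrors the dissect mapping in the reply: tokens 1-3 are the
    collector-side syslog timestamp (discarded), token 4 is the sending firewall
    (logsource), token 5 is the device's own timestamp, token 6 the hostname and
    token 7 the "program[pid]:" field. Everything after that is the kv body.
    """
    parts = line.split(None, 7)   # None tolerates the double space in days like "Jun  1"
    if len(parts) < 8:
        raise ValueError("line does not have the expected syslog header")
    _mon, _day, _time, logsource, ts, _hostname, prog, rest = parts
    if not prog.endswith("]:"):
        raise ValueError("unexpected program field: %r" % prog)

    event = {
        "logsource": logsource,
        # Device time, as the date filter would write it into @timestamp.
        # The pattern carries no zone, so treat this as naive device-local time.
        "@timestamp": datetime.strptime(ts, TS_FORMAT),
    }
    for m in KV_RE.finditer(rest):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        event[key] = quoted if quoted is not None else bare
    return event


def dropped_by_source(lines) -> Counter:
    """Count packetfilter drops per source IP (hypothetical helper, not from the thread).

    Lines that fail to parse are skipped rather than aborting the whole batch,
    since a syslog feed routinely carries lines from other subsystems.
    """
    counts = Counter()
    for line in lines:
        try:
            event = parse_sophos_line(line)
        except ValueError:
            continue
        if event.get("sub") == "packetfilter" and event.get("action") == "drop":
            counts[event.get("srcip", "unknown")] += 1
    return counts


if __name__ == "__main__":
    ev = parse_sophos_line(SAMPLE)
    print(ev["@timestamp"].isoformat(), ev["logsource"], ev["srcip"], "->", ev["dstip"], ev["name"])
    print(dict(dropped_by_source([SAMPLE, SAMPLE])))
```

Two caveats carry over to the Logstash version. The device timestamp has no zone information, so the date filter will interpret it in the Logstash host's zone unless you set its timezone option to the firewall's zone; the mismatch the original post shows between timedate and @timestamp is exactly what this setting controls. And a positional split on single spaces breaks on syslog days padded with two spaces ("Jun  1"), which is why the Python uses split(None, 7); the dissect mapping in the reply would need the -> padding modifier on the day field to cope with the same lines.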
