We use a default filter for syslog messages, so they get parsed properly. However, I wondered if it would be possible to match the message against a secondary pattern and extract new fields from the message:
Dec 4 14:12:46 10.1.1.254,149 338732: 338728: *Dec 4 13:13:38.097 GMT: %SEC-6-IPACCESSLOGP: list FILTER_INTERNET_IN denied tcp 1.2.3.4(53261) -> 5.6.7.8(5000), 1 packet
In this case I would like to store the 1.2.3.4 in a new field like offending_ip.
That would actually parse the entire log; you can take as much of it as you want. I don't know what your initial syslog part config looks like, but if you post it I can show you how this would go in your config.
You could also grok in multiple passes. If you have a basic syslog grok pattern, you could use conditionals and regular expressions to test for lines that have IPs in them, and then further grok those fields. You'd just have to use that field name instead of "message" in subsequent grok blocks.
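A worked illustration of the two-pass approach described in the replies above, added here as an example and not code from either poster: it expands a grok-style pattern into a Python regex and runs the conditional second pass over events built from the two log lines quoted in this thread. The pattern subset, the field names (offending_ip, acl_name, interface, and so on) and the third, non-ACL sample line are my own assumptions.

```python
import re

# Minimal subset of Logstash's built-in grok patterns (constructed here; the real
# grok library ships many more). Enough for the ACL messages quoted in this thread.
GROK_PATTERNS = {
    "INT": r"[+-]?\d+",
    "WORD": r"\w+",
    "NOTSPACE": r"\S+",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
}

def grok_to_regex(pattern):
    """Expand %{NAME:field} tokens into named groups, the way grok does."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(re.sub(r"%\{(\w+)(?::(\w+))?\}", repl, pattern))

# Second-pass pattern for IPACCESSLOGP lines. The optional interface token before
# "->" covers the FMANFP variant from the second post; the source IP lands in offending_ip.
ACL_PATTERN = grok_to_regex(
    r"IPACCESSLOGP: .*?list %{NOTSPACE:acl_name} %{WORD:acl_action} %{WORD:protocol} "
    r"%{IP:offending_ip}\(%{INT:src_port}\) %{NOTSPACE:interface}?-> "
    r"%{IP:dst_ip}\(%{INT:dst_port}\), %{INT:packet_count} packet"
)

def extract_acl_fields(event):
    """Second grok pass, run only on events that look like ACL logs; mirrors a
    Logstash `if [message] =~ /IPACCESSLOGP/ { grok { ... } }` block."""
    message = event["message"]
    if "IPACCESSLOGP" not in message:
        return event  # not an ACL line: leave the event untouched
    m = ACL_PATTERN.search(message)
    if m is None:
        # same signal grok gives when a pattern does not match
        event.setdefault("tags", []).append("_grokparsefailure")
        return event
    event.update({k: v for k, v in m.groupdict().items() if v is not None})
    return event

# Sample events constructed from the two messages quoted in this thread, plus
# one constructed non-ACL Cisco line to show the conditional skipping it.
SAMPLE_EVENTS = [
    {"message": "Dec 4 14:12:46 10.1.1.254,149 338732: 338728: *Dec 4 13:13:38.097 GMT: "
                "%SEC-6-IPACCESSLOGP: list FILTER_INTERNET_IN denied tcp 1.2.3.4(53261) -> 5.6.7.8(5000), 1 packet"},
    {"message": "<166>32926208: ha-ir1: Mar 28 23:50:24: %FMANFP-6-IPACCESSLOGP: SIP0: fman_fp_image: "
                "list INCOMING-FILTER denied udp 81.221.15.0(45498) GigabitEthernet0/0/0-> 202.134.25.220(53), 1 packet"},
    {"message": "Dec 4 14:12:47 10.1.1.254 339001: %SYS-5-CONFIG_I: Configured from console by vty0"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(extract_acl_fields(dict(ev)))
```

The same pattern string (keeping the `\(` escapes) can be used as the `match` of a Logstash grok block applied to the field your first pass stores the syslog body in.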
.... I have been trying all sorts of things for quite some time but could not make it work ...
I have several Cisco devices whose logs I want to send to this ELK, but I can't. I have this in my Kibana, which shows the log is being shipped, but I can't analyse based on source IP, port, etc. ...
message:<166>32926208: ha-ir1: Mar 28 23:50:24: %FMANFP-6-IPACCESSLOGP: SIP0: fman_fp_image: list INCOMING-FILTER denied udp 81.221.15.0(45498) GigabitEthernet0/0/0-> 202.134.25.220(53), 1 packet @version:1 @timestamp:March 28th 2017, 23:50:25.251 type:syslog host:10.254.36.190 tags:_grokparsefailure syslog_severity_code:5 syslog_facility_code:1 syslog_facility:user-level syslog_severity:notice _id:AVsUicjuYvvnRQWpC-6b _type:syslog _index:logstash-2017.0 .... I'd appreciate it if someone would help out.
Hi Jack,
I commented on your post with my config and you suggested I should start a new thread. Please share your thoughts on my idea and where I went wrong, as I really need this to work for my situation ... Thanks in advance for your time and support.