Syslog firewall filter

Hello guys,

I'm very new to this field. I would like to filter this log from a Raspberry Pi syslog firewall:
Nov 25 22:21:22 raspberrypi kernel: [26172.577441] DROP UNMATCHED IN-world:IN=eth0 OUT= MAC=01:00:5e:00:00:fb:aa:e7:68:57:d7:dc:08:00 SRC=192.168.100.9 DST=224.0.0.251 LEN=89 TOS=0x00 PREC=0x00 TTL=2 ID=31930 PROTO=UDP SPT=5353 DPT=5353 LEN=69
with grok. Unfortunately I don't know how to.
But I would like to get this kind of JSON:
{
timestamp: xxxx.xx.xx
source_ip: x.x.x.x
destination_ip: x.x.x.x
source_port: xx
destination_port: xx
action: DROP
}
I also would like to create a reverse DNS lookup for source_ip.
Please help!

You could try

    grok {
        match => { "message" => "%{SYSLOGTIMESTAMP:[@metadata][ts]} %{WORD} %{WORD:level}: \[%{NUMBER:something:float}\] %{DATA:msg}:%{GREEDYDATA:[@metadata][restOfLine]}" }
    }
    date { match => [ "[@metadata][ts]", "MMM dd HH:mm:ss" ] }
    kv { source => "[@metadata][restOfLine]" whitespace => strict }

which will produce

           "TTL" => "2",
           "DPT" => "5353",
            "ID" => "31930",
           "DST" => "224.0.0.251",
         "level" => "kernel",
           "SRC" => "192.168.100.9",
           "TOS" => "0x00",
          "PREC" => "0x00",
         "PROTO" => "UDP",
           "SPT" => "5353",
           "LEN" => [
        [0] "89",
        [1] "69"
    ],
           "msg" => "DROP UNMATCHED IN-world",
            "IN" => "eth0",
     "something" => 26172.577441,
           "MAC" => "01:00:5e:00:00:fb:aa:e7:68:57:d7:dc:08:00",

whitespace => strict is needed to correctly interpret the OUT= with no value.

You can use a dns filter to do the PTR lookup.
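The same parsing the grok + kv + dns filters do above, written as a stand-alone Python script so you can see each step (header split, key=value tokenising with the empty `OUT=`, the repeated `LEN` key, and the PTR lookup) and produce exactly the JSON the question asked for. This is an added example, not the Logstash configuration from the answer above. Assumptions: the log line is the one from the question (embedded here as constructed sample input), the year is supplied by the caller because syslog timestamps carry none, the `resolver` parameter is a hook so the reverse lookup can be exercised offline with a fake, and `192.0.2.1` is a documentation address used only as a placeholder.

```python
import json
import re
import socket
from datetime import datetime

# Constructed sample input: the line quoted in the question.
SAMPLE = (
    "Nov 25 22:21:22 raspberrypi kernel: [26172.577441] DROP UNMATCHED IN-world:"
    "IN=eth0 OUT= MAC=01:00:5e:00:00:fb:aa:e7:68:57:d7:dc:08:00 SRC=192.168.100.9 "
    "DST=224.0.0.251 LEN=89 TOS=0x00 PREC=0x00 TTL=2 ID=31930 PROTO=UDP SPT=5353 "
    "DPT=5353 LEN=69"
)

# Equivalent of the grok pattern: syslog timestamp, host, "kernel", uptime in
# brackets, the free-text rule prefix up to the first colon, then the key=value tail.
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<level>\w+): \[(?P<uptime>[\d.]+)\] "
    r"(?P<msg>[^:]*):(?P<rest>.*)$"
)

# Equivalent of kv with whitespace => strict: a value is everything up to the
# next space and may be empty, so "OUT=" yields ("OUT", "") instead of
# swallowing the following "MAC=..." token.
KV = re.compile(r"(\w+)=(\S*)")


def parse_kv(rest):
    """Split the netfilter key=value tail; a repeated key (LEN) becomes a list."""
    fields = {}
    for key, value in KV.findall(rest):
        if key in fields:
            existing = fields[key]
            fields[key] = existing + [value] if isinstance(existing, list) else [existing, value]
        else:
            fields[key] = value
    return fields


def parse_line(line, year):
    """Return the JSON-ready dict requested in the question, or None on non-matching lines."""
    m = HEADER.match(line)
    if not m:
        return None
    fields = parse_kv(m.group("rest"))
    # Syslog timestamps have no year, so the caller supplies it (assumption).
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "timestamp": ts.isoformat(),
        "source_ip": fields.get("SRC"),
        "destination_ip": fields.get("DST"),
        "source_port": int(fields["SPT"]) if fields.get("SPT") else None,
        "destination_port": int(fields["DPT"]) if fields.get("DPT") else None,
        # The verdict is the first word of the log prefix ("DROP UNMATCHED IN-world").
        "action": m.group("msg").split()[0],
        "protocol": fields.get("PROTO"),
        # Empty OUT= (packet never left an interface) is reported as null.
        "out_interface": fields.get("OUT") or None,
    }


def reverse_dns(ip, resolver=socket.gethostbyaddr):
    """PTR lookup; returns None when there is no PTR record or the resolver fails.

    socket.gethostbyaddr has no timeout, so a pipeline processing many drops
    per second should use a resolver with caching and a deadline (as the
    Logstash dns filter does); the resolver hook here makes that swappable.
    """
    try:
        return resolver(ip)[0]  # (hostname, aliaslist, ipaddrlist)
    except OSError:  # socket.herror and socket.gaierror are subclasses
        return None


if __name__ == "__main__":
    event = parse_line(SAMPLE, year=2019)
    event["source_host"] = reverse_dns(event["source_ip"])
    print(json.dumps(event, indent=2))
```

Note that the second `LEN` in the line is the UDP payload length and the first is the IP total length; `parse_kv` keeps both in order, as the kv filter's array output does, so you can pick whichever one you want to index.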

Thank you very much Badger! It's more than perfect.
