Syslog firewall filter

Elastic Stack Logstash
1

Hello guys,

I'm very new in this field, I would like to filter this log from raspberry pi syslog firewall:
Nov 25 22:21:22 raspberrypi kernel: [26172.577441] DROP UNMATCHED IN-world:IN=eth0 OUT= MAC=01:00:5e:00:00:fb:aa:e7:68:57:d7:dc:08:00 SRC=192.168.100.9 DST=224.0.0.251 LEN=89 TOS=0x00 PREC=0x00 TTL=2 ID=31930 PROTO=UDP SPT=5353 DPT=5353 LEN=69
With gork. Unfortunately I don't know how to.
But I would like to get this kind of json:
{
timestamp: xxxx.xx.xx
source_ip: x.x.x.x
destination_ip: x.x.x.x
source_port: xx
destination_port: xx
action: DROP
}
I also would like to create a reverse DNS lookup for source_ip .
Please help!

2

You could try

    grok {
        match => { "message" => "%{SYSLOGTIMESTAMP:[@metadata][ts]} %{WORD} %{WORD:level}: \[%{NUMBER:something:float}\] %{DATA:msg}:%{GREEDYDATA:[@metadata][restOfLine]}" }
    }
    date { match => [ "[@metadata][ts]", "MMM dd HH:mm:ss" ] }
    kv { source => "[@metadata][restOfLine]" whitespace => strict }

which will produce

       "TTL" => "2",
       "DPT" => "5353",
        "ID" => "31930",
       "DST" => "224.0.0.251",
     "level" => "kernel",
       "SRC" => "192.168.100.9",
       "TOS" => "0x00",
      "PREC" => "0x00",
     "PROTO" => "UDP",
       "SPT" => "5353",
       "LEN" => [
    [0] "89",
    [1] "69"
],
       "msg" => "DROP UNMATCHED IN-world",
        "IN" => "eth0",
 "something" => 26172.577441,
       "MAC" => "01:00:5e:00:00:fb:aa:e7:68:57:d7:dc:08:00",

whitespace => strict is needed to correctly interpret the OUT= with no value.

You can use a dns filter to do the PTR lookup.

3

Thank you very much Badger! It's more than perfect.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.