Trying to grok a watchguard

Hi,

I'm trying to make sense of grokking syslog output from a WatchGuard. I'd like it to split into more fields than I'm actually getting, e.g. port, source IP, destination IP, etc. At present in my Logstash conf I'm using:

# Inputs: listen for syslog on TCP and UDP port 5140; every event is typed "syslog".
# NOTE(review): plain syslog carries no sender authentication, so anything that can
# reach 5140 can inject events into this pipeline — confirm the listener is only
# reachable from the firewall's management network.
input {
tcp {
port => 5140
type => syslog
}
udp {
port => 5140
type => syslog
}
}
filter {
# Parses the syslog PRI value into severity/facility fields.
# NOTE(review): this runs before any grok below has extracted a priority field,
# and no source field is configured, so it may be a no-op here — check the output.
if [type] == "syslog" {
syslog_pri { }
}

# Strips a leading "<PRI>Month ..." prefix from [message].
# The regex is truncated in this paste (the trailing "$" is the terminal cut-off),
# so the full replacement cannot be reviewed here.
if [type] == "syslog"{
mutate {
gsub => [
"message", "^(<\b(?:[1-9][0-9]*)\b>\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?$
]
}
}
# Flow events containing "RT_FLOW": split the syslog header into priority,
# timestamp, logsource and program, then (presumably, the pattern is truncated)
# capture the remainder back into [message] via overwrite.
# NOTE(review): RT_FLOW, PFE_FW_SYSLOG_IP and "/kernel ... FW:" look like Junos
# log conventions rather than WatchGuard ones, which would explain why few fields
# are extracted from WatchGuard events — confirm against a sample event.
if [type] == "syslog" and [message] =~ "RT_FLOW" {
grok {
match => { "message" => "<%{POSINT:priority}>(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?(?:%{SYSLOGHOST:logsource} )?%{SYSLOGPROG}: %{$
overwrite => [ "message" ]
}
}
# All other syslog events: same header split, tolerating an optional "afeb0 " token
# after the host (pattern truncated in this paste).
else if [type] == "syslog" {
grok {
match => { "message" => "<%{POSINT:priority}>(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) +(?:%{SYSLOGFACILITY} )?(?:%{SYSLOGHOST:logsource} )?(?:afeb0 )?(?:%{$
overwrite => [ "message" ]
}
}
# cron lines: user, action and the command text.
if [program] == "cron" {
grok {
match => { "message" => "(%{USER:user}) %{CRON_ACTION:action} ( *%{DATA:command})" }
}
}
# Firewall lines ("FW: ..."): interface, action, protocol, source/destination IPv4
# and port-or-type fields. This is the only grok here that yields the per-flow
# fields the poster is after; it only fires for the two Junos-style program names.
else if ([program] == "PFE_FW_SYSLOG_IP" or ([program] == "/kernel" and [message] =~ "^FW: ")) {
grok {
match => { "message" => "FW: %{NOTSPACE:interface_name} *%{WORD:action} *%{WORD:protocol_name} %{IPV4:source_address} %{IPV4:destination_address} *%{WORD:source_port_or_type} *%{WORD$
}
}
}
output {
# Index into Elasticsearch at elastic1:9201 with node sniffing, leaving the index
# template untouched. NOTE(review): no ssl/user/password options are visible on
# this output, so the connection is presumably plain HTTP without auth — confirm.
elasticsearch {
hosts => ["elastic1:9201"]
sniffing => true
manage_template => false
}
# Events no grok pattern matched are written to a per-day file for pattern
# debugging; the raw message as received from the sender lands on disk here.
if [type] == "syslog" and "_grokparsefailure" in [tags] {
file { path => "/var/log/logstash/failed_syslog_events-%{+YYYY-MM-dd}" }
}
}

Any help would be great :slight_smile:

What does an input event look like?

Sorry to sound daft, but how do I gather one to add here?
