Hi All,
I'm having an issue maybe someone can help me out with, I am trying to parse Meraki flows messages which look like this:
40-filter-meraki.conf
filter {
if "Meraki" in [tags] {
if [log_type] == "flows" {
grok {
match => ["message", "%{SYSLOGPROG} %{BASE10NUM:epoch_time} %{WORD:device} %{WORD:log_event_type} (src=)%{IP:src_ip} (dst=)%{IP:dst_ip} (protocol=)%{WORD:proto} (sport=)%{POSINT:sport} (dport=)%{POSINT:dport} (pattern: )%{WORD:allowed} %{WORD}",
"message", "%{SYSLOGPROG} %{BASE10NUM:epoch_time} %{WORD:device} %{WORD:log_event_type} (src=)%{IP:src_ip} (dst=)%{IP:dst_ip} (protocol=)%{WORD:proto} (type=)%{POSINT:tport} (pattern: )%{WORD:allowed} %{WORD}"
]
remove_field => [ "syslog5424_pri", "@version" ]
}#end [log_type] == flows grokshow original
I continually get this in stdout when testing and I have verified the gork works using grokconstructor.
output after meraki filter
{
"@timestamp" => 2018-11-14T16:50:01.080Z,
"tags" => [
[0] "Meraki",
[1] "cisco-meraki"
],
"message" => "<134>1 1542214201.058368310 XX_XXX_MX65W flows src=10.130.1.84 dst=10.158.27.1 protocol=udp sport=58110 dport=161 pattern: allow all",
"host" => "10.209.27.1",
"@version" => "1",
"parsing_problem" => "unfamiliar cisco-meraki log_type."show original
I figured it out, all I did was move everything inside the filter statement and did the logic from there. Thanks
system
December 13, 2018, 6:48pm
3
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.