Using pre-defined grok patterns

Hi, community. I just discovered that logstash has pre-defined grok patterns, for firewalls, for example (here logstash-patterns-core/patterns at master · logstash-plugins/logstash-patterns-core · GitHub). But I can't understand how I should use them. Can you tell me how I can use pre-defined grok-patterns?
Suppose I want to parse ASA-firewall syslog messages. So I should make it like this:

filter {
    grok {
        patterns_dir => ["/path/to/ASA_patterns"]
        match => { "message" => ["CISCOFW104001","CISCOFW104002",...,]}
        remove_field => ["message","@timestamp"]
    }
}

?

Hi, you should try this:

filter {
    grok {
        patterns_dir => "/path/to/ASA_patterns"
        match => { "message" => "%{CISCOFW104001}" }
    }
}

I'm not sure about the array stuff for several patterns at a time; let me know if you manage to use more than one.

Thank you for your answer. I've already made some tries and have understood how it works; maybe I will try a few patterns too.

That should work, but you do not need the patterns_dir option. You are using one of the bundled patterns files that are loaded automatically.

Yeah, figured it out. Now I have another problem: I can't use my custom patterns.

path: /opt/experimental/logstash_patterns/

In this directory I have 2 subdirs, the same as the pre-defined ones, with just some of the patterns changed a little bit.
My configuration:

grok {
    patterns_dir => ["/opt/experimental/logstash_patterns"]
    match => { "message" => [
        "%{CISCOFW104001}", "%{CISCOFW104002}", "%{CISCOFW104003}", "%{CISCOFW104004}",
        "%{CISCOFW105003}", "%{CISCOFW105004}", "%{CISCOFW105005}", "%{CISCOFW105008}",
        "%{CISCOFW105009}", "%{CISCOFW106001}", "%{CISCOFW106006_106007_106010}",
        "%{CISCOFW106014}", "%{CISCOFW106015}", "%{CISCOFW106021}", "%{CISCOFW106023}",
        "%{CISCOFW106100_2_3}", "%{CISCOFW106100}", "%{CISCOFW304001}", "%{CISCOFW110002}",
        "%{CISCOFW302010}", "%{CISCOFW302013_302014_302015_302016}", "%{CISCOFW302020_302021}",
        "%{CISCOFW305011}", "%{CISCOFW313001_313004_313008}", "%{CISCOFW313001_313004_313008_custom}",
        "%{CISCOFW313005}", "%{CISCOFW321001}", "%{CISCOFW402117}", "%{CISCOFW402119}",
        "%{CISCOFW419001}", "%{CISCOFW419002}", "%{CISCOFW500004}", "%{CISCOFW602303_602304}",
        "%{CISCOFW710001_710002_710003_710005_710006}", "%{CISCOFW713172}", "%{CISCOFW733100}"
    ]}
}

And parsing isn't working. What could be the problem? I also tried this path:

/opt/experimental/logstash_patterns/ecs-v1

P.S. Solved it.
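As an added illustration of what the thread is relying on (this is not code from the thread or from Logstash), here is a small Python stand-in for grok's pattern loading: it reads the `NAME regex` pattern-file format, expands `%{NAME}` and `%{NAME:field}` references recursively, and shows a later-loaded "custom" file overriding a name defined in an earlier one, which is what editing copies of the bundled patterns amounts to. The pattern definitions, the `FWDENY` name and the log line are constructed and simplified; they are not the real `CISCOFW*` patterns.

```python
import re

# Constructed pattern definitions in Logstash's pattern-file format ("NAME regex").
# They are simplified stand-ins for the bundled firewall patterns, not copies of them.
BUNDLED = r"""
INT (?:[+-]?[0-9]+)
IP (?:[0-9]{1,3}\.){3}[0-9]{1,3}
WORD \b\w+\b
CISCO_ACTION Built|Teardown|Deny|Denied|Permitted
FWDENY Deny %{WORD:protocol} src %{WORD:src_iface}:%{IP:src_ip}/%{INT:src_port} dst %{WORD:dst_iface}:%{IP:dst_ip}/%{INT:dst_port}
"""
# A "custom" file that redefines FWDENY, like the thread's edited copies of the stock patterns.
CUSTOM = r"""
FWDENY %{CISCO_ACTION:action} %{WORD:protocol} src %{WORD:src_iface}:%{IP:src_ip}/%{INT:src_port} dst %{WORD:dst_iface}:%{IP:dst_ip}/%{INT:dst_port}
"""
# Constructed ASA-style line using documentation IP ranges, not a real capture.
LINE = "Deny tcp src outside:203.0.113.5/44321 dst inside:192.0.2.10/22"

REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")  # %{NAME} or %{NAME:field}

def load_patterns(*files):
    """Parse pattern-file text; a later file overrides an earlier definition of the same NAME."""
    table = {}
    for text in files:
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, _, regex = line.partition(" ")
            table[name] = regex
    return table

def compile_grok(expr, table, depth=0):
    """Expand %{NAME} references recursively into one Python regex with named groups."""
    if depth > 50:
        raise ValueError("pattern references nested too deeply (cycle?)")
    def expand(m):
        name, field = m.group(1), m.group(2)
        if name not in table:  # what you hit when no loaded file defines the name
            raise KeyError(f"undefined grok pattern {name}")
        inner = compile_grok(table[name], table, depth + 1)
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return REF.sub(expand, expr)

def grok_match(line, expr, table):
    """Return the captured fields for line, or None if the grok expression does not match."""
    m = re.search(compile_grok(expr, table), line)
    return m.groupdict() if m else None
```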
