Using pre-defined grok patterns

ThreatInter · April 26, 2021, 5:31am

Hi, community. I just discovered that logstash has pre-defined grok patterns, for firewalls, for example (here logstash-patterns-core/patterns at master · logstash-plugins/logstash-patterns-core · GitHub). But I can't understand how I should use them. Can you tell me how I can use pre-defined grok-patterns?
Suppose I want parse ASA-firewall syslog messages. So I should make it like this:

filter {
    grok {
	patterns_dir => ["/path/to/ASA_patterns"]
        match => { "message" => ["CISCOFW104001","CISCOFW104002",...,]}
        remove_field => ["message","@timestamp"]
    }
}

?

grumo35 · April 26, 2021, 8:59am

Hi, you should try this :

filter {
grok  {
				patterns_dir => "/path/to/ASA_patterns"
				match => ["message" => "%{CISCOFW104001}"]
			}
}

i'm not sure about the array stuff for severals pattern at a time, let me know if you manage tu use more than one.

ThreatInter · April 26, 2021, 9:50am

Thank you for you answer. I'm already made some tries and has understand how it works, maybe I will try few patterns too.

Badger · April 26, 2021, 4:31pm

ThreatInter:

    grok {
	patterns_dir => ["/path/to/ASA_patterns"]
        match => { "message" => ["CISCOFW104001","CISCOFW104002",...,]}
        remove_field => ["message","@timestamp"]
    }

That should work, but you do not need the patterns_dir option. You are using one of the bundled patterns files that are loaded automatically.

ThreatInter · April 27, 2021, 4:48am

Yea, figured it out. Now have another problem - can't use my custom patterns:

path: /opt/experimental/logstash_patterns/

in this directory I have 2 subdir, same as pre-defined, just changed some of patterns little bit

my configuration:

      grok {
        patterns_dir => ["/opt/experimental/logstash_patterns"]
        match => { "message" => ["%{CISCOFW104001}","%{CISCOFW104002}","%{CISCOFW104003}", "%{CISCOFW104004}", "%{CISCOFW105003}",
        "%{CISCOFW105004}", "%{CISCOFW105005}", "%{CISCOFW105008}", "%{CISCOFW105009}", "%{CISCOFW106001}", "%{CISCOFW106006_106007_106010}",
        "%{CISCOFW106014}", "%{CISCOFW106015}", "%{CISCOFW106021}", "%{CISCOFW106023}", "%{CISCOFW106100_2_3}", "%{CISCOFW106100}","%{CISCOFW304001}",
        "%{CISCOFW110002}", "%{CISCOFW302010}", "%{CISCOFW302013_302014_302015_302016}", "%{CISCOFW302020_302021}","%{CISCOFW305011}",
        "%{CISCOFW313001_313004_313008}","%{CISCOFW313001_313004_313008_custom}", "%{CISCOFW313005}", "%{CISCOFW321001}", "%{CISCOFW402117}", "%{CISCOFW402119}","%{CISCOFW419001}",
        "%{CISCOFW419002}", "%{CISCOFW500004}", "%{CISCOFW602303_602304}", "%{CISCOFW710001_710002_710003_710005_710006}","%{CISCOFW713172}", "%{CISCOFW733100}"
        ]}
      }

And parsing doesn't working. What could be the problem? Also tried this path:

/opt/experimental/logstash_patterns/ecs-v1

P.S. Solved it.

system · May 25, 2021, 4:48am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cisco ASA Patterns in Logstash 1.5.1 Logstash	10	8731	July 6, 2017
_grokparsfailure on core patterns Logstash	10	1446	January 19, 2017
_grokparsefailure even though the right patterns are there Logstash	5	648	August 17, 2017
Migrating Filter/Plugin/Pattern to Logstash 1.5 Logstash	4	2628	July 6, 2017
Cisco ASA firewall patterns Logstash	2	1320	April 19, 2017

Using pre-defined grok patterns

Related topics