Want to stitch one DHCP log line to several NAT log lines, matching on MAC address


(A S M Shamim Reza) #1

I am taking the DHCP assignment log and the NAT log from a MikroTik router. I have managed to split those logs with specific terms.
Now I want to stitch the DHCP assignment log with the NAT log, where the MAC address and IP address are the same on both ends; it will be like this: one DHCP log line will be stitched with hundreds of NAT log lines.

Below is the logstash.conf file.
I would be glad of any help.

input {
  beats {
    port => 5443
    ssl => false
    type => "beats_events"
  }
}
filter {
  if [type] == "beats_events" {
    grok {
      # One "match" with an array of patterns: grok tries them in order and
      # keeps the first that matches (NAT line first, DHCP line second).
      match => { "message" => [
        "%{SYSLOGTIMESTAMP:date}(%{DATA:LogPrefix})? (%{DATA:LogChain})?: in:(%{DATA:src_zone})? out:(%{DATA:dst_zone})?, src-mac (%{MAC:srcmac})?, proto (%{DATA:proto})?, (%{IP:src_ip})?:(%{INT:src_port})?->(%{IP:dst_ip})?:(%{INT:dst_port})?, len (%{INT:length})?",
        "%{SYSLOGTIMESTAMP:date} %{DATA:DHCP_zone} %{WORD:DHCP_status} %{IP:src_ip} (?:from|to) %{MAC:srcmac}"
      ] }
    }
    # The DHCP line logs the MAC in upper case, the NAT lines in lower case;
    # normalise it so the two event types can be matched on [srcmac].
    mutate {
      lowercase => [ "srcmac" ]
    }
  }
}

output {
  if [type] == "beats_events" {
    elasticsearch {
      # "hosts" was given twice (once as a list, once as a string); keep one form.
      hosts => ["localhost:9200"]
      manage_template => false
      index => "beats-%{+YYYY.MM.dd}"
      document_type => "aggregate"
    }
  }
}

Below is the plain-text log that I get:

Oct 10 18:00:06 27.132.96.9 nat: dhcp2 assigned 192.168.1.254 to 64:BC:0C:7D:8A:3C
Oct 10 18:00:06 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac 64:bc:0c:7d:8a:3c, proto UDP, 192.168.1.254:38364->123.200.0.254:53, len 60
Oct 10 18:00:06 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac 64:bc:0c:7d:8a:3c, proto UDP, 192.168.1.254:63507->123.200.0.254:53, len 75
Oct 10 18:00:06 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac 64:bc:0c:7d:8a:3c, proto TCP (SYN), 192.168.1.254:48324->172.217.27.36:443, len 60
Oct 10 18:00:06 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac 64:bc:0c:7d:8a:3c, proto TCP (SYN), 192.168.1.254:42107->74.125.24.94:80, len 60
Oct 10 18:00:07 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac 64:bc:0c:7d:8a:3c, proto UDP, 192.168.1.254:44113->123.200.0.254:53, len 67
Oct 10 18:00:07 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac 64:bc:0c:7d:8a:3c, proto TCP (SYN), 192.168.1.254:49222->64.233.177.188:443, len 60
Oct 10 18:00:07 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac 64:bc:0c:7d:8a:3c, proto UDP, 192.168.1.254:53439->123.200.0.254:53, len 70
Oct 10 18:00:07 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac 64:bc:0c:7d:8a:3c, proto UDP, 192.168.1.254:46927->123.200.0.254:53, len 61
Oct 10 18:00:08 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac 64:bc:0c:7d:8a:3c, proto UDP, 192.168.1.254:49091->74.125.24.93:443, len 1378
Oct 10 18:00:08 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac 64:bc:0c:7d:8a:3c, proto UDP, 192.168.1.254:35370->123.200.0.254:53, len 72
Oct 10 18:00:08 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac 64:bc:0c:7d:8a:3c, proto TCP (SYN), 192.168.1.254:40520->74.125.24.138:443, len 60
Oct 10 18:00:08 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac 64:bc:0c:7d:8a:3c, proto UDP, 192.168.1.254:51251->123.200.0.254:53, len 69
Oct 10 18:00:08 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac 64:bc:0c:7d:8a:3c, proto UDP, 192.168.1.254:51199->123.200.0.254:53, len 57
Oct 10 18:00:08 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac 64:bc:0c:7d:8a:3c, proto TCP (SYN), 192.168.1.254:48334->74.125.68.155:443, len 60
Oct 10 18:00:08 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac 64:bc:0c:7d:8a:3c, proto TCP (SYN), 192.168.1.254:46455->74.125.24.93:443, len 60
Oct 10 18:00:08 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac 64:bc:0c:7d:8a:3c, proto UDP, 192.168.1.254:38426->123.200.0.254:53, len 64
Oct 10 18:00:08 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac 64:bc:0c:7d:8a:3c, proto TCP (SYN), 192.168.1.254:41253->74.125.130.95:443, len 60
Oct 10 18:00:09 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac 64:bc:0c:7d:8a:3c, proto UDP, 192.168.1.254:48285->172.217.194.119:443, len 1378
Oct 10 18:00:09 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac 64:bc:0c:7d:8a:3c, proto TCP (SYN), 192.168.1.254:41254->74.125.130.95:443, len 60
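
As an added example (not part of the original post or the poster's configuration), the following Python script does the join the post asks for outside Logstash, so it can be run against the posted lines directly: it parses both line types with regexes equivalent to the two grok patterns, lower-cases the MAC (the DHCP line logs it in upper case and the NAT lines in lower case, so comparing the two fields as grokked would never match), keeps the latest DHCP assignment per MAC, and attaches that assignment to every NAT event whose source IP still matches the lease. The group names, the `Stitcher` class and the last four log lines (an unknown MAC, a re-assignment of the same MAC to a new address, and traffic from the old address afterwards) are constructed for the example. Inside Logstash the same per-MAC state is normally held with the aggregate filter keyed on the lower-cased MAC (its documented "no end event" usage), which requires the pipeline to run with a single worker so the DHCP event is processed before the NAT events that follow it.

```python
import re
from typing import Dict, List, Optional

# Plain-Python equivalents of the two grok patterns in the post (group names
# are hypothetical; the router IP, interface and MAC come from the posted log).
SYSLOG_TS = r"(?P<date>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})"
IP = r"(?:\d{1,3}\.){3}\d{1,3}"
MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"

DHCP_RE = re.compile(
    SYSLOG_TS + r" (?P<router>" + IP + r") (?P<prefix>\S+): (?P<dhcp_zone>\S+) "
    r"(?P<dhcp_status>\w+) (?P<ip>" + IP + r") (?:from|to) (?P<mac>" + MAC + r")$"
)
NAT_RE = re.compile(
    SYSLOG_TS + r" (?P<router>" + IP + r") (?P<prefix>\S+): (?P<chain>.+?): "
    r"in:(?P<src_zone>\S+) out:(?P<dst_zone>\S+), src-mac (?P<mac>" + MAC + r"), "
    r"proto (?P<proto>.+?), (?P<src_ip>" + IP + r"):(?P<src_port>\d+)->"
    r"(?P<dst_ip>" + IP + r"):(?P<dst_port>\d+), len (?P<length>\d+)$"
)


class Stitcher:
    """Remembers the latest DHCP assignment per MAC and attaches it to NAT events.

    This is the 'one DHCP line, many NAT lines' join from the post done in
    memory; in Logstash the same state would live in the aggregate filter's map.
    """

    def __init__(self) -> None:
        self.leases: Dict[str, dict] = {}  # lower-case MAC -> last DHCP event
        self.unmatched = 0                 # NAT events with no usable lease

    def feed(self, line: str) -> Optional[dict]:
        m = DHCP_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["kind"] = "dhcp"
            # The DHCP line logs the MAC upper-case, the NAT lines lower-case:
            # without normalising, nothing ever matches.
            ev["mac"] = ev["mac"].lower()
            self.leases[ev["mac"]] = ev  # a newer lease for the same MAC wins
            return ev
        m = NAT_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["kind"] = "nat"
            ev["mac"] = ev["mac"].lower()
            lease = self.leases.get(ev["mac"])
            # Require the lease IP to equal the NAT source IP, so traffic from an
            # address the MAC no longer holds is not attributed to the new lease.
            if lease is not None and lease["ip"] == ev["src_ip"]:
                ev["stitched"] = True
                ev["dhcp_zone"] = lease["dhcp_zone"]
                ev["dhcp_assigned_at"] = lease["date"]
            else:
                ev["stitched"] = False
                self.unmatched += 1
            return ev
        return None  # neither pattern matched (a _grokparsefailure in Logstash)


def stitch(lines: List[str]) -> List[dict]:
    """Run every line through one Stitcher and return the parsed events in order."""
    st = Stitcher()
    return [ev for ev in (st.feed(line) for line in lines) if ev is not None]


# Constructed sample: the first four lines are from the post; the last four are
# invented to show an unknown MAC, a re-assignment and a stale-IP case.
SAMPLE_LOG = [
    "Oct 10 18:00:06 27.132.96.9 nat: dhcp2 assigned 192.168.1.254 to 64:BC:0C:7D:8A:3C",
    "Oct 10 18:00:06 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac 64:bc:0c:7d:8a:3c, proto UDP, 192.168.1.254:38364->123.200.0.254:53, len 60",
    "Oct 10 18:00:06 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac 64:bc:0c:7d:8a:3c, proto UDP, 192.168.1.254:63507->123.200.0.254:53, len 75",
    "Oct 10 18:00:06 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac 64:bc:0c:7d:8a:3c, proto TCP (SYN), 192.168.1.254:48324->172.217.27.36:443, len 60",
    "Oct 10 18:00:09 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac aa:bb:cc:dd:ee:ff, proto UDP, 192.168.1.77:40001->123.200.0.254:53, len 60",
    "Oct 10 18:05:00 27.132.96.9 nat: dhcp2 assigned 192.168.1.10 to 64:BC:0C:7D:8A:3C",
    "Oct 10 18:05:01 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac 64:bc:0c:7d:8a:3c, proto UDP, 192.168.1.254:40002->123.200.0.254:53, len 60",
    "Oct 10 18:05:02 27.132.96.9 nat: nat srcnat: in:(none) out:ether7, src-mac 64:bc:0c:7d:8a:3c, proto TCP (SYN), 192.168.1.10:40003->74.125.24.94:80, len 60",
]

if __name__ == "__main__":
    for ev in stitch(SAMPLE_LOG):
        if ev["kind"] == "nat":
            print(ev["date"], ev["mac"], ev["src_ip"],
                  "stitched" if ev["stitched"] else "NO LEASE",
                  ev.get("dhcp_assigned_at", "-"))
```

Run as-is it prints one line per NAT event with the DHCP timestamp it was stitched to, or "NO LEASE" for the unknown MAC and for the packet still sourced from 192.168.1.254 after that MAC was re-assigned 192.168.1.10. That second case is the caveat to carry into the Logstash version: matching on MAC alone, as the post proposes, will happily attach an old lease to traffic the router no longer associates with it, so the lease IP should be part of the comparison, and leases that are not refreshed should be expired from the map rather than kept forever.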

(A S M Shamim Reza) #2

Any help? Anyone, please?


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.