What is the proper way to create a Checkpoint filter in Logstash

I have an ELK stack on my server; on another PC I have Filebeat listening for Checkpoint syslogs. I know I have to write the filters in a .conf file. This is mine:

filter{
  
  if "checkpoint-firewall" in [tags] {
    grok {
      match => [
        "message" => "<%{POSINT:priority}>%{MONTH:mes}%{SPACE}%{MONTHDAY:dia}%{SPACE}%{HOUR:hora}:%{MINUTE:minuto}:%{SECOND:segundo}?%{ISO8601_TIMEZONE:zona_horaria}?%{SPACE}%{IP:host}%{SPACE}%{WORD:}"
      ]
    }
    kv {
      source => "raw_message"
      value_split => '=\"'
      allow_duplicate_values => true
    } 
  } 
}

But Logstash complains and doesn't receive the logs. What am I doing wrong?
EDIT: I found the log:

Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"{\", \",\", \"]\" at line 16, column 19 (byte 284) after filter{\n  \n  if \"checkpoint-firewall\" in [tags] {\n    grok {\n      match => [\n        \"message\" ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:184:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:69:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:389:in `block in converge_state'"]}

What exactly is the error message?

There is not exactly an error; the CPU goes to 150% usage and the information doesn't appear in Kibana. In the logs everything just looks normal.

That should be

match => {
    "message" => "<%{POSINT:priority}>%{MONTH:mes}%{SPACE}%{MONTHDAY:dia}%{SPACE}%{HOUR:hora}:%{MINUTE:minuto}:%{SECOND:segundo}?%{ISO8601_TIMEZONE:zona_horaria}?%{SPACE}%{IP:host}%{SPACE}%{WORD:}"
}

with {} instead of

Now it works, THANKS! Another question: Logstash accepts the log:

[2021-05-19T08:29:50,708][DEBUG][logstash.filters.grok    ][main][fb358952f29e1e1ccd44ae271051e29ae564d49519648d285f66b1d3f3b955c0] Running grok filter {:event=>{"@timestamp"=>2021-05-19T08:29:49.446Z, "message"=>"<85>May 19 09:29:47+01:00 192.168.1.1 Action=\"accept\" inzone=\"Internal\" outzone=\"External\" service_id=\"HTTPS\" src=\"192.168.1.1\" dst=\"107.1.1.1\" proto=\"6\" xlatesrc=\"1.1.1.1\" xlatedst=\"\" NAT_rulenum=\"0\" NAT_addtnl_rulenum=\"0\" user=\"\" src_user_name=\"\" src_machine_name=\"\" src_user_dn=\"\" snid=\"\" dst_user_name=\"\" dst_machine_name=\"\" dst_user_dn=\"\" UP_match_table=\"TABLE_START\" ROW_START=\"0\" match_id=\"0\" layer_uuid=\"xxxxxxxxx\" layer_name=\"internal\" rule_uid=\"xxxxxxxx\" rule_name=\"Implied Rule \" ROW_END=\"0\" ROW_START=\"1\" match_id=\"xxxxxxx\" layer_uuid=\"xxxxxxx\" layer_name=\"Outgoing\" rule_uid=\"xxxxxx\" rule_name=\"Outgoing Default Policy\" ROW_END=\"1\" UP_match_table=\"TABLE_END\" gateway_id=\"xxxx" ProductName=\"xxxxx" svc=\"xx\" sport_svc=\"xxxx\" xlatedport_svc=\"\" xlatesport_svc=\"xxx\" ProductFamily=\"\" \n", "log"=>{"source"=>{"address"=>"1.1.1.1:xx"}}, "fileset"=>{"name"=>"firewall"}, "ecs"=>{"version"=>"x.x.x"}, "tags"=>["checkpoint-firewall", "forwarded", "beats_input_codec_plain_applied"], "service"=>{"type"=>"checkpoint"}, "event"=>{"dataset"=>"checkpoint.firewall", "timezone"=>"+0x:00", "module"=>"checkpoint"}, "@version"=>"1", "input"=>{"type"=>"udp"}, "agent"=>{"id"=>"xxxxx", "name"=>"xx-MV", "type"=>"filebeat", "version"=>"7.12.1", "hostname"=>"xxxx-MV", "ephemeral_id"=>"xxxxx"}}}
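
A complete version of the filter discussed in this thread, as an added example that is not part of the original posts. It assumes the poster meant the rest of the line to feed `kv`, so it captures it as `raw_message` with `GREEDYDATA`; the field name `gateway_ip` (used instead of `host` to stay clear of the ECS `host` object), the `checkpoint` target and the `_checkpoint_grok_failure` tag are hypothetical names.

```logstash
filter {
  if "checkpoint-firewall" in [tags] {
    grok {
      # match takes a hash: { "field" => "pattern" }.
      # Writing [ "message" => "..." ] is what triggered the ConfigurationError above.
      match => {
        "message" => "<%{POSINT:priority}>%{MONTH:mes}%{SPACE}%{MONTHDAY:dia}%{SPACE}%{HOUR:hora}:%{MINUTE:minuto}:%{SECOND:segundo}%{ISO8601_TIMEZONE:zona_horaria}?%{SPACE}%{IP:gateway_ip}%{SPACE}%{GREEDYDATA:raw_message}"
      }
      # Hypothetical tag name, so events the pattern did not match are easy to find.
      tag_on_failure => ["_checkpoint_grok_failure"]
    }

    # Only run kv when grok actually produced raw_message.
    if "_checkpoint_grok_failure" not in [tags] {
      kv {
        source => "raw_message"
        field_split => " "
        value_split => "="
        # Keys such as ROW_START and match_id repeat within one line;
        # keep identical repeated pairs rather than de-duplicating them.
        allow_duplicate_values => true
        # Hypothetical target: nest the firewall fields under one object.
        target => "checkpoint"
        remove_field => ["raw_message"]
      }
    }
  }
}
```

Running `bin/logstash --config.test_and_exit -f <path to this .conf>` checks the syntax before the pipeline is restarted, which catches errors like the one in this thread without waiting for the pipeline to fail at startup.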
