Justine Schmidt
Reputation: 1
Output Logstash - Grok filter for Fortigate 6.4 syslog
I installed some Logstash docker-compose thing, working with Elastic and Kibana, not so bad. But I've been struggling for some time to find the appropriate Grok filter to my Elastic output, but I need your kind help...
Here is an example of log from a Fortigate 6.4, displayed in Kibana Discover.
@timestamp:Sep 22, 2023 @ 17:08:49.500 @version:1 facility:0 facility_label:kernel host:X.X.X.X message:<45>date=2023-09-22 time=17:07:46 devname="DEVICE1" devid="GTSV5865" eventtime=1695395266695275960 tz="+0200" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=X.X.X.X srcname="SWITCH-SOMEWHERE" identifier=125970 srcintf="vlanZZ" srcintfrole="lan" dstip=X.X.X.X dstintf="INTERNET" dstintfrole="wan" srccountry="Reserved" dstinetsvc="Google-ICMP" dstcountry="United States" dstregion="California" dstcity="Mountain View" dstreputation=5 sessionid=193890225 proto=1 action="deny" policyid=0 policytype="policy" service="Google-ICMP" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 vwlid=2 vwlquality="Seq_num(12 wan2), alive, sla(0x1), gid(1), cfg_order(0), cost(0), selected" vwlname="SVC_INTERNET" appcat="unscanned" crscore=30 craction=131072 crlevel="high" srchwvendor="Cisco" devtype="Network" srcfamily="Router"
First, I'd like to index each value contained in the "message" field(date, time, devname, devid etc...).
Then, I'd like to adapt it to a second kafka output to only redirect logs with those fileds : srcip, dstip, sentbytes and rcvdbyte.
Jeez, I have absolutely no comprehension with Python like code, I'd be really grateful for any help, explanation, even encouragement ahah!
Tried these filters, with no luck :
filter {
if [type] == "Fortimanager" {
grok {
match => { "message" => "message:<%{POSINT:logid}>date=%{DATE:date} time=%{TIME:time} devname=\"%{DATA:devname}\" devid=\"%{DATA:devid}\" eventtime=%{INT:eventtime} tz=\"%{DATA:tz}\" logid=\"%{DATA:logid}\" type=\"%{DATA:type}\" subtype=\"%{DATA:subtype}\" level=\"%{DATA:level}\" vd=\"%{DATA:vd}\" srcip=%{IP:srcip} srcname=\"%{DATA:srcname}\" identifier=%{INT:identifier} srcintf=\"%{DATA:srcintf}\" srcintfrole=\"%{DATA:srcintfrole}\" dstip=%{IP:dstip} dstintf=\"%{DATA:dstintf}\" dstintfrole=\"%{DATA:dstintfrole}\" srccountry=\"%{DATA:srccountry}\" dstinetsvc=\"%{DATA:dstinetsvc}\" dstcountry=\"%{DATA:dstcountry}\" dstregion=\"%{DATA:dstregion}\" dstcity=\"%{DATA:dstcity}\" dstreputation=%{INT:dstreputation} sessionid=%{INT:sessionid} proto=%{INT:proto} action=\"%{DATA:action}\" policyid=%{INT:policyid} policytype=\"%{DATA:policytype}\" service=\"%{DATA:service}\" trandisp=\"%{DATA:trandisp}\" duration=%{INT:duration} sentbyte=%{INT:sentbyte} rcvdbyte=%{INT:rcvdbyte} sentpkt=%{INT:sentpkt} rcvdpkt=%{INT:rcvdpkt} vwlid=%{INT:vwlid} vwlquality=\"%{DATA:vwlquality}\" vwlname=\"%{DATA:vwlname}\" appcat=\"%{DATA:appcat}\" crscore=%{INT:crscore} craction=%{INT:craction} crlevel=\"%{DATA:crlevel}\" srchwvendor=\"%{DATA:srchwvendor}\" devtype=\"%{DATA:devtype}\" srcfamily=\"%{DATA:srcfamily}\"" }
}
mutate {
remove_field => ["message", "facility", "facility_label", "host", "time", "devname", "devid", "eventtime", "tz", "logid", "level", "vd", "srcuuid", "dstuuid", "srccountry", "dstinetsvc", "dstinetsvc", "dstcity", "dstreputation", "sessionid", "proto", "action", "policyid", "policytype", "poluuid", "service", "trandisp", "transip", "transport", "appid", "app", "appcat", "apprisk", "applist"]
}
}
}
KO
kv {
source => "message"
field_split => " "
}
}
}
KO
filter {
if [type] == "fortimanager" {
grok {
match => {
"message" => "message:<%{POSINT:logid}>date=%{DATE:date} time=%{TIME:time} devname=\"%{DATA:devname}\" devid=\"%{DATA:devid}\" eventtime=%{INT:eventtime} tz=\"%{DATA:tz}\" logid=\"%{DATA:logid}\" type=\"%{DATA:type}\" subtype=\"%{DATA:subtype}\" level=\"%{DATA:level}\" vd=\"%{DATA:vd}\" appid=%{INT:appid} srcip=%{IP:srcip} dstip=%{IP:dstip} srcport=%{INT:srcport} dstport=%{INT:dstport} srcintf=\"%{DATA:srcintf}\" srcintfrole=\"%{DATA:srcintfrole}\" dstintf=\"%{DATA:dstintf}\" dstintfrole=\"%{DATA:dstintfrole}\" proto=%{INT:proto} service=\"%{DATA:service}\" action=\"%{DATA:action}\" policyid=%{INT:policyid} sessionid=%{INT:sessionid} appcat=\"%{DATA:appcat}\" app=\"%{DATA:app}\" hostname=\"%{DATA:hostname}\" incidentserialno=%{INT:incidentserialno} url=\"%{DATA:url}\" msg=\"%{DATA:msg}\" apprisk=\"%{DATA:apprisk}\" scertcname=\"%{DATA:scertcname}\" scertissuer=\"%{DATA:scertissuer}\""
}
}
}
}
KO
filter {
if [type] == "fortimanager" {
grok {
match => {
"message" => "%{SYSLOG5424PRI}%{GREEDYDATA:syslog5424_sd}$|(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource}+(?: %{SYSLOGPROG}:|) %{GREEDYDATA:syslog5424_sd}$"
}
}
}
}
KO
filter {
if [type] == "fortimanager" {
grok {
match => {
"message" => "message:<%{POSINT:logid}> %{GREEDYDATA:UNWANTED} devname=\"%{HOSTNAME:devname}\" %{GREEDYDATA:UNWANTED}
}
}
}
}
Upvotes: 0
Views: 547
Answers (0)
Related Questions
- Netfilter syslog message Grok pattern
- logstash grok filter pattern
- grok expression for Sophos syslog
- Automatically parse logs fields with Logstash
- Parsing data with grok filter on logstash
- Logstash grok filter for collectd metrics data
- Logstash Grok error
- Grok Filter Error in Logstash
- Regex in config for dynamic columns in logstash