OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: deekdeeker on April 29, 2019, 12:56:25 am

Title: Graylog extractor for suricata syslog messages
Post by: deekdeeker on April 29, 2019, 12:56:25 am
Does anyone have a Graylog extractor for Suricata messages sent to syslog? :)
Title: Re: Graylog extractor for suricata syslog messages
Post by: lfirewall1243 on July 01, 2019, 08:53:30 am
I'm looking for it too
Title: Re: Graylog extractor for suricata syslog messages
Post by: mimugmail on July 01, 2019, 09:08:41 am
19.7 will bring better syslog support, hopefully this will fix this
Title: Re: Graylog extractor for suricata syslog messages
Post by: deekdeeker on July 10, 2019, 05:55:57 pm
Right now I'm using this grok pattern to help out.

%{WORD:ips}\[%{NUMBER:UNWANTED}\]: \[%{NUMBER:UNWANTED}:%{NUMBER:UNWANTED}:%{NUMBER:UNWANTED}\] %{DATA:description} \[Classification: %{DATA:classification}\] \[Priority: %{NUMBER:priority}\] \{%{WORD:protocol}\} %{IP:src_ip}:%{NUMBER:src_port} \-\> %{IP:dst_ip}:%{NUMBER:dst_port}
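As an added example that is not part of the thread, here is the same grok pattern hand-expanded into a Python regular expression and run over constructed sample syslog lines, so you can check what each field will contain before loading the extractor into Graylog. Field names follow the post, except that the three rule ids are named gid/sid/rev instead of UNWANTED; the %{IP} stand-in below is IPv4-only and the sample lines are constructed, not captured output.

```python
import re
from typing import Optional

# Hand-expanded equivalent of the grok pattern from the post above.
# %{WORD} -> \w+ ; %{NUMBER} -> \d+ ; %{DATA} -> .*? ; %{IP} -> dotted quad (IPv4 only here).
# Suricata writes "[Classification: X]" with a space, so \s* is used to keep
# the captured value free of leading whitespace.
SURICATA_SYSLOG_RE = re.compile(
    r"(?P<ips>\w+)\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<description>.*?) "
    r"\[Classification:\s*(?P<classification>.*?)\] "
    r"\[Priority:\s*(?P<priority>\d+)\] "
    r"\{(?P<protocol>\w+)\} "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dst_port>\d+)$"
)

# Constructed sample lines (hypothetical host, pids and addresses from documentation ranges).
SAMPLE_LINES = [
    "Jul 10 17:55:57 opnsense suricata[12345]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.0.2.25:51234",
    "Jul 10 17:56:02 opnsense suricata[12345]: [1:2210021:2] SURICATA STREAM Packet with broken ack "
    "[Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.25:51234 -> 203.0.113.10:80",
    # Not a Suricata alert: the extractor must leave it alone rather than produce garbage fields.
    "Jul 10 17:56:05 opnsense sshd[999]: Accepted publickey for admin from 192.0.2.9 port 40000",
]


def parse_suricata_alert(line: str) -> Optional[dict]:
    """Return the extracted fields for one syslog line, or None if it is not a Suricata alert."""
    m = SURICATA_SYSLOG_RE.search(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    # Grok's NUMBER yields strings; convert the numeric fields so Graylog-style range searches work.
    for key in ("pid", "gid", "sid", "rev", "priority", "src_port", "dst_port"):
        fields[key] = int(fields[key])
    return fields


def parse_lines(lines) -> list:
    """Parse a batch of syslog lines, silently skipping lines that are not Suricata alerts."""
    return [f for f in (parse_suricata_alert(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for event in parse_lines(SAMPLE_LINES):
        print(event["sid"], event["priority"], event["classification"], event["src_ip"], "->", event["dst_ip"])
```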
Title: Re: Graylog extractor for suricata syslog messages
Post by: lfirewall1243 on July 16, 2019, 08:46:13 am
Right now I'm using this grok pattern to help out.

%{WORD:ips}\[%{NUMBER:UNWANTED}\]: \[%{NUMBER:UNWANTED}:%{NUMBER:UNWANTED}:%{NUMBER:UNWANTED}\] %{DATA:description} \[Classification: %{DATA:classification}\] \[Priority: %{NUMBER:priority}\] \{%{WORD:protocol}\} %{IP:src_ip}:%{NUMBER:src_port} \-\> %{IP:dst_ip}:%{NUMBER:dst_port}

Thanks a lot!!! :)