Author Topic: Logstash parsing with new logging  (Read 3824 times)

G

Logstash parsing with new logging
« on: August 09, 2019, 05:31:49 pm »
Hi,
I'm sharing this here for others to use. It's far from perfect, but it's a starting point, mainly for FW hits.

filter {
  if [type] == "opnsense" {
    # Split the syslog header off the raw line; everything after the
    # "program[pid]: " prefix ends up in syslog_message.
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:fw_name} %{WORD:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      # Logstash expects a single add_field per plugin block; the two
      # separate add_field entries of the original are merged into one hash.
      add_field => {
        "received_at"   => "%{@timestamp}"
        "received_from" => "%{host}"
      }
    }
# filterlog #######################################################
    # Field list for IPv4 TCP/UDP records only (rulenr,,,rid,...,src_port,
    # dst_port,datalen). IPv6 and ICMP records have a different layout and
    # end up tagged _grokparsefailure; the match is not anchored at the end,
    # so the extra TCP flag/seq/ack fields after datalen are simply ignored.
    if [syslog_program] == "filterlog" {
        grok {
          match => { "syslog_message" => "(%{WORD:rulenr}),,,(%{WORD:rid}),(%{WORD:interface}),(%{WORD:reason}),(%{WORD:action}),(%{WORD:dir}),(%{WORD:version}),(%{WORD:tos}),,(%{NUMBER:ttl}),(%{NUMBER:id}),(%{NUMBER:offset}),(%{WORD:ipflags}),(%{NUMBER:protonumber}),(%{WORD:protocol}),(%{NUMBER:length}),(%{IP:src_ip}),(%{IP:dst_ip}),(%{NUMBER:src_port}),(%{NUMBER:dst_port}),(%{NUMBER:datalen})" }
          add_field => [ "parsed", "filterlog" ]
        }
    }
# unbound ########################################################
    # The remaining programs are only copied through and tagged with
    # "parsed", so they can be told apart from unhandled sources.
    if [syslog_program] == "unbound" {
       grok {
         match => { "syslog_message" => "%{GREEDYDATA:syslog_message2}"}
         add_field => [ "parsed", "unbound" ]
       }
    }
# devd ###########################################################
    if [syslog_program] == "devd" {
       grok {
         match => { "syslog_message" => "%{GREEDYDATA:syslog_message2}"}
         add_field => [ "parsed", "devd" ]
       }
    }
# openvpn ########################################################
    if [syslog_program] == "openvpn" {
       grok {
         match => { "syslog_message" => "%{GREEDYDATA:syslog_message2}"}
         add_field => [ "parsed", "openvpn" ]
       }
    }
  }
}
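A Logstash filter can only be exercised inside Logstash, so here is an added example (written for this page, not code from the post or from the OPNsense project) that re-implements the two grok stages of the filter above in Python. The regexes are hand translations of the grok patterns `%{SYSLOGTIMESTAMP}`, `%{HOSTNAME}`, `%{WORD}`, `%{POSINT}`, `%{NUMBER}`, `%{IP}` and `%{GREEDYDATA}` (close, not byte-for-byte identical; `IP` is restricted to IPv4 here), the sample lines and the `rid` value are constructed, and the function names are the example's own. It goes one step beyond the post by showing what happens to a record the filterlog pattern does not fit: the ICMP line below comes through with the `_grokparsefailure` tag instead of its addresses.

```python
import re

# Stage 1: syslog header, equivalent to the first grok in the post.
# SYSLOGTIMESTAMP is "Mon dd HH:MM:SS" with a space-padded single-digit day.
SYSLOG_RE = re.compile(
    r"^(?P<syslog_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<fw_name>[A-Za-z0-9][A-Za-z0-9.-]*) "
    r"(?P<syslog_program>\w+)(?:\[(?P<syslog_pid>\d+)\])?: "
    r"(?P<syslog_message>.*)$"
)

# Stage 2: filterlog body, same fields in the same order as the post's grok
# pattern. Like grok it is searched, not anchored at the end, so TCP records
# (which carry flags, seq and ack after datalen) still match.
NUM = r"-?\d+(?:\.\d+)?"
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
FILTERLOG_RE = re.compile(
    rf"(?P<rulenr>\w+),,,(?P<rid>\w+),(?P<interface>\w+),(?P<reason>\w+),"
    rf"(?P<action>\w+),(?P<dir>\w+),(?P<version>\w+),(?P<tos>\w+),,"
    rf"(?P<ttl>{NUM}),(?P<id>{NUM}),(?P<offset>{NUM}),(?P<ipflags>\w+),"
    rf"(?P<protonumber>{NUM}),(?P<protocol>\w+),(?P<length>{NUM}),"
    rf"(?P<src_ip>{IPV4}),(?P<dst_ip>{IPV4}),"
    rf"(?P<src_port>{NUM}),(?P<dst_port>{NUM}),(?P<datalen>{NUM})"
)

# Programs the post only copies through with a GREEDYDATA grok.
CATCH_ALL_PROGRAMS = ("unbound", "devd", "openvpn")


def parse_opnsense_line(line):
    """Apply the filter's logic to one raw syslog line.

    Returns a dict of extracted fields plus a 'tags' list. A stage that does
    not match appends '_grokparsefailure', exactly as grok does, so records
    the pattern cannot handle stay visible instead of silently losing fields.
    """
    event = {"message": line, "tags": []}
    m = SYSLOG_RE.match(line)
    if m is None:
        event["tags"].append("_grokparsefailure")
        return event
    # grok leaves an optional capture (the pid) out entirely; drop None likewise.
    event.update({k: v for k, v in m.groupdict().items() if v is not None})

    program = event["syslog_program"]
    if program == "filterlog":
        fm = FILTERLOG_RE.search(event["syslog_message"])
        if fm is None:
            event["tags"].append("_grokparsefailure")
        else:
            event.update(fm.groupdict())
            event["parsed"] = "filterlog"
    elif program in CATCH_ALL_PROGRAMS:
        event["syslog_message2"] = event["syslog_message"]
        event["parsed"] = program
    return event


# Constructed sample lines (not real firewall output); the rid is a made-up
# placeholder in the shape OPNsense uses.
SAMPLE_LINES = [
    # IPv4 UDP block: every field the pattern wants is present.
    "Aug  9 17:31:49 fw01 filterlog[12345]: 72,,,0123456789abcdef0123456789abcdef,"
    "igb0,match,block,in,4,0x0,,64,0,0,none,17,udp,78,"
    "198.51.100.23,192.0.2.10,51234,53,58",
    # IPv4 ICMP block: no ports after dst_ip, so the filterlog grok fails.
    "Aug  9 17:31:50 fw01 filterlog[12345]: 72,,,0123456789abcdef0123456789abcdef,"
    "igb0,match,block,in,4,0x0,,64,0,0,none,1,icmp,84,"
    "198.51.100.23,192.0.2.10,56,request,10013,1",
    # unbound line: only the header stage and the copy-through apply.
    "Aug  9 17:31:51 fw01 unbound[999]: [999:0] info: resolving example.com. A IN",
]


def parse_samples():
    """Parse the constructed lines; returns the list of resulting events."""
    return [parse_opnsense_line(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for ev in parse_samples():
        print(ev.get("parsed", "-"), ev["tags"], ev.get("src_ip"), ev.get("dst_port"))
```

Running the script shows the UDP record fully decoded, the ICMP record with `parsed` unset and `_grokparsefailure` in its tags, and the unbound record copied through. Because blocked ICMP and IPv6 traffic takes the same path as that second line, a saved search or dashboard panel on `tags:_grokparsefailure` is the quickest way to see how much firewall data the pattern is currently dropping on the floor.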

fabian

  • OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: Logstash parsing with new logging
« Reply #1 on: August 09, 2019, 06:52:58 pm »
If it still works (I haven't tested it with the new syslog server yet):

https://github.com/fabianfrz/opnsense-logstash-config

abraxxa

Re: Logstash parsing with new logging
« Reply #2 on: August 09, 2019, 10:51:50 pm »
Yes, that still works for me.
