Extractor for 1600-0065
Add an extractor for DHCP-related logs: this adds a GROK pattern, an extractor and a lookup-table entry. Please also update the related CSV file under /etc/graylog.
Closes #8
ThoZed committed Jun 18, 2018
1 parent 982d548 commit 3aa6616
Showing 3 changed files with 20 additions and 2 deletions.
1 change: 1 addition & 0 deletions LookupTables/fireware_msg_id_lookup_table.csv
Expand Up @@ -573,3 +573,4 @@
"7001-0008","INFO","Mobile Security / Endpoint Manager","Mobile device Not Compliant","Mobile device compliance status is Not Compliant, because it does not meet the compliance requirements."
"7001-0009","INFO","Mobile Security / Endpoint Manager","Mobile device user session recreated","User session is recreated because the mobile device IP address changed."
"7002-0000","INFO","Mobile Security / Endpoint Manager","Mobile device Authorization Agreement sign action","The Device Authorization Agreement is either accepted or declined by a user at the specified local time."
"1600-0065","INFO","Networking / DHCP Server","DHCP Message","DHCP related Messages generated by builtin DHCP-Server"
15 changes: 14 additions & 1 deletion content_pack_input.json
Expand Up @@ -138,7 +138,7 @@
"converters": [],
"condition_type": "NONE",
"condition_value": "",
"order": 12
"order": 13
}, {
"title": "Firewall PacketFilter INFO 3000-0148",
"type": "GROK",
Expand Down Expand Up @@ -191,6 +191,19 @@
"condition_type": "REGEX",
"condition_value": "^.*tcp|udp|icmp.*\((.*)\)$",
"order": 1
}, {
"title": "Networking DHCP INFO 1600-0065",
"type": "GROK",
"cursor_strategy": "COPY",
"target_field": "",
"source_field": "message",
"configuration": {
"grok_pattern": "^.*\\) %{NOTSPACE:service}\\[%{NOTSPACE:process}\\]: msg_id=\"1600-0065\" %{DHCPMESSAGE:dhcp_message} to %{IPV4:dhcp_clientip} \\(%{MAC:dhcp_clientmac}\\) via vlan%{NOTSPACE:dhcp_clientvlan}"
},
"converters": [],
"condition_type": "REGEX",
"condition_value": "^.*msg_id=\"1600-0065\".*",
"order": 12
}
]
}],
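Review bot: The new extractor's `grok_pattern` in the second hunk references `%{DHCPMESSAGE:dhcp_message}`, but DHCPMESSAGE is only defined in a different content pack of this same commit (content_pack_lookuptables.json), so importing content_pack_input.json on its own, or before the lookup-table pack, leaves the pattern uncompilable. Either add the same DHCPMESSAGE entry to this pack's own `grok_patterns` array or state the import-order dependency in the README. Separately, the condition `^.*msg_id=\"1600-0065\".*` accepts every 1600-0065 line while the grok only matches the exact `... to %{IPV4} (%{MAC}) via vlan...` shape; a 1600-0065 line in any other form (which I cannot verify from here) passes the condition but extracts nothing, silently. Consider narrowing the condition to the shape the grok handles, or documenting which DHCP message forms are covered.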
6 changes: 5 additions & 1 deletion content_pack_lookuptables.json
Expand Up @@ -6,7 +6,11 @@
"streams": [],
"outputs": [],
"dashboards": [],
"grok_patterns": [],
"grok_patterns": [{
"name": "DHCPMESSAGE",
"pattern": "(DHCPDISCOVER|DHCPOFFER|DHCPREQUEST|DHCPACK|DHCPNAK|DHCPRELEASE|DHCPDECLINE)"
}
],
"lookup_tables": [{
"title": "Lookup Table Fireware msg ID to Description",
"description": "Lookup Table for Watchguard msg ID's - http://www.watchguard.com/help/docs/fireware/11/en-US/log_catalog/index.html",
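Review bot: The DHCPMESSAGE alternation omits DHCPINFORM, which is a standard DHCP message type defined in RFC 2131, so a 1600-0065 line carrying DHCPINFORM would pass the extractor's msg_id condition but fail its grok match and yield no fields; suggest `"pattern": "(DHCPDISCOVER|DHCPOFFER|DHCPREQUEST|DHCPACK|DHCPNAK|DHCPRELEASE|DHCPDECLINE|DHCPINFORM)"`. The pattern is also unanchored and has no word boundaries, so it matches as a substring; that is harmless given the literal text the extractor places around it, but since grok patterns have no comment syntax it is worth a line in the README noting the pattern is meant to be used only inside the 1600-0065 extractor.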
