Merge pull request #19 from ThoZed/develop

Extractors and Dashboard for integration support

LookupTables/fireware_msg_id_lookup_table.csv

@@ -573,3 +573,5 @@
 "7001-0008","INFO","Mobile Security / Endpoint Manager","Mobile device Not Compliant","Mobile device compliance status is Not Compliant, because it does not meet the compliance requirements."
 "7001-0009","INFO","Mobile Security / Endpoint Manager","Mobile device user session recreated","User session is recreated because the mobile device IP address changed."
 "7002-0000","INFO","Mobile Security / Endpoint Manager","Mobile device Authorization Agreement sign action","The Device Authorization Agreement is either accepted or declined by a user at the specified local time."
+"1600-0065","INFO","Networking / DHCP Server","DHCP Message","DHCP related Messages generated by builtin DHCP-Server"
+"1600-0066","INFO","Networking / DHCP Server","DHCP Message","DHCP related Messages generated by builtin DHCP-Server"

README.md

@@ -13,7 +13,7 @@ The logs messages include a message ID which could be extracted by using followi
 
 The resulting msg_id is used by the extractors to lookup msg_name,msg_area,msg_level and msg_desc fields.
 
-With the help od this information it is more easy to read the incoming log messages. Every message provides additional information which could be used for search queries.
+With the help of this information it is more easy to read the incoming log messages. Every message provides additional information which could be used for search queries.
 
 The extractor calls a lookup table which uses a data adapter to read the [csv](LookupTables/fireware_msg_id_lookup_table.csv) file.
 
@@ -46,4 +46,9 @@ please apply the lookuptables first.
 
 ### Extractors
 
-### Dashboards
+### Dashboard
+
+with the **_integrator panel_** you are able to see which messages have a missing extractor. The timeline shows incoming and unextracted messages.
+
+<img src="https://user-images.githubusercontent.com/1869080/41641816-ccbeb338-7466-11e8-9243-bedfc2f2542e.PNG" width="600">
+

content_pack_dashboard.json

@@ -0,0 +1,142 @@
+{
+	"name": "Watchguard Content Pack_apply third",
+	"description": "Watchguard logs parsed by Graylog - Streams and Dashboards for integration incident and presentation",
+	"category": "Firewalls",
+	"inputs": [],
+	"streams": [],
+	"outputs": [],
+	"dashboards": [{
+			"title": "Watchguard - presentation",
+			"description": "Collection of informational charts",
+			"dashboard_widgets": [{
+					"description": "Worldmap - Connections",
+					"type": "org.graylog.plugins.map.widget.strategy.MapWidgetStrategy",
+					"cache_time": 10,
+					"configuration": {
+						"timerange": {
+							"type": "relative",
+							"range": 0
+						},
+						"field": "geo_coords",
+						"query": "device:watchguard"
+					},
+					"col": 1,
+					"row": 1,
+					"height": 2,
+					"width": 2
+				}
+			]
+		}, {
+			"title": "Watchguard - incident",
+			"description": "Shows Errors, Blocks ...",
+			"dashboard_widgets": []
+		}, {
+			"title": "Watchguard - integrator",
+			"description": "show metrics , find problems while extracting",
+			"dashboard_widgets": [{
+					"description": "Overview incoming/unextracted - 7d",
+					"type": "STACKED_CHART",
+					"cache_time": 10,
+					"configuration": {
+						"interval": "minute",
+						"timerange": {
+							"type": "relative",
+							"range": 604800
+						},
+						"renderer": "line",
+						"interpolation": "linear",
+						"series": [{
+								"query": "device:watchguard NOT action:Deny NOT action:Allow NOT _exists_:dhcp_message",
+								"field": "source",
+								"statistical_function": "count"
+							}, {
+								"query": "device:watchguard",
+								"field": "source",
+								"statistical_function": "count"
+							}
+						]
+					},
+					"col": 3,
+					"row": 3,
+					"height": 2,
+					"width": 2
+				}, {
+					"description": "Overview incoming/unextracted - 1h",
+					"type": "STACKED_CHART",
+					"cache_time": 10,
+					"configuration": {
+						"interval": "minute",
+						"timerange": {
+							"type": "relative",
+							"range": 3600
+						},
+						"renderer": "line",
+						"interpolation": "linear",
+						"series": [{
+								"query": "device:watchguard NOT action:Deny NOT action:Allow NOT _exists_:dhcp_message",
+								"field": "source",
+								"statistical_function": "count"
+							}, {
+								"query": "device:watchguard",
+								"field": "source",
+								"statistical_function": "count"
+							}
+						]
+					},
+					"col": 3,
+					"row": 1,
+					"height": 2,
+					"width": 2
+				}, {
+					"description": "missing extractor - 1h - feel free to contribute :-)",
+					"type": "QUICKVALUES",
+					"cache_time": 10,
+					"configuration": {
+						"timerange": {
+							"type": "relative",
+							"range": 3600
+						},
+						"field": "msg_id",
+						"query": "device:watchguard NOT action:Deny NOT action:Allow NOT _exists_:dhcp_message",
+						"show_data_table": true,
+						"limit": 5,
+						"show_pie_chart": false,
+						"sort_order": "desc",
+						"stacked_fields": "",
+						"data_table_limit": 50
+					},
+					"col": 2,
+					"row": 1,
+					"height": 4,
+					"width": 1
+				}, {
+					"description": "missing extractor - 7d - feel free to contribute :-)",
+					"type": "QUICKVALUES",
+					"cache_time": 10,
+					"configuration": {
+						"timerange": {
+							"type": "relative",
+							"range": 604800
+						},
+						"field": "msg_id",
+						"query": "device:watchguard NOT action:Deny NOT action:Allow NOT _exists_:dhcp_message",
+						"show_data_table": true,
+						"limit": 5,
+						"show_pie_chart": false,
+						"sort_order": "desc",
+						"stacked_fields": "",
+						"data_table_limit": 50
+					},
+					"col": 1,
+					"row": 1,
+					"height": 4,
+					"width": 1
+				}
+			]
+		}
+	],
+	"grok_patterns": [],
+	"lookup_tables": [],
+	"lookup_caches": [],
+	"lookup_data_adapters": []
+}

content_pack_input.json

@@ -138,7 +138,7 @@
 					"converters": [],
 					"condition_type": "NONE",
 					"condition_value": "",
-					"order": 12
+					"order": 14
 				}, {
 					"title": "Firewall PacketFilter INFO 3000-0148",
 					"type": "GROK",
@@ -191,6 +191,32 @@
 					"condition_type": "REGEX",
 					"condition_value": "^.*tcp|udp|icmp.*\((.*)\)$",
 					"order": 1
+				}, {
+					"title": "Networking DHCP INFO 1600-0065",
+					"type": "GROK",
+					"cursor_strategy": "COPY",
+					"target_field": "",
+					"source_field": "message",
+					"configuration": {
+						"grok_pattern": "^.*\\) %{NOTSPACE:service}\\[%{NOTSPACE:process}\\]: msg_id=\"1600-0065\" %{DHCPMESSAGE:dhcp_message} (on|to) %{IPV4:dhcp_clientip}( to %{MAC:dhcp_clientmac} \\(%{NOTSPACE:dhcp_clientname}\\) via| \\(%{COMMONMAC:dhcp_clientmac}\\) via) vlan%{NOTSPACE:dhcp_clientvlan}"
+					},
+					"converters": [],
+					"condition_type": "REGEX",
+					"condition_value": "^.*msg_id=\"1600-0065\".*",
+					"order": 12
+				}, {
+					"title": "Networking DHCP INFO 1600-0066",
+					"type": "GROK",
+					"cursor_strategy": "COPY",
+					"target_field": "",
+					"source_field": "message",
+					"configuration": {
+						"grok_pattern": "^.*\\) %{NOTSPACE:service}\\[%{NOTSPACE:process}\\]: msg_id=\"1600-0066\" %{DHCPMESSAGE:dhcp_message} (from|(for %{IPV4:dhcp_clientip}|for %{IPV4:dhcp_clientip} \\(%{IPV4:dhcp_serverip}\\)) from) %{MAC:dhcp_clientmac} (via|\\(%{NOTSPACE:dhcp_clientname}\\) via) vlan%{NUMBER:dhcp_clientvlan}"
+					},
+					"converters": [],
+					"condition_type": "REGEX",
+					"condition_value": "^.*msg_id=\"1600-0066\".*",
+					"order": 13
 				}
 			]
 		}],

content_pack_lookuptables.json

@@ -6,7 +6,11 @@
 	"streams": [],
 	"outputs": [],
 	"dashboards": [],
-	"grok_patterns": [],
+	"grok_patterns": [{
+			"name": "DHCPMESSAGE",
+			"pattern": "(DHCPDISCOVER|DHCPOFFER|DHCPREQUEST|DHCPACK|DHCPNAK|DHCPRELEASE|DHCPDECLINE)"
+		}
+	],
 	"lookup_tables": [{
 			"title": "Lookup Table Fireware msg ID to Description",
 			"description": "Lookup Table for Watchguard msg ID's - http://www.watchguard.com/help/docs/fireware/11/en-US/log_catalog/index.html",