
# NetScreen firewall logs NETSCREENSESSIONLOG - Now is RFC5424, so not parsing. #162

Open
dneto82 opened this issue Jul 6, 2016 · 1 comment


dneto82 commented Jul 6, 2016

Hi Friends,

Trying to implement logstash to collect data from my netscreen devices (6.3.0r21), but I noticed the syslog format wasn't parsed correctly. After some grok search I noticed the log format is RFC5424.

Sample:

```
<189>SSG-SITE1175: NetScreen device_id=SSG-SITE1175 [Root]system-notification-00257(traffic): start_time="2016-07-06 05:34:27" duration=0 policy_id=320001 service=proto:112/port:0 proto=112 src zone=Null dst zone=self action=Deny sent=0 rcvd=40 src=172.30.144.251 dst=224.0.0.18 session_id=0 reason=Traffic Denied

<133>SSG-SITE0006: NetScreen device_id=SSG-SITE0006 [Root]system-notification-00257(traffic): start_time="2016-07-06 05:34:28" duration=0 policy_id=89 service=dns proto=17 src zone=ZONE-A dst zone=Untrust action=Permit sent=0 rcvd=0 src=172.23.110.3 dst=192.31.1192.60 src_port=51435 dst_port=53 src-xlated ip=172.23.110.3 port=51435 dst-xlated ip=192.31.1192.60 port=53 session_id=7004 reason=Creation
```

My conf:

```
input {
  # Same listener on TCP and UDP; NetScreen devices normally send syslog over UDP
  tcp {
    host => "10.114.243.55"
    port => 2514
    type => syslog
    tags => "traffic"
  }
  udp {
    host => "10.114.243.55"
    port => 2514
    type => syslog
    tags => "traffic"
  }
} # Input Block END

filter {
  if [type] == "syslog" {
    grok {
      match => ["message", "%{NETSCREENSESSIONLOG}"]
    }
  }
} # Filter Block END

output {
  if "traffic" in [tags] {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "firewall-traffic-%{+YYYY.MM}"
    }
  }
} # Output Block END (closing braces restored; they were cut off in the original paste)
```

- Version:
  - www-apps/kibana-bin-4.5.1::gentoo
  - app-admin/logstash-bin-2.3.3::gentoo
  - app-misc/elasticsearch-2.3.3::gentoo
- Operating System: Funtoo x64

I think this can be related to this enhancement.

Now I'm trying to make a new grok pattern.


blacksd commented Aug 12, 2017

Hi,
are you sure that it's really RFC5424? If I got it right, the VERSION number (the one after the PRI) isn't optional, and the timestamp is missing/out of place.

It looks like a custom format.
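To make the two points of this thread concrete, here is an added Python example that is not code from the issue or from the project the issue belongs to. It first checks a line against the mandatory RFC 5424 HEADER layout (PRI, then VERSION, then an RFC 3339 TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID), which is exactly the check blacksd describes: the NetScreen lines fail it because a hostname follows the PRI where the VERSION digit should be. It then parses the NetScreen format directly into fields, including the space-containing keys (`src zone`, `src-xlated ip`) and the repeated `port` key, which is what a replacement grok pattern would have to cope with. The sample lines are the two from the issue with the malformed destination address `192.31.1192.60` replaced by the documentation address `192.0.2.60`; the regexes, function names and output field names are my own.

```python
import re

# RFC 5424 section 6: HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID.
# VERSION is NONZERO-DIGIT 0*2DIGIT and is not optional; TIMESTAMP is NILVALUE ("-") or RFC 3339.
RFC5424_HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) '
    r'(?P<timestamp>-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})) '
    r'(?P<hostname>\S{1,255}) (?P<appname>\S{1,48}) (?P<procid>\S{1,128}) (?P<msgid>\S{1,32}) '
)

# NetScreen prefix as seen in the issue: "<PRI>host: NetScreen device_id=X [vsys]category-NNNNN(subtype): ..."
NETSCREEN_PREFIX = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<host>[^:\s]+): NetScreen device_id=(?P<device_id>\S+) '
    r'\[(?P<vsys>[^\]]+)\](?P<category>[A-Za-z-]+)-(?P<msgnum>\d+)\((?P<subtype>[^)]+)\): '
    r'(?P<body>.+)$'
)

# Keys may contain spaces ("src zone", "dst-xlated ip"); a bare value runs until the next "key="
# or the end of line, so the trailing "reason=Traffic Denied" keeps its space.
KEY = r'[\w-]+(?: [\w-]+)*'
KV = re.compile(rf'(?P<key>{KEY})=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^=]+?))(?= {KEY}=|$)')


def is_rfc5424(line: str) -> bool:
    """True only if the line carries a complete RFC 5424 header."""
    return RFC5424_HEADER.match(line) is not None


def parse_netscreen(line: str):
    """Return a dict of fields for a NetScreen traffic line, or None if the prefix does not match."""
    m = NETSCREEN_PREFIX.match(line)
    if not m:
        return None
    pri = int(m['pri'])
    event = {
        'facility': pri // 8,          # PRI = facility * 8 + severity (RFC 5424 section 6.2.1)
        'severity': pri % 8,
        'host': m['host'],
        'device_id': m['device_id'],
        'vsys': m['vsys'],
        'category': m['category'],
        'message_number': m['msgnum'],
        'subtype': m['subtype'],
    }
    last_key = None
    for kv in KV.finditer(m['body']):
        key = kv['key']
        value = kv['quoted'] if kv['quoted'] is not None else kv['bare']
        # "port" appears twice; qualify it with the preceding "src-xlated ip" / "dst-xlated ip" key.
        if key == 'port' and last_key and last_key.endswith(' ip'):
            key = last_key[:-3] + ' port'
        last_key = key
        event[key.replace(' ', '_').replace('-', '_')] = value
    return event


# Constructed samples: the issue's two lines with the invalid address replaced by 192.0.2.60.
SAMPLE_DENY = (
    '<189>SSG-SITE1175: NetScreen device_id=SSG-SITE1175 [Root]system-notification-00257(traffic): '
    'start_time="2016-07-06 05:34:27" duration=0 policy_id=320001 service=proto:112/port:0 proto=112 '
    'src zone=Null dst zone=self action=Deny sent=0 rcvd=40 src=172.30.144.251 dst=224.0.0.18 '
    'session_id=0 reason=Traffic Denied'
)
SAMPLE_PERMIT = (
    '<133>SSG-SITE0006: NetScreen device_id=SSG-SITE0006 [Root]system-notification-00257(traffic): '
    'start_time="2016-07-06 05:34:28" duration=0 policy_id=89 service=dns proto=17 src zone=ZONE-A '
    'dst zone=Untrust action=Permit sent=0 rcvd=0 src=172.23.110.3 dst=192.0.2.60 src_port=51435 '
    'dst_port=53 src-xlated ip=172.23.110.3 port=51435 dst-xlated ip=192.0.2.60 port=53 '
    'session_id=7004 reason=Creation'
)
# Constructed line in real RFC 5424 shape, for contrast (note the "1" after the PRI).
SAMPLE_RFC5424 = '<165>1 2016-07-06T05:34:27.003Z fw.example.com evntslog - ID47 - An application event'

if __name__ == '__main__':
    for line in (SAMPLE_DENY, SAMPLE_PERMIT, SAMPLE_RFC5424):
        print('RFC5424 header:', is_rfc5424(line))
        print('NetScreen fields:', parse_netscreen(line))
```

Neither NetScreen line passes the header check, which supports the "custom format" reading: the firewall sends a classic `<PRI>host: message` line with its own key=value payload, so a pattern has to be written for that payload rather than for the RFC 5424 header.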
