Graylog Grok Patterns for WatchGuard Syslog
######################
WatchGuard does not send uniformly structured log messages, so you have to create
a different extractor for each message scenario
######################
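# Notes on these patterns:
# - Each "String to match" line is the substring the extractor should be gated on
#   (presumably the extractor's "only run if the field contains" condition; verify
#   in the Graylog extractor settings) so that the wrong pattern is not attempted.
# - %{QUOTEDSTRING:...} captures the surrounding quotes as part of the value, so
#   numeric fields such as sent_bytes / received_bytes / src_port are stored as
#   quoted strings; strip the quotes (e.g. with a converter) before charting them.
# - Fields named UNWANTED are still stored as a field called UNWANTED unless the
#   extractor is configured to keep only named captures and the pattern is left
#   unnamed (%{NOTSPACE}); check the extractor option before relying on this.
# - Field names are kept consistent across extractors (source_ip, destination_ip,
#   received_bytes, ...) so one search or dashboard query covers every pattern.
#
# Temporarily host blocks
# String to match: Temporarily blocking host
# NOTE(review): this captures the first IPv4 address in the message; if the
# message carries more than one address, confirm the first one is the blocked host.
%{IPV4:blocked_host}
# Outbound traffic, missing some fields, has some extra fields
%{NOTSPACE:firewall_name} %{NOTSPACE:UNWANTED} %{NOTSPACE:UNWANTED} msg_id=%{NOTSPACE:msg_id} %{NOTSPACE:action} %{NOTSPACE:inside_interface} %{NOTSPACE:dst_interface} %{BASE10NUM:UNWANTED} %{NOTSPACE:protocol} %{BASE10NUM:UNWANTED} %{BASE10NUM:UNWANTED} %{IPV4:source_ip} %{IPV4:destination_ip} %{BASE10NUM:src_port} %{BASE10NUM:dst_port} geo_dst=%{QUOTEDSTRING:dst_country}
# Zabbix traffic comes in differently
# String to match: 10050
%{NOTSPACE:firewall_name} %{NOTSPACE:UNWANTED} %{NOTSPACE:UNWANTED} msg_id=%{NOTSPACE:msg_id} %{NOTSPACE:action} %{NOTSPACE:inside_interface} %{NOTSPACE:dst_interface} %{NOTSPACE:protocol} %{IPV4:source_ip} %{IPV4:destination_ip} %{BASE10NUM:src_port} %{BASE10NUM:dst_port} app_id=%{QUOTEDSTRING:app_id} app_cat_id=%{QUOTEDSTRING:app_cat_id} geo_dst=%{QUOTEDSTRING:dst_country} duration=%{QUOTEDSTRING:duration} sent_bytes=%{QUOTEDSTRING:sent_bytes} rcvd_bytes=%{QUOTEDSTRING:received_bytes}
# Main extractor
# String to match: app_name
# The unnamed-key capture directly before request_type (%{NOTSPACE:UNWANTED}%{QUOTEDSTRING:request_type},
# no space between them) swallows the "key=" prefix of the quoted value; presumably this is
# the msg= key — confirm against a sample message.
%{NOTSPACE:firewall_name} %{NOTSPACE:UNWANTED} %{NOTSPACE:proxy_name} %{NOTSPACE:msg_id} %{NOTSPACE:action} %{NOTSPACE:inside_interface} %{NOTSPACE:dst_interface} %{NOTSPACE:protocol} %{IPV4:source_ip} %{IPV4:destination_ip} %{BASE10NUM:src_port} %{BASE10NUM:dst_port} %{NOTSPACE:UNWANTED}%{QUOTEDSTRING:request_type} proxy_act=%{QUOTEDSTRING:proxy_act} tls_profile=%{QUOTEDSTRING:tls_profile} tls_version=%{QUOTEDSTRING:tls_version} sni=%{QUOTEDSTRING:sni} cn=%{QUOTEDSTRING:canonical_name} cert_issuer=%{QUOTEDSTRING:cert_issuer} cert_subject=%{QUOTEDSTRING:cert_subject} action=%{QUOTEDSTRING:UNWANTED} app_id=%{QUOTEDSTRING:app_id} app_cat_id=%{QUOTEDSTRING:app_cat_id} app_name=%{QUOTEDSTRING:app_name} app_cat_name=%{QUOTEDSTRING:app_cat_name} sent_bytes=%{QUOTEDSTRING:sent_bytes} rcvd_bytes=%{QUOTEDSTRING:received_bytes} geo_dst=%{QUOTEDSTRING:dst_country}
# HTTP Args extraction
# String to match: arg
# src_ip renamed to source_ip to match the other extractors.
# http_query_args holds the raw URL query string; it can contain session tokens,
# API keys or other credentials passed in the URL, so treat this field as
# sensitive when setting retention and stream permissions.
%{NOTSPACE:firewall_name} %{NOTSPACE:syslog_timestamp} %{NOTSPACE:proxy_name} %{NOTSPACE:msg_id} %{NOTSPACE:action} %{NOTSPACE:inside_interface} %{NOTSPACE:dst_interface} %{NOTSPACE:protocol} %{IPV4:source_ip} %{IPV4:destination_ip} %{BASE10NUM:src_port} %{BASE10NUM:dst_port} msg=%{QUOTEDSTRING:wg_message} proxy_act=%{QUOTEDSTRING:proxy_act} cats=%{QUOTEDSTRING:category} op=%{QUOTEDSTRING:http_method} dstname=%{QUOTEDSTRING:dest_name} arg=%{QUOTEDSTRING:http_query_args} geo_dst=%{QUOTEDSTRING:dst_country}
# cert_issuer extraction
# String to match: cert_issuer
# Same layout as the main extractor minus app_name / app_cat_name; the TLS fields
# (sni, cn, cert_issuer, cert_subject, tls_version) are the ones useful for spotting
# self-signed or unexpected certificates and deprecated protocol versions.
%{NOTSPACE:firewall_name} %{NOTSPACE:syslog_timestamp} %{NOTSPACE:proxy_name} %{NOTSPACE:msg_id} %{NOTSPACE:action} %{NOTSPACE:inside_interface} %{NOTSPACE:dst_interface} %{NOTSPACE:protocol} %{IPV4:source_ip} %{IPV4:destination_ip} %{BASE10NUM:src_port} %{BASE10NUM:dst_port} %{NOTSPACE:UNWANTED}%{QUOTEDSTRING:request_type} proxy_act=%{QUOTEDSTRING:proxy_act} tls_profile=%{QUOTEDSTRING:tls_profile} tls_version=%{QUOTEDSTRING:tls_version} sni=%{QUOTEDSTRING:sni} cn=%{QUOTEDSTRING:canonical_name} cert_issuer=%{QUOTEDSTRING:cert_issuer} cert_subject=%{QUOTEDSTRING:cert_subject} action=%{QUOTEDSTRING:UNWANTED} app_id=%{QUOTEDSTRING:app_id} app_cat_id=%{QUOTEDSTRING:app_cat_id} sent_bytes=%{QUOTEDSTRING:sent_bytes} rcvd_bytes=%{QUOTEDSTRING:received_bytes} geo_dst=%{QUOTEDSTRING:dst_country}
# app_beh_name (what even is that?) extraction
# String to match: app_beh_name
# Fixed: the app_ctl_disp capture had a trailing space inside the field name
# ("app_ctl_disp "), which either fails to compile or produces a field name
# ending in a space that cannot be searched reliably.
%{NOTSPACE:firewall_name} %{NOTSPACE:UNWANTED} %{NOTSPACE:UNWANTED} msg_id=%{NOTSPACE:msg_id} %{NOTSPACE:action} %{NOTSPACE:inside_interface} %{NOTSPACE:dst_interface} %{BASE10NUM:UNWANTED} %{NOTSPACE:protocol} %{BASE10NUM:UNWANTED} %{BASE10NUM:UNWANTED} %{IPV4:source_ip} %{IPV4:destination_ip} %{BASE10NUM:src_port} %{BASE10NUM:dst_port} %{NOTSPACE:UNWANTED} %{BASE10NUM:UNWANTED} %{NOTSPACE:UNWANTED} %{NOTSPACE:UNWANTED} %{NOTSPACE:UNWANTED} %{NOTSPACE:UNWANTED} app_name=%{QUOTEDSTRING:app_name} cat_name=%{QUOTEDSTRING:category} app_beh_name=%{NOTSPACE:app_beh_name} app_id=%{QUOTEDSTRING:app_id} app_cat_id=%{QUOTEDSTRING:app_cat_id} app_ctl_disp=%{QUOTEDSTRING:app_ctl_disp} geo_dst=%{QUOTEDSTRING:dst_country} msg=%{QUOTEDSTRING:wg_message}
# Destination name extraction
# String to match: dstname
%{NOTSPACE:firewall_name} %{NOTSPACE:UNWANTED} %{NOTSPACE:UNWANTED} msg_id=%{NOTSPACE:msg_id} %{NOTSPACE:action} %{NOTSPACE:inside_interface} %{NOTSPACE:dst_interface} %{NOTSPACE:protocol} %{IPV4:source_ip} %{IPV4:destination_ip} %{BASE10NUM:src_port} %{BASE10NUM:dst_port} msg=%{QUOTEDSTRING:wg_message} proxy_act=%{QUOTEDSTRING:proxy_act} service=%{QUOTEDSTRING:service} cats=%{QUOTEDSTRING:category} dstname=%{QUOTEDSTRING:dest_name} geo_dst=%{QUOTEDSTRING:dst_country}
# Reputation extractor
# String to match: reputation
# src_ip renamed to source_ip and rcvd_bytes renamed to received_bytes to match the
# other extractors. http_query_args is the raw URL query string here as well and
# should be handled as sensitive data.
%{NOTSPACE:firewall_name} %{NOTSPACE:syslog_timestamp} %{NOTSPACE:proxy_name} %{NOTSPACE:msg_id} %{NOTSPACE:action} %{NOTSPACE:inside_interface} %{NOTSPACE:dst_interface} %{NOTSPACE:protocol} %{IPV4:source_ip} %{IPV4:destination_ip} %{BASE10NUM:src_port} %{BASE10NUM:dst_port} msg=%{QUOTEDSTRING:wg_message} proxy_act=%{QUOTEDSTRING:proxy_act} op=%{QUOTEDSTRING:http_method} dstname=%{QUOTEDSTRING:dest_name} arg=%{QUOTEDSTRING:http_query_args} sent_bytes=%{QUOTEDSTRING:sent_bytes} rcvd_bytes=%{QUOTEDSTRING:received_bytes} elapsed_time=%{QUOTEDSTRING:elapsed_time} app_id=%{QUOTEDSTRING:app_id} app_cat_id=%{QUOTEDSTRING:app_cat_id} app_name=%{QUOTEDSTRING:app_name} app_cat_name=%{QUOTEDSTRING:app_cat_name} reputation=%{QUOTEDSTRING:reputation} geo_dst=%{QUOTEDSTRING:dst_country}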