clay584 · November 20, 2014 20:34
diff --git a/gistfile1.json b/gistfile1.json
 {
  "_index": "logstash-2014.11.21",
  "_type": "syslog",
  "_id": "NDGHjnB_RF24TbKFdcCfiA",
  "_score": 1.0,
  "_source": {
    "message": "2014-11-20T19:00:07-05:00 10.0.0.34 orl-asa-fp sf: [Primary Detection Engine (6c462a00-43ae-11e4-954c-a4aa6fe94c69)][Presidio Lab - Internet Access Policy] Connection Type: End, User: Unknown, Client: SSL client, Application Protocol: HTTPS, Web App: Unknown, Access Control Rule Name: Malware Lookups | Monitor All, Access Control Rule Action: Allow, Access Control Rule Reasons: Unknown, URL Category: Unknown, URL Reputation: Risk unknown, URL: https://sn-cc-nbox.presidiolab.local, Interface Ingress: outside, Interface Egress: inside, Security Zone Ingress: Outside, Security Zone Egress: Inside, Security Intelligence Matching IP: None, Security Intelligence Category: None, Client Version: (null), Number of File Events: 0, Number of IPS Events: 0, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 8, Responder Packets: 10, Initiator Bytes: 1598, Responder Bytes: 2606, Context: unknown {TCP} 10.254.1.19:50300 -> 10.4.4.15:443",
    "@version": "1",
    "@timestamp": "2014-11-21T00:00:07.000Z",
    "type": "syslog",
    "tags": [
      "netsyslog",
      "grok_ran"
    ],
    "host": "orl-syslog",
    "path": "/var/log/network.log",
    "syslog_datetime": "2014-11-20T19:00:07-05:00",
    "syslog_host": "10.0.0.34",
    "device_host": "orl-asa-fp",
    "device_module": "sf",
    "pri_detection_engine": "6c462a00-43ae-11e4-954c-a4aa6fe94c69",
    "sf_policy": "Presidio Lab - Internet Access Policy",
    "connection_type": "End",
    "user": "Unknown",
    "client": "SSL client",
    "app_protocol": "HTTPS",
    "webapp": "Unknown",
    "acl_rule_name": "Malware Lookups | Monitor All",
    "acl_rule_action": "Allow",
    "acl_rule_reason": "Unknown",
    "url_category": "Unknown",
    "url_reputation": "Risk unknown",
    "url": "https://sn-cc-nbox.presidiolab.local",
    "ingress_interface": "outside",
    "egress_interface": "inside",
    "ingress_sec_zone": "Outside",
    "egress_sec_zone": "Inside",
    "sec_intel_match_ip": "None",
    "sec_intel_category": "None",
    "client_version": "(null)",
    "num_file_events": 0,
    "num_ips_events": 0,
    "tcp_flags": "0x0",
    "netbios_domain": "(null)",
    "initiator_packets": 8,
    "responder_packets": 10,
    "initiator_bytes": 1598,
    "responder_bytes": 2606,
    "context": "unknown",
    "protocol": "TCP",
    "source_ip": "10.254.1.19",
    "source_port": "50300",
    "dest_ip": "10.4.4.15",
    "dest_port": "443",
    "test_datetime": "2014-11-20T19:00:07-05:00"
  }
 }
	{
	"_index": "logstash-2014.11.21",
	"_type": "syslog",
	"_id": "NDGHjnB_RF24TbKFdcCfiA",
	"_score": 1.0,
	"_source": {
	"message": "2014-11-20T19:00:07-05:00 10.0.0.34 orl-asa-fp sf: [Primary Detection Engine (6c462a00-43ae-11e4-954c-a4aa6fe94c69)][Presidio Lab - Internet Access Policy] Connection Type: End, User: Unknown, Client: SSL client, Application Protocol: HTTPS, Web App: Unknown, Access Control Rule Name: Malware Lookups \| Monitor All, Access Control Rule Action: Allow, Access Control Rule Reasons: Unknown, URL Category: Unknown, URL Reputation: Risk unknown, URL: https://sn-cc-nbox.presidiolab.local, Interface Ingress: outside, Interface Egress: inside, Security Zone Ingress: Outside, Security Zone Egress: Inside, Security Intelligence Matching IP: None, Security Intelligence Category: None, Client Version: (null), Number of File Events: 0, Number of IPS Events: 0, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 8, Responder Packets: 10, Initiator Bytes: 1598, Responder Bytes: 2606, Context: unknown {TCP} 10.254.1.19:50300 -> 10.4.4.15:443",
	"@version": "1",
	"@timestamp": "2014-11-21T00:00:07.000Z",
	"type": "syslog",
	"tags": [
	"netsyslog",
	"grok_ran"
	],
	"host": "orl-syslog",
	"path": "/var/log/network.log",
	"syslog_datetime": "2014-11-20T19:00:07-05:00",
	"syslog_host": "10.0.0.34",
	"device_host": "orl-asa-fp",
	"device_module": "sf",
	"pri_detection_engine": "6c462a00-43ae-11e4-954c-a4aa6fe94c69",
	"sf_policy": "Presidio Lab - Internet Access Policy",
	"connection_type": "End",
	"user": "Unknown",
	"client": "SSL client",
	"app_protocol": "HTTPS",
	"webapp": "Unknown",
	"acl_rule_name": "Malware Lookups \| Monitor All",
	"acl_rule_action": "Allow",
	"acl_rule_reason": "Unknown",
	"url_category": "Unknown",
	"url_reputation": "Risk unknown",
	"url": "https://sn-cc-nbox.presidiolab.local",
	"ingress_interface": "outside",
	"egress_interface": "inside",
	"ingress_sec_zone": "Outside",
	"egress_sec_zone": "Inside",
	"sec_intel_match_ip": "None",
	"sec_intel_category": "None",
	"client_version": "(null)",
	"num_file_events": 0,
	"num_ips_events": 0,
	"tcp_flags": "0x0",
	"netbios_domain": "(null)",
	"initiator_packets": 8,
	"responder_packets": 10,
	"initiator_bytes": 1598,
	"responder_bytes": 2606,
	"context": "unknown",
	"protocol": "TCP",
	"source_ip": "10.254.1.19",
	"source_port": "50300",
	"dest_ip": "10.4.4.15",
	"dest_port": "443",
	"test_datetime": "2014-11-20T19:00:07-05:00"
	}
	}
No results found