Manual OSSIM GROK log parsing (legacy)
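######## ALIENVAULT OSSIM Logs ########################################
# Parses the XML-like <entry ... /> line that OSSIM emits per event into
# named fields.  Only events the input stage typed "ossim-events" get here.
if [type] == "ossim-events" {
  grok {
    # Supplies the FDATE pattern, which is not part of logstash-patterns-core
    # and therefore must come from a file in this directory.
    # NOTE(review): this path is inside the vendored gem bundle and is
    # replaced on every Logstash / plugin upgrade, taking the custom pattern
    # file with it.  Keep the patterns under a path you control (e.g. an
    # /etc/logstash/patterns directory) and point patterns_dir there.
    patterns_dir => "/elk/logstash-1.5.1/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.1.10/patterns"

    # All four entry layouts live in ONE match setting as an ordered list.
    # Repeating `match =>` inside the same grok block is not a list of
    # alternatives: depending on the Logstash version only one value
    # survives or the config is rejected, so layouts given that way are
    # silently never tried.  grok stops at the first pattern that matches
    # (break_on_match defaults to true), so most specific comes first:
    #   1. username + idm_host_src + idm_host_dst (+ both MACs)
    #   2. username + idm_host_src / idm_mac_src only
    #   3. username + idm_host_dst / idm_mac_dst only
    #   4. no username, idm_host_src + idm_host_dst (+ both MACs)
    # An event matching none of them is tagged _grokparsefailure; watch that
    # tag, it is the only signal that a layout change has broken parsing.
    # NOTE(review): every pattern reads `userdata1=%{GREEDYDATA:userdata}'`
    # with no opening quote.  Confirm against a real event — if OSSIM writes
    # userdata1='...' none of these patterns can match.
    # NOTE(review): the long run of %{GREEDYDATA} captures for quoted
    # attributes (data, ctx, src_host, ...) backtracks heavily on lines that
    # do not match, which stalls the pipeline, and a stray quote inside the
    # log-supplied data attribute shifts every later field.  A custom
    # pattern of the form `QUOTED_ATTR [^']*` kept in patterns_dir is both
    # cheaper and stops at the closing quote.
    match => {
      "message" => [
        "<entry id='%{INT:entry_id}' v='%{INT:v}' fdate='%{FDATE:fdate}' date='%{NUMBER:unix_timestamp}' plugin_id='%{NUMBER:plugin_id}' sensor='%{IP:sensor}' src_ip='%{IP:src_ip}' dst_ip='%{IP:dst_ip}' src_port='%{NUMBER:src_port}' dst_port='%{NUMBER:dst_port}' tzone='%{NUMBER:tzone}' datalen='%{NUMBER:datalen}' data='%{GREEDYDATA:data}' plugin_sid='%{NUMBER:plugin_sid}' proto='%{NUMBER:proto}' ctx='%{GREEDYDATA:ctx}' src_host='%{GREEDYDATA:src_host}' dst_host='%{GREEDYDATA:dst_host}' src_net='%{GREEDYDATA:src_net}' dst_net='%{GREEDYDATA:dst_net}' username='%{GREEDYDATA:username}' userdata1=%{GREEDYDATA:userdata}' idm_host_src='%{GREEDYDATA:idm_host_src}' idm_host_dst='%{GREEDYDATA:idm_host_dst}' idm_mac_src='%{MAC:idm_mac_src}' idm_mac_dst='%{MAC:idm_mac_dst}' device='%{IP:device}'/>",
        "<entry id='%{INT:entry_id}' v='%{INT:v}' fdate='%{FDATE:fdate}' date='%{NUMBER:unix_timestamp}' plugin_id='%{NUMBER:plugin_id}' sensor='%{IP:sensor}' src_ip='%{IP:src_ip}' dst_ip='%{IP:dst_ip}' src_port='%{NUMBER:src_port}' dst_port='%{NUMBER:dst_port}' tzone='%{NUMBER:tzone}' datalen='%{NUMBER:datalen}' data='%{GREEDYDATA:data}' plugin_sid='%{NUMBER:plugin_sid}' proto='%{NUMBER:proto}' ctx='%{GREEDYDATA:ctx}' src_host='%{GREEDYDATA:src_host}' dst_host='%{GREEDYDATA:dst_host}' src_net='%{GREEDYDATA:src_net}' dst_net='%{GREEDYDATA:dst_net}' username='%{GREEDYDATA:username}' userdata1=%{GREEDYDATA:userdata}' idm_host_src='%{GREEDYDATA:idm_host_src}' idm_mac_src='%{MAC:idm_mac_src}' device='%{IP:device}'/>",
        "<entry id='%{INT:entry_id}' v='%{INT:v}' fdate='%{FDATE:fdate}' date='%{NUMBER:unix_timestamp}' plugin_id='%{NUMBER:plugin_id}' sensor='%{IP:sensor}' src_ip='%{IP:src_ip}' dst_ip='%{IP:dst_ip}' src_port='%{NUMBER:src_port}' dst_port='%{NUMBER:dst_port}' tzone='%{NUMBER:tzone}' datalen='%{NUMBER:datalen}' data='%{GREEDYDATA:data}' plugin_sid='%{NUMBER:plugin_sid}' proto='%{NUMBER:proto}' ctx='%{GREEDYDATA:ctx}' src_host='%{GREEDYDATA:src_host}' dst_host='%{GREEDYDATA:dst_host}' src_net='%{GREEDYDATA:src_net}' dst_net='%{GREEDYDATA:dst_net}' username='%{GREEDYDATA:username}' userdata1=%{GREEDYDATA:userdata}' idm_host_dst='%{GREEDYDATA:idm_host_dst}' idm_mac_dst='%{MAC:idm_mac_dst}' device='%{IP:device}'/>",
        "<entry id='%{INT:entry_id}' v='%{INT:v}' fdate='%{FDATE:fdate}' date='%{NUMBER:unix_timestamp}' plugin_id='%{NUMBER:plugin_id}' sensor='%{IP:sensor}' src_ip='%{IP:src_ip}' dst_ip='%{IP:dst_ip}' src_port='%{NUMBER:src_port}' dst_port='%{NUMBER:dst_port}' tzone='%{NUMBER:tzone}' datalen='%{NUMBER:datalen}' data='%{GREEDYDATA:data}' plugin_sid='%{NUMBER:plugin_sid}' proto='%{NUMBER:proto}' ctx='%{GREEDYDATA:ctx}' src_host='%{GREEDYDATA:src_host}' dst_host='%{GREEDYDATA:dst_host}' src_net='%{GREEDYDATA:src_net}' dst_net='%{GREEDYDATA:dst_net}' userdata1=%{GREEDYDATA:userdata}' idm_host_src='%{GREEDYDATA:idm_host_src}' idm_host_dst='%{GREEDYDATA:idm_host_dst}' idm_mac_src='%{MAC:idm_mac_src}' idm_mac_dst='%{MAC:idm_mac_dst}' device='%{IP:device}'/>"
      ]
    }
  }
}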