iptables Grok Pattern

iptables.grok

# GROK Custom Patterns (add to patterns directory and reference in GROK filter for iptables events):
# GROK Patterns for iptables Logging Format
#
# Created 6 Aug 2016 by Brian Turek <[email protected]>
# Most of this was taken from another source but now I cannot find it for credit
#
# Usage: Use the IPTABLES pattern

NETFILTERMAC %{MAC:dest_mac}:%{MAC:src_mac}:%{ETHTYPE:ethtype}
ETHTYPE (?:(?:[A-Fa-f0-9]{2}):(?:[A-Fa-f0-9]{2}))

IPTABLES_ETHERNET IN=%{DATA:iface}? OUT=%{DATA:oface}? MAC=%{NETFILTERMAC}?

IPTABLES_PORT_PAIR SPT=%{INT:src_port} DPT=%{INT:dest_port}

IPTABLES_TCP_FLAGS ((?<= )(CWR|ECE|URG|ACK|PSH|RST|SYN|FIN))*
IPTABLES_TCP_SEQ SEQ=%{INT:sequence_number} ACK=%{INT:ack_number}
IPTABLES_TCP_DETAILS (?:%{IPTABLES_TCP_SEQ} )?WINDOW=%{INT:tcp_window} RES=%{BASE16NUM:res} %{IPTABLES_TCP_FLAGS:tcp_flags}
IPTABLES_INCOMPLETE_PACKET INCOMPLETE \[%{INT:incomplete} bytes\]

IPTABLES_UDP_DETAILS LEN=%{INT:data_length}

IPTABLES_ICMP_EXTRA_ECHO ID=%{INT:icmp_echo_id} SEQ=%{INT:icmp_echo_sequence}
IPTABLES_ICMP_EXTRA_PARAM PARAMETER=%{INT:icmp_parameter}
IPTABLES_ICMP_EXTRA_REDIRECT GATEWAY=%{IP:icmp_redirect}
IPTABLES_ICMP_EXTRA ( (?:%{IPTABLES_ICMP_EXTRA_ECHO}|%{IPTABLES_ICMP_EXTRA_PARAM}|%{IPTABLES_ICMP_EXTRA_REDIRECT}))*
IPTABLES_ICMP_DETAILS TYPE=%{INT:icmp_type} CODE=%{INT:icmp_code}(( %{IPTABLES_INCOMPLETE_PACKET})|%{IPTABLES_ICMP_EXTRA})
IPTABLES_ICMP_NESTED \[%{IPTABLES_IP_START}%{IPTABLES_IP_STDPROTOCOLS}\s*\]

IPTABLES_PROTOCOL PROTO=%{WORD:proto}

IPTABLES_IP_PAYLOAD %{IPTABLES_PROTOCOL}( %{IPTABLES_PORT_PAIR})?( (%{IPTABLES_TCP_DETAILS}|%{IPTABLES_UDP_DETAILS}|%{IPTABLES_ICMP_DETAILS}|%{IPTABLES_INCOMPLETE_PACKET}))?

IPTABLES_IP_FRAGFLAG ((?<= )(CE|DF|MF))*
IPTABLES_IP_START SRC=%{IP:src_ip} DST=%{IP:dest_ip} LEN=%{INT:length} TOS=%{BASE16NUM:tos} PREC=%{BASE16NUM:prec} TTL=%{INT:ttl} ID=%{INT:id}(?: %{IPTABLES_IP_FRAGFLAG:flags})?(?: FRAG: %{INT:fragment})?
IPTABLES_IP %{IPTABLES_IP_START} %{IPTABLES_IP_PAYLOAD}

IPTABLES %{IPTABLES_ETHERNET} %{IPTABLES_IP}