@msterhuj
Last active November 8, 2024 14:16
Grok pattern for MikroTik firewall-topic syslog messages

First, add a log prefix to the firewall filter rule whose hits you want to parse:

    /ip firewall filter add chain=forward action=drop log=yes log-prefix="DROP"

Then create an ingest pipeline that applies this grok pattern to the message field:

    %{WORD:firewall.network.action} %{WORD:firewall.network.chain}: in:%{DATA:firewall.network.in_interface} out:%{DATA:firewall.network.out_interface}, connection-state:%{DATA:firewall.network.connection_state} src-mac %{MAC:firewall.source.mac}, proto %{DATA:firewall.network.protocol}, %{IPV4:firewall.source.ip}(?::%{NUMBER:firewall.source.port})?->%{IPV4:firewall.destination.ip}(?::%{NUMBER:firewall.destination.port})?, len %{NUMBER:firewall.network.bytes}

Example input

    DROP input: in:interface_name_in out:interface_name_out, connection-state:new src-mac 00:00:00:00:00:00, proto UDP, 10.0.0.0:123->10.0.0.0:123, len 123

Example output

    {
      "firewall": {
        "destination": {
          "port": "123",
          "ip": "10.0.0.0"
        },
        "source": {
          "port": "123",
          "ip": "10.0.0.0",
          "mac": "00:00:00:00:00:00"
        },
        "network": {
          "chain": "input",
          "protocol": "UDP",
          "bytes": "123",
          "in_interface": "interface_name_in",
          "action": "DROP",
          "connection_state": "new",
          "out_interface": "interface_name_out"
        }
      }
    }