FrankSpierings/_etc_filebeat_filebeat.yml

## _etc_filebeat_filebeat.yml
### Add this specific input

- input_type: log
  paths:
    - /var/log/ufw.log
  tags: ["iptables"]

## _etc_logstash_conf.d_40-ufw.conf
filter {
  if ("iptables" in [tags]) {
    grok {
	break_on_match => true
	patterns_dir => "/etc/logstash/patterns/ufw"
        match => { "message" => "%{IPTABLES}" }
         }
  }
}

## _etc_logstash_patterns_ufw
IN IN=(?<nf_in>.*?)
OUT OUT=(?<nf_out>.*?)
SRC SRC=(?<nf_src>.*?)
DST DST=(?<nf_dst>.*?)
SPT SPT=(?<nf_spt>.*?)
DPT DPT=(?<nf_dpt>.*?)
MAC MAC=(?<nf_mac>.*?)
PROTO PROTO=(?<nf_proto>TCP|UDP|ICMP|[0-9]+)

HEADER (%{SYSLOGTIMESTAMP:nf_timestamp})\s*(%{HOSTNAME:nf_host})\skernel: \[%{INT}\.%{INT}\]
NFCOMMENT (?<nf_comment>.*)

IPTABLES_TCPUDP %{HEADER} %{NFCOMMENT}%{IN}\s%{OUT}\s%{SRC}\s%{DST}\s.*?%{PROTO}\s.*?%{SPT}.?%{DPT}\s.*?$
IPTABLES_OTHER %{HEADER} %{NFCOMMENT}%{IN}\s%{OUT}\s.*?%{SRC}%{DST}\s.*?%{PROTO}\s
IPTABLES (?:%{IPTABLES_TCPUDP}|%{IPTABLES_OTHER})
	### Add this specific input

	- input_type: log
	paths:
	- /var/log/ufw.log
	tags: ["iptables"]
	filter {
	if ("iptables" in [tags]) {
	grok {
	break_on_match => true
	patterns_dir => "/etc/logstash/patterns/ufw"
	match => { "message" => "%{IPTABLES}" }
	}
	}
	}
	IN IN=(?<nf_in>.*?)
	OUT OUT=(?<nf_out>.*?)
	SRC SRC=(?<nf_src>.*?)
	DST DST=(?<nf_dst>.*?)
	SPT SPT=(?<nf_spt>.*?)
	DPT DPT=(?<nf_dpt>.*?)
	MAC MAC=(?<nf_mac>.*?)
	PROTO PROTO=(?<nf_proto>TCP\|UDP\|ICMP\|[0-9]+)

	HEADER (%{SYSLOGTIMESTAMP:nf_timestamp})\s*(%{HOSTNAME:nf_host})\skernel: \[%{INT}\.%{INT}\]
	NFCOMMENT (?<nf_comment>.*)

	IPTABLES_TCPUDP %{HEADER} %{NFCOMMENT}%{IN}\s%{OUT}\s%{SRC}\s%{DST}\s.?%{PROTO}\s.?%{SPT}.?%{DPT}\s.*?$
	IPTABLES_OTHER %{HEADER} %{NFCOMMENT}%{IN}\s%{OUT}\s.?%{SRC}%{DST}\s.?%{PROTO}\s
	IPTABLES (?:%{IPTABLES_TCPUDP}\|%{IPTABLES_OTHER})