Pipeline definition
# syslog | |
input {
  # Plain syslog on UDP and TCP port 10000.  Both listeners carry the same
  # type, so the filter section handles them with a single [type] check.
  udp {
    port => 10000
    type => "syslog_udp_10000"
    id   => "udp_10000"
  }
  tcp {
    port => 10000
    type => "syslog_udp_10000"
    id   => "tcp_10000"
  }
  # NOTE(review): no host is configured, so both plugins bind their default
  # 0.0.0.0; on a multi-homed collector pin host to the interface that faces
  # the network devices.  The TCP listener is plaintext (ssl_enable is not
  # set), which classic syslog senders expect, but the transport then offers
  # no authentication of the sending device -- source IP is all you have.
}
filter { | |
if [type] == "syslog_udp_10000" { | |
# unwanted stuff out: discard noise sources before any parsing happens.
# NOTE(review): "in [message]" is a substring test on the whole raw line, not
# on the sending host, so an unrelated event that merely mentions e.g.
# "gateway-1" is dropped as well and never reaches the index.  Keep this
# list short and review it when adding sources.
if "mx01" in [message] or "gateway-1" in [message] or "gateway-2" in [message] or "InterMapper" in [message] {
  drop { }
}
# end unwanted stuff
# Parse the syslog header and produce log_message:
# The grok patterns are tried top to bottom and the first match wins, so the
# vendor-specific entries must stay above the generic "ICX 2" and "Catchall"
# entries at the bottom.  Every pattern requires the "<PRI>" prefix, so a line
# without it matches nothing and only carries grok's default
# _grokparsefailure tag.
# NOTE(review): the input is untrusted and several patterns (the VDX ones
# especially) chain many optional %{DATA}/%{GREEDYDATA} groups, which can
# backtrack heavily on a malformed line; setting grok's timeout_millis
# explicitly bounds the time spent per event.
if [message] { | |
grok { | |
match => [ | |
# VDX (AUDIT record: a chain of "[name@id value=... desc=...]" pairs)
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} %{DATA:daemon}: \[log\@%{INT} value=\"AUDIT\"\]\[timestamp\@%{INT} value=\"%{DATA:log_timestamp}\"\]\[tz\@%{INT} value=\"%{DATA:log_timezone}\"\]\[msgid\@%{INT} value=\"%{DATA:log_facility}-%{DATA:log_mnemonic}\"\]\[severity\@%{INT} value=\"%{DATA:log_severity}\"( desc=\"%{DATA:severity_desc}\")?\]\[class\@%{INT} value=\"%{DATA:log_class}\"\]\[user\@%{INT} value=\"%{DATA:username}\"( desc=\"%{DATA:user_desc}\")?\]\[role\@%{INT} value=\"%{DATA:role}\"( desc=\"%{DATA:role_desc}\")?\]\[ip\@%{INT} value=\"%{DATA:src_ip}\"( desc=\"%{DATA:ip_desc}\")?\]\[interface\@%{INT} value=\"%{DATA:connection}\"( desc=\"%{DATA:desc}\")?\]\[application\@%{INT} value=\"%{DATA:application}\"( desc=\"%{DATA:application_desc}\")?\]\[swname\@%{INT} value=\"%{DATA:swname}\"( desc=\"%{DATA:swname_desc}\")?\](\[arg0\@%{INT} value=\"%{DATA:arg0_val}\"( desc=\"%{DATA:arg0_desc}\")?\])?(\[arg1\@%{INT} value=\"%{DATA:arg1_val}\"( desc=\"%{DATA:arg1_desc}\")?\])?(\[arg2\@%{INT} value=\"%{DATA:arg2_val}\"( desc=\"%{DATA:arg2_desc}\")?\])?(\[arg3\@%{INT} value=\"%{DATA:arg3_val}\"( desc=\"%{DATA:arg3_desc}\")?\])?(\[arg4\@%{INT} value=\"%{DATA:arg4_val}\"( desc=\"%{DATA:arg4_desc}\")?\])?(\[arg5\@%{INT} value=\"%{DATA:arg5_val}\"( desc=\"%{DATA:arg5_desc}\")?\])? %{GREEDYDATA:log_message}", | |
# VDX (RASLOG record)
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} %{DATA:daemon}: \[log\@%{INT} value=\"RASLOG\"]\[timestamp\@%{INT} value=\"%{DATA:log_timestamp}\"\]\[msgid\@%{INT} value=\"%{DATA:log_facility}-%{DATA:log_mnemonic}\"\]\[seqnum\@%{INT} value=\"%{DATA:seqnum}\"( desc=\"%{DATA:seqnum_desc}\")?\]\[attr\@%{INT} value=\"%{DATA:wwn}\"( desc=\"%{DATA:wwn_desc}\")?\]\[severity\@%{INT} value=\"%{DATA:log_severity}\"( desc=\"%{DATA:severity_desc}\")?\]\[swname\@%{INT} value=\"%{DATA:swname}\"( desc=\"%{DATA:swname_desc}\")?\](\[arg0\@%{INT} value=\"%{DATA:arg0_val}\"( desc=\"%{DATA:arg0_desc}\")?\])?(\[arg1\@%{INT} value=\"%{DATA:arg1_val}\"( desc=\"%{DATA:arg1_desc}\")?\])?(\[arg2\@%{INT} value=\"%{DATA:arg2_val}\"( desc=\"%{DATA:arg2_desc}\")?\])?(\[arg3\@%{INT} value=\"%{DATA:arg3_val}\"( desc=\"%{DATA:arg3_desc}\")?\])?(\[arg4\@%{INT} value=\"%{DATA:arg4_val}\"( desc=\"%{DATA:arg4_desc}\")?\])?(\[arg5\@%{INT} value=\"%{DATA:arg5_val}\"( desc=\"%{DATA:arg5_desc}\")?\])? %{GREEDYDATA:log_message}", | |
# N7K (year + month/day + time.millis, then %FACILITY-SEV-MNEMONIC)
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} (%{HOSTNAME:log_hostname}: )%{YEAR:year} %{MONTH:month} +%{MONTHDAY:day} %{TIME:time}.(?<millisec>[0-9]{3})( (?<timezone>[A-Z]{0,6}))?: +%%{DATA:log_facility}-%{DATA:log_severity}-%{DATA:log_mnemonic}: +%{GREEDYDATA:log_message}", | |
# N7K ("last message repeated N time" -- no log_message is produced here)
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} (%{HOSTNAME:log_hostname}: )%{YEAR:year} %{MONTH:month} +%{MONTHDAY:day} %{TIME:time}.(?<millisec>[0-9]{3})( (?<timezone>[A-Z]{0,6}))?: +last message repeated %{INT:message_repeat} time", | |
# cisco (IOS: optional sequence number, mandatory hostname, optional NTP-sync marker)
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} (%{INT:seq_num}: )?(%{HOSTNAME:log_hostname}: )(?<NTP-Error>\.|\*)?%{MONTH:month} +%{MONTHDAY:day} %{TIME:time}.(?<millisec>[0-9]{3})( (?<timezone>[A-Z]{0,6}))?: +%%{DATA:log_facility}-%{DATA:log_severity}-%{DATA:log_mnemonic}: +%{GREEDYDATA:log_message}", | |
# ASA (older variant kept disabled; the active one uses SYSLOGTIMESTAMP)
#"message", "<%{INT:syslog_pri}>%{DATA:syslog_month} +%{INT:syslog_day} %{TIME:syslog_time} %{IPORHOST:sysloghost} : %%{WORD:ASA}-%{WORD:log_severity}-%{WORD:ASA-MessageID}: %{GREEDYDATA:log_message}", | |
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} : %%{WORD:ASA}-%{WORD:log_severity}-%{WORD:ASA-MessageID}: %{GREEDYDATA:log_message}", | |
# cisco (no timezone field, hostname optional)
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} (%{INT:seq_num}: )?(%{HOSTNAME:log_hostname}: )?(?<NTP-Error>\.|\*)?%{MONTH:month} +%{MONTHDAY:day} %{TIME:time}.(?<millisec>[0-9]{3}): %%{DATA:log_facility}-%{DATA:log_severity}-%{DATA:log_mnemonic}: %{GREEDYDATA:log_message}", | |
# cisco (second sequence number after the hostname)
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} (%{INT:seq_num}: )?(%{HOSTNAME:log_hostname}: )(%{INT:seq_num2}: )?(?<NTP-Error>\.|\*)?%{MONTH:month} +%{MONTHDAY:day} %{TIME:time}.(?<millisec>[0-9]{3})( (?<timezone>[A-Z]{0,6}))?: +%%{DATA:log_facility}-%{DATA:log_severity}-%{DATA:log_mnemonic}: +%{GREEDYDATA:log_message}", | |
# cisco (daemon-style "name (level): text" body instead of %FACILITY-SEV-MNEMONIC)
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} (%{INT:seq_num}: )?(%{HOSTNAME:log_hostname}: )(%{INT:seq_num2}: )?(?<NTP-Error>\.|\*)?%{MONTH:month} +%{MONTHDAY:day} %{TIME:time}.(?<millisec>[0-9]{3})( (?<timezone>[A-Z]{0,6}))?: %{GREEDYDATA:cisco_daemon} \(%{DATA:cisco_daemon_level}\): +%{GREEDYDATA:log_message}", | |
# cisco (fallback: timestamped line without a facility tag)
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} (%{INT:seq_num}: )?(%{HOSTNAME:log_hostname}: )(?<NTP-Error>\.|\*)?%{MONTH:month} +%{MONTHDAY:day} %{TIME:time}.(?<millisec>[0-9]{3})( (?<timezone>[A-Z]{0,6}))?: +%{GREEDYDATA:log_message}", | |
# WLC | |
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} %{HOSTNAME:log_hostname}: \*%{DATA:wlc_message_id}: %{MONTH:month} +%{MONTHDAY:day} %{TIME:time}.(?<millisec>[0-9]{3}): %%{DATA:log_facility}-%{DATA:log_severity}-%{DATA:log_mnemonic}: %{GREEDYDATA:log_message}", | |
# HP switches
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} %{INT:seq_num} %{DATA:daemon}: +%{GREEDYDATA:log_message}", | |
# loadbalancer | |
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} %{DATA:log_severity} %{DATA:daemon}\[%{INT:session_id}\]: \[%{DATA:daemon_log_level}\] %{GREEDYDATA:log_message}", | |
# loadbalancer | |
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} %{DATA:log_severity} %{DATA:daemon}\[%{INT:session_id}\]: \(%{DATA:lb_user}\) %{GREEDYDATA:log_message}", | |
# loadbalancer | |
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} %{DATA:log_severity} %{DATA:daemon}: \[%{DATA:process}\] %{GREEDYDATA:log_message}", | |
# loadbalancer (relayed: the relay's IP lands in sysloghost_ip, the origin in sysloghost)
"message", "<%{INT:syslog_pri}>%{DATA:month} +%{DATA:day} +%{DATA:time} %{IPORHOST:sysloghost_ip} %{DATA:time1} %{DATA:timezone} %{IPORHOST:sysloghost} %{DATA:daemon} : %{DATA:daemon2} : +%{GREEDYDATA:log_message}", | |
# The ICX patterns are almost catch-alls, which is why they sit at the end.
# ICX 1 | |
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} %{YEAR:year} %{MONTH:month} +%{MONTHDAY:day} %{TIME:time} %{HOSTNAME:log_hostname} %{DATA:daemon}: %{GREEDYDATA:log_message}", | |
# Arista | |
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} %{DATA:daemon}: +%%{DATA:log_facility}-%{DATA:log_severity}-%{DATA:log_mnemonic}: %{GREEDYDATA:log_message}", | |
# ICX 2 | |
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} %{DATA:daemon}: %{GREEDYDATA:log_message}", | |
# Catchall: anything with a "<PRI>timestamp host " header still gets a log_message
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} %{GREEDYDATA:log_message}" | |
] | |
} # grok | |
} # if [message] | |
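#
# If sysloghost is <ip-redacted>, the sender is the xxx of xxx: force its
# hostname.  mutate/replace sets [log_hostname] whether or not the header
# pattern already captured one.  The original add_field would have appended
# a second value when the field existed, turning it into an array that
# downstream consumers (and the regex check that follows) do not expect.
if [sysloghost] == "xx.xx.xx.xx" {
  mutate {
    replace => { "log_hostname" => "xxx" }
  }
} # END sysloghost xx.xx.xx.xx is the xxx of xxx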
#
# If [log_hostname] exists and does not start with four digits, use it as
# the sysloghost (the header may only have carried an IP).
# NOTE(review): the original comment describes this as "not an IP", but the
# regex tests for four leading digits, which an IPv4 address never has; it
# looks aimed at a year or sequence number captured as a hostname -- confirm
# the intent before relying on it.
if [log_hostname] and [log_hostname] !~ /^[0-9]{4}/ {
  mutate {
    replace => { "sysloghost" => "%{log_hostname}" }
  }
} # end replace sysloghost
# | |
# Extract the customer code
if [sysloghost] { | |
# The first three characters of sysloghost (possibly already replaced by
# log_hostname above) become [customer].
# NOTE(review): if sysloghost is still an IP address the prefix is something
# like "10." -- confirm every source is resolved to a hostname first.
grok { | |
match => [ | |
"sysloghost", "(?<customer>^.{3})" | |
] | |
} | |
# Map the prefixes of internal systems to a single customer code (the
# dictionary is redacted in this gist).  override => true rewrites
# [customer] in place; a prefix not in the table is left as captured.
translate { | |
dictionary => [ | |
"xxx", "xxx", | |
"xxx", "xxx", | |
"xxx", "xxx", | |
"xxx", "xxx", | |
"xxx", "xxx", | |
"xxx", "xxx", | |
"xxx", "xxx", | |
"xxx", "xxx", | |
"xxx", "xxx", | |
"xxx", "xxx", | |
"xxx", "xxx", | |
"xxx", "xxx", | |
"xxx", "xxx", | |
"xxx", "xxx", | |
"xxx", "xxx", | |
"xxx", "xxx", | |
"xxx", "xxx", | |
"xxx", "xxx", | |
"xxx", "xxx", | |
"xxx", "xxx", | |
"xxx", "xxx", | |
"xxx", "xxx", | |
"xxx", "xxx" | |
] | |
field => "customer" | |
destination => "customer" | |
override => true | |
} # end customer translate
# Normalise the code so lookups downstream are case-insensitive.
mutate { | |
lowercase => [ "customer" ] | |
} | |
} # end customer extraction
# Derive a human-readable severity from the syslog PRI value.
# PRI = facility * 8 + severity, so the keys are grouped by PRI mod 8:
# 0,8,...,184 -> Emergency, 1,9,...,185 -> Alert, ..., 7,15,...,191 -> Debug.
# The table enumerates every PRI from 0 to 191 (24 facilities x 8 severities).
# override => true: an existing [severity] is overwritten.
# NOTE(review): a syslog_pri outside this table leaves [severity] unset;
# such events should stay visible in dashboards rather than silently lack a
# severity.  The stock syslog_pri filter derives the same value
# arithmetically but writes syslog_severity, so swapping it in would change
# the output field name.
if [syslog_pri] { | |
translate { | |
dictionary => [ | |
"0", "Emergency", | |
"8", "Emergency", | |
"16", "Emergency", | |
"24", "Emergency", | |
"32", "Emergency", | |
"40", "Emergency", | |
"48", "Emergency", | |
"56", "Emergency", | |
"64", "Emergency", | |
"72", "Emergency", | |
"80", "Emergency", | |
"88", "Emergency", | |
"96", "Emergency", | |
"104", "Emergency", | |
"112", "Emergency", | |
"120", "Emergency", | |
"128", "Emergency", | |
"136", "Emergency", | |
"144", "Emergency", | |
"152", "Emergency", | |
"160", "Emergency", | |
"168", "Emergency", | |
"176", "Emergency", | |
"184", "Emergency", | |
"1", "Alert", | |
"9", "Alert", | |
"17", "Alert", | |
"25", "Alert", | |
"33", "Alert", | |
"41", "Alert", | |
"49", "Alert", | |
"57", "Alert", | |
"65", "Alert", | |
"73", "Alert", | |
"81", "Alert", | |
"89", "Alert", | |
"97", "Alert", | |
"105", "Alert", | |
"113", "Alert", | |
"121", "Alert", | |
"129", "Alert", | |
"137", "Alert", | |
"145", "Alert", | |
"153", "Alert", | |
"161", "Alert", | |
"169", "Alert", | |
"177", "Alert", | |
"185", "Alert", | |
"2", "Critical", | |
"10", "Critical", | |
"18", "Critical", | |
"26", "Critical", | |
"34", "Critical", | |
"42", "Critical", | |
"50", "Critical", | |
"58", "Critical", | |
"66", "Critical", | |
"74", "Critical", | |
"82", "Critical", | |
"90", "Critical", | |
"98", "Critical", | |
"106", "Critical", | |
"114", "Critical", | |
"122", "Critical", | |
"130", "Critical", | |
"138", "Critical", | |
"146", "Critical", | |
"154", "Critical", | |
"162", "Critical", | |
"170", "Critical", | |
"178", "Critical", | |
"186", "Critical", | |
"3", "Error", | |
"11", "Error", | |
"19", "Error", | |
"27", "Error", | |
"35", "Error", | |
"43", "Error", | |
"51", "Error", | |
"59", "Error", | |
"67", "Error", | |
"75", "Error", | |
"83", "Error", | |
"91", "Error", | |
"99", "Error", | |
"107", "Error", | |
"115", "Error", | |
"123", "Error", | |
"131", "Error", | |
"139", "Error", | |
"147", "Error", | |
"155", "Error", | |
"163", "Error", | |
"171", "Error", | |
"179", "Error", | |
"187", "Error", | |
"4", "Warning", | |
"12", "Warning", | |
"20", "Warning", | |
"28", "Warning", | |
"36", "Warning", | |
"44", "Warning", | |
"52", "Warning", | |
"60", "Warning", | |
"68", "Warning", | |
"76", "Warning", | |
"84", "Warning", | |
"92", "Warning", | |
"100", "Warning", | |
"108", "Warning", | |
"116", "Warning", | |
"124", "Warning", | |
"132", "Warning", | |
"140", "Warning", | |
"148", "Warning", | |
"156", "Warning", | |
"164", "Warning", | |
"172", "Warning", | |
"180", "Warning", | |
"188", "Warning", | |
"5", "Notice", | |
"13", "Notice", | |
"21", "Notice", | |
"29", "Notice", | |
"37", "Notice", | |
"45", "Notice", | |
"53", "Notice", | |
"61", "Notice", | |
"69", "Notice", | |
"77", "Notice", | |
"85", "Notice", | |
"93", "Notice", | |
"101", "Notice", | |
"109", "Notice", | |
"117", "Notice", | |
"125", "Notice", | |
"133", "Notice", | |
"141", "Notice", | |
"149", "Notice", | |
"157", "Notice", | |
"165", "Notice", | |
"173", "Notice", | |
"181", "Notice", | |
"189", "Notice", | |
"6", "Info", | |
"14", "Info", | |
"22", "Info", | |
"30", "Info", | |
"38", "Info", | |
"46", "Info", | |
"54", "Info", | |
"62", "Info", | |
"70", "Info", | |
"78", "Info", | |
"86", "Info", | |
"94", "Info", | |
"102", "Info", | |
"110", "Info", | |
"118", "Info", | |
"126", "Info", | |
"134", "Info", | |
"142", "Info", | |
"150", "Info", | |
"158", "Info", | |
"166", "Info", | |
"174", "Info", | |
"182", "Info", | |
"190", "Info", | |
"7", "Debug", | |
"15", "Debug", | |
"23", "Debug", | |
"31", "Debug", | |
"39", "Debug", | |
"47", "Debug", | |
"55", "Debug", | |
"63", "Debug", | |
"71", "Debug", | |
"79", "Debug", | |
"87", "Debug", | |
"95", "Debug", | |
"103", "Debug", | |
"111", "Debug", | |
"119", "Debug", | |
"127", "Debug", | |
"135", "Debug", | |
"143", "Debug", | |
"151", "Debug", | |
"159", "Debug", | |
"167", "Debug", | |
"175", "Debug", | |
"183", "Debug", | |
"191", "Debug" | |
] | |
field => "syslog_pri" | |
destination => "severity" | |
override => true | |
} | |
} # end severity mapping
# Determine the ASA message class (the first three digits of the message ID)
# and map it to a log_facility / log_mnemonic, since the ASA header pattern
# above only captures ASA-MessageID.  Class table:
# https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/about.html
if [ASA-MessageID] { | |
grok { | |
match => [ | |
"ASA-MessageID", "(?<ASA-MessageID-Class>^.{3})" | |
] | |
} | |
# Populate the Cisco log_facility field from the class.
# NOTE(review): the array form is loaded as key/value pairs into a hash, so
# a key listed twice keeps only one mapping (as far as I know the later
# one).  Repeated keys below: 735, 400, 733, 731, 732, 725, 305 -- check
# each against the Cisco table and remove the wrong entry.
translate { | |
dictionary => [ | |
"109", "AUTH", | |
"113", "AUTH", | |
"415", "APPFW", | |
"110", "BRIDGE", | |
"220", "BRIDGE", | |
"717", "CA", | |
"723", "CITRIX", | |
"747", "CLUSTER", | |
"323", "CARDM", | |
"111", "CONFIG", | |
"112", "CONFIG", | |
"208", "CONFIG", | |
"308", "CONFIG", | |
"724", "CSD", | |
"776", "CTS", | |
"734", "DAP", | |
"333", "EAP", | |
"334", "EAPOUDP", | |
"336", "EIGRP", | |
"719", "EMAIL", | |
"735", "ENVM", | |
"101", "HA", | |
"102", "HA", | |
"103", "HA", | |
"104", "HA", | |
"105", "HA", | |
"210", "HA", | |
"311", "HA", | |
"709", "HA", | |
"746", "IDFW", | |
"400", "IDS", | |
"733", "IDS", | |
"750", "IKEV2", | |
"751", "IKEV2", | |
"752", "IKEV2", | |
"209", "IP", | |
"215", "IP", | |
"313", "IP", | |
"317", "IP", | |
"408", "IP", | |
# duplicate key: "735" is also mapped to ENVM above
"735", "IPAA", | |
# duplicate key: "400" is also mapped to IDS above
"400", "IPS", | |
"401", "IPS", | |
"420", "IPS", | |
"325", "IPV6", | |
"338", "BWGLISTS", | |
"444", "LIC", | |
"802", "MDM-PROXY", | |
"731", "NAC", | |
"732", "NAC", | |
# duplicate keys: "731"/"732" are also mapped to NAC directly above
"731", "NACPOLICY", | |
"732", "NACSETTINGS", | |
"319", "NP", | |
"725", "NPSSL", | |
"318", "OSPF", | |
"409", "OSPF", | |
"503", "OSPF", | |
"613", "OSPF", | |
"742", "PWENC", | |
"337", "PHONEPROXY", | |
"107", "RIP", | |
"312", "RIP", | |
"321", "RM", | |
"120", "SCH", | |
"106", "SESSION", | |
"108", "SESSION", | |
"201", "SESSION", | |
"202", "SESSION", | |
"204", "SESSION", | |
"302", "SESSION", | |
"303", "SESSION", | |
"304", "SESSION", | |
"305", "SESSION", | |
"314", "SESSION", | |
"405", "SESSION", | |
"406", "SESSION", | |
"407", "SESSION", | |
"500", "SESSION", | |
"502", "SESSION", | |
"607", "SESSION", | |
"608", "SESSION", | |
"609", "SESSION", | |
"616", "SESSION", | |
"620", "SESSION", | |
"703", "SESSION", | |
"710", "SESSION", | |
"212", "SNMP", | |
"775", "SCANSAFE", | |
# duplicate key: "725" is also mapped to NPSSL above
"725", "SSL", | |
"722", "SVC", | |
"199", "SYS", | |
"211", "SYS", | |
"214", "SYS", | |
"216", "SYS", | |
"306", "SYS", | |
"307", "SYS", | |
"315", "SYS", | |
"414", "SYS", | |
"604", "SYS", | |
"605", "SYS", | |
"606", "SYS", | |
"610", "SYS", | |
"612", "SYS", | |
"614", "SYS", | |
"615", "SYS", | |
"701", "SYS", | |
"711", "SYS", | |
"741", "SYS", | |
# duplicate key: "733" is also mapped to IDS above
"733", "THREAD-DEC", | |
"780", "TRE", | |
"339", "UCIME", | |
"779", "TAG-SWITCHING", | |
"730", "VM", | |
"213", "VPDN", | |
"403", "VPDN", | |
"603", "VPDN", | |
"316", "VPN", | |
"320", "VPN", | |
"402", "VPN", | |
"404", "VPN", | |
"501", "VPN", | |
"602", "VPN", | |
"702", "VPN", | |
"713", "VPN", | |
"714", "VPN", | |
"715", "VPN", | |
"611", "VPNC", | |
"720", "VPNFO", | |
"718", "VPNLB", | |
"778", "VXLAN", | |
"721", "WEBFO", | |
"716", "WEBVPN", | |
# duplicate key: "305" is also mapped to SESSION above
"305", "NATPAT", | |
"419", "DUPSYN", | |
"737", "IPAA", | |
"411", "LINEPROTO" | |
] | |
field => "ASA-MessageID-Class" | |
destination => "log_facility" | |
} # END populate the Cisco log_facility field
# Populate the Cisco log_mnemonic field from the full message ID.
# This is a curated subset: an ASA-MessageID that is not listed leaves
# [log_mnemonic] unset.  Detections that fire on a mnemonic (for example
# AAA_AUTH_REJECTED) therefore miss unlisted IDs silently -- key alerting
# on [ASA-MessageID] as well, or give translate a fallback value.
# NOTE(review): "ICPMPV6_DENY" (313008) looks like a typo of ICMPV6_DENY;
# left unchanged here because saved searches may already use it.
translate { | |
dictionary => [ | |
"106100", "IPACCESSLOGPERMIT", | |
"106023", "IPACCESSLOGDENY", | |
"111008", "COMMAND_CONF", | |
"111009", "COMMAND_SHOW", | |
"111010", "APPLICATION_EXECUTION", | |
"113003", "AAA_GROUP_POLICY_SET", | |
"113004", "AAA_ACCOUNTING", | |
"113005", "AAA_AUTH_REJECTED", | |
"113008", "AAA_TRANSACTION_SUCCESS", | |
"113009", "AAA_GROUP_POLICY", | |
"113019", "SESSION_DISCONNECTED", | |
"113022", "SERVER_ERROR", | |
"113011", "AAA_GROUP_POLICY_SELECT", | |
"113012", "AAA_AUTH_SUCCESS_LOCAL_DB", | |
"113039", "SESSION_STARTED", | |
"201013", "CLIENT_CONNECTION_LIMIT", | |
"210007", "LU_XLATE_ALLOCATE", | |
"302010", "CONNECTIONS_USED", | |
"305006", "NAT_CREATION_FAIL", | |
"313001", "ICMP_DENY", | |
"313005", "ICMP_NO_MATCHING_CONNECTION", | |
"313008", "ICPMPV6_DENY", | |
"402114", "IPSEC_SA_TIMING", | |
"402116", "IPSEC_WRONG_TRAFFIC", | |
"402117", "IPSEC_UNENCAPSULATED_PACKET", | |
"402119", "IPSEC_WRONG_SEQUENCE_NUM", | |
"402120", "IPSEC_FAILED_AUTHENTICATION", | |
"405001", "ARP_COLLISION", | |
"419002", "DUPLICATE_TCP_SYN", | |
"602305", "IPSEC_SA_CREATION", | |
"611101", "AAA_AUTH_ACCEPTED", | |
"611102", "AAA_AUTH_REJECTED", | |
"710003", "IPACCESSLOGDENY", | |
"711004", "PROCESS_HOGGING", | |
"713048", "IPSEC_PAYLOAD_ERROR", | |
"713061", "IPSEC_TUNNEL_REJECT", | |
"713122", "IKE_KEEPALIVE_ERROR", | |
"713123", "IKE_DPD_ERROR", | |
"713206", "IPSEC_TUNNEL_CONFLICT", | |
"713227", "IPSEC_SA_NO_SECOND_NEGOTIATION", | |
"713228", "VPN_IP_ASSIGNMENT", | |
"713261", "IKE_SA_NOIPV6_ON_INTERFACE", | |
"713901", "ISAKMP_VPNC_ANTI-DDOS", | |
"713902", "ISAKMP_ERROR", | |
"713903", "IKE_ERROR", | |
"716002", "WEBVPN_SESSION_TERMINATED", | |
"716039", "WEBVPN_SESSION_REJECTED", | |
"716058", "WEBVPN_SESSION_LOST_CONNECTION", | |
"716059", "WEBVPN_SESSION_RESUME", | |
"722010", "SVC_MESSAGE", | |
"722011", "SVC_MESSAGE", | |
"722012", "SVC_MESSAGE", | |
"722013", "SVC_MESSAGE", | |
"722014", "SVC_MESSAGE", | |
"722030", "SVC_SESSION_STATS", | |
"722031", "SVC_SESSION_TERMINATED", | |
"722022", "SVC_COMPRESSION", | |
"722023", "SVC_SESSION_TERMINATED_COMPRESSION", | |
"722028", "SVC_STALE_CONNECTION_CLOSED", | |
"722029", "SVC_SESSION_TERMINATED_STATS", | |
"722032", "SVC_SESSION_REPLACEING", | |
"722033", "SVC_CONNECTION_ESTABLISHED", | |
"722034", "SVC_RE-CONNECTION", | |
"722037", "SVC_CLOSING_REASON", | |
"722041", "SVC_TUN_NO_IPV6", | |
"722051", "SVC_IP_ASSIGNMENT", | |
"722055", "SVC_CLIENT_TYPE", | |
"722056", "SVC_CLIENT_REJECT", | |
"725001", "HANDSHAKE_START", | |
"725002", "HANDSHAKE_COMPLETED", | |
"725003", "SESSION_RESUME", | |
"725005", "CERTIFICATE_REQUEST", | |
"725007", "SSL_SESSION_TERMINATED", | |
"734001", "RECORD_SELECT", | |
"737032", "STANDBY_ADDRESS_REMOVE_ERR", | |
"750003", "SA_NEGOTIATION_ERROR", | |
"750012", "ENCRYPTION_TOO_WEAK", | |
"751014", "PAYLOAD_REQUEST_ERROR", | |
"752010", "NO_PROPOSAL_SPECIFIED", | |
"752012", "CRYPTOMAP_ERROR", | |
"752015", "L2L_SA_ERROR" | |
] | |
field => "ASA-MessageID" | |
destination => "log_mnemonic" | |
} # END populate the Cisco log_mnemonic field
} # END determine ASA message class (first three digits of the message ID)
# | |
# log_message filtern und markieren | |
if [log_message] { | |
grok { | |
match => [ | |
# security audit user logins | |
# ICX logins | |
"log_message", "SSH %{DATA:session_status} by %{DATA:username} from src %{DATA} %{IP:src_ip} from src MAC %{MAC:src_mac} from %{GREEDYDATA:session_mode} mode using %{GREEDYDATA}", | |
"log_message", "SSH %{DATA:session_status} by %{DATA:username} from src %{DATA} %{IP:src_ip} from src MAC %{MAC:src_mac} to %{GREEDYDATA:session_mode} mode using %{GREEDYDATA}", | |
"log_message", "%{GREEDYDATA:session_reason}. %{DATA:session_status}, intruder IP: +%{IP:src_ip}", | |
# MLX Logins | |
"log_message", "ssh %{DATA:session_status} by %{DATA:username} from src %{DATA} %{IP:src_ip} to %{GREEDYDATA:session_mode} mode using %{GREEDYDATA}", | |
"log_message", "SSH %{DATA:session_mode} by user %{DATA:username} from src %{DATA} %{IP:src_ip} %{DATA:session_status}, %{GREEDYDATA}", | |
# Cisco logins | |
"log_message", "Login %{DATA:session_status} \[user: %{DATA:username}\] \[Source: %{IP:src_ip}\] \[localport: %{INT}\] at %{GREEDYDATA}", | |
"log_message", "Login %{DATA:session_status} \[user: %{DATA:username}\] \[Source: %{DATA}\] \[localport: %{INT}\] at %{GREEDYDATA}", | |
"log_message", "Login %{DATA:session_status} \[user: %{DATA:username}\] \[Source: %{IP:src_ip}\] \[localport: %{INT}\] \[Reason: %{GREEDYDATA:session_reason}]\ at %{GREEDYDATA}", | |
"log_message", "%{DATA:ssh}%{INT:ssh_ver} Session from %{IP:src_ip} \(%{GREEDYDATA}\) for user \'%{DATA:username}\' using crypto cipher \'%{GREEDYDATA}\', hmac \'%{GREEDYDATA}\' %{GREEDYDATA:session_status}", | |
"log_message", "%{DATA:ssh}%{INT:ssh_ver} Session request from %{IP:src_ip} \(%{GREEDYDATA}\) using crypto cipher \'%{GREEDYDATA}\', hmac \'%{GREEDYDATA}\' %{GREEDYDATA:session_status}", | |
"log_message", "User %{DATA:username} has %{DATA:session_status} tty session %{INT}\(%{IP:src_ip}\)", | |
"log_message", "User \'%{DATA:username}\' authentication for %{DATA:ssh}%{INT:ssh_ver} Session from %{IP:src_ip} \(%{GREEDYDATA}\) using crypto cipher \'%{GREEDYDATA}\', hmac \'%{GREEDYDATA}\' %{GREEDYDATA:session_status}", | |
"log_message", "%{DATA:session_status} from console by %{DATA:username} on vty%{INT} \(%{IP:src_ip}\)", | |
"log_message", "%{DATA:session_status} from vty by %{DATA:username} on %{IP:src_ip}\@%{GREEDYDATA}", | |
# ASA logins | |
"log_message", "AAA user authentication %{DATA:session_status} : server = %{IP} : user = %{GREEDYDATA:username}", | |
"log_message", "User authentication %{DATA:session_status}: IP address: %{IP:src_ip}, Uname: %{GREEDYDATA:username}", | |
"log_message", "User authentication %{DATA:session_status}: IP address: %{IPORHOST:src_ip}, Uname: %{GREEDYDATA:username}", | |
# VDX logins | |
"log_message", "BOMEvent: %{DATA:session}, Status: %{DATA:session_status}, Info: Successful login attempt via %{DATA}, IP Addr: %{IP}.", | |
"log_message", "BOMEvent: %{DATA:session}, Status: %{DATA:session_status}, Info: Failed login attempt through %{DATA}, IP Addr: %{IP}.", | |
"log_message", "BOMLogin information: %{DATA:session} %{DATA:session_status} via TELNET/SSH/RSH. IP Addr: %{IPORHOST:hostname}.", | |
"log_message", "BOMTACACS\+ server %{IPORHOST:AAA-Server} %{DATA:session_status} user account \'%{DATA:username}\'.", | |
#N7K logins | |
"log_message", "%{DATA:session_status} user added with username %{DATA:username} - %{GREEDYDATA:daemon}", | |
"log_message", "Login %{DATA:session_status} for user %{DATA:username} - sshd", | |
"log_message", "user (delete) %{DATA:session_status} for %{DATA}:%{DATA:process}: user %{DATA:username} is currently used by process %{INT:process_id}", | |
"log_message", "%{DATA:username} : TTY=%{GREEDYDATA:tty} ; PWD=%{GREEDYDATA:pwd} ; USER=%{GREEDYDATA:systemuser} ; COMMAND=%{GREEDYDATA:command} /proc/%{INT:proc_id}/environ - %{GREEDYDATA}", | |
"log_message", "pam_warn\(%{GREEDYDATA:pam_warn}\): function=\[%{GREEDYDATA:function}\] service=\[%{GREEDYDATA:service}\] terminal=\[%{GREEDYDATA:tty}\] user=\[%{DATA:systemuser}\] ruser=\[%{DATA:username}\] rhost=\[%{GREEDYDATA:rhost}\] +- %{GREEDYDATA}", | |
# Arista Logins | |
# session_stop | |
"log_message", "%{IPORHOST:hostname} %{DATA:username} %{DATA:session_mode} %{IPORHOST:src_ip} %{DATA:session_status} task_id=%{INT:task_id} start_time=%{INT:start_time} timezone=%{DATA} service=%{DATA:service} elapsed_time=%{GREEDYDATA:elapsed_time}", | |
# session_start | |
"log_message", "%{IPORHOST:hostname} %{DATA:username} %{DATA:session_mode} %{IPORHOST:src_ip} %{DATA:session_status} task_id=%{INT:task_id} start_time=%{INT:start_time} timezone=%{DATA} service=%{GREEDYDATA:service}", | |
# VDX Logs | |
"log_message", "BOMENS %{GREEDYDATA}", | |
"log_message", "BOMEvent: %{GREEDYDATA}", | |
# Cisco Logmessages | |
# Cisco | |
"log_message", "%{DATA:error_message}: message repeated %{INT:message_repeat_count} (times|time) in last %{INT:message_repeat_intervall} (min|sec)", | |
# Cisco | |
"log_message", "Mac %{MAC:mac} in vlan %{INT:vlan_id} has moved from %{DATA:src_interface} to %{GREEDYDATA:dst_interface}", | |
# Cisco AUTHMGT | |
"log_message", "VLAN %{INT:vlan_id} assigned to Interface %{DATA:interface} AuditSessionID %{GREEDYDATA:session_id}", | |
# Cisco | |
"log_message", "list %{DATA:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} %{IP:src_ip}\(%{INT:src_port}\) -> %{IP:dst_ip}\(%{INT:dst_port}\), %{INT:packet_count} packet[s]{0,1}%{GREEDYDATA}", | |
"log_message", "list %{DATA:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} %{IP:src_ip} -> %{IP:dst_ip} \(%{INT}\/%{INT}\), %{INT:packet_count} packet[s]{0,1}%{GREEDYDATA}", | |
"log_message", "list %{DATA:policy_id} %{CISCO_ACTION:action} %{INT} %{IP:src_ip} -> %{IP:dst_ip}, %{INT:packet_count} packet[s]{0,1}%{GREEDYDATA}", | |
"log_message", "list %{DATA:policy_id} %{CISCO_ACTION:action} %{IP:src_ip} %{INT:packet_count} packet[s]{0,1}%{GREEDYDATA}", | |
"log_message", "%{DATA:spa}%{INT:spa_num}: %{DATA:manager}: +list %{DATA:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} %{IP:src_ip}\(%{INT:src_port}\) %{DATA:interface}-> %{IP:dst_ip}\(%{INT:dst_port}\), %{INT:packet_count} packet[s]{0,1}%{GREEDYDATA}", | |
# Cisco | |
"log_message", "Authorization %{DATA:8021x_session_status} for client \(%{GREEDYDATA:client}\) on Interface %{DATA:src_interface} AuditSessionID %{INT:session_id}", | |
# Cisco NTP | |
"log_message", "%{DATA:daemon} Receive dropping message: %{GREEDYDATA:error_message}. Drop (C|c)ount:[' ']{0,2}%{INT:drop_count} +- ntpd", | |
"log_message", "ntp_receive: dropping message: restricted..", | |
# | |
#L2FM | |
"log_message", "%{MAC:mac} in vlan %{DATA:vlan_id} has moved from %{DATA:src_interface} to %{GREEDYDATA:dst_interface}", | |
# Interface SECURITY_VIOLATION | |
"log_message", "%{GREEDYDATA:security_audit_message} on the interface %{GREEDYDATA:interface}, new MAC address \(%{MAC:mac}\) is seen.AuditSessionID %{GREEDYDATA:security_audit}", | |
# | |
#URIB / U6RIB Memory | |
"log_message", "(urib|u6rib) \[%{INT}\] \(%{DATA}\) +%{GREEDYDATA:error_message}", | |
# | |
#PORT_SECURITY | |
"log_message", "%{GREEDYDATA:error_message}, caused by MAC address %{MAC:mac} on port %{GREEDYDATA:interface}", | |
# | |
#DOT1X | |
"log_message", "%{GREEDYDATA:error_message} for client \(%{DATA:mac}\) on Interface %{DATA:interface} AuditSessionID %{GREEDYDATA:session_id}", | |
# | |
#HSRP_ENGINE | |
"log_message", "Interface %{DATA:interface} IPV%{INT:ipversion} Grp %{DATA:hsrp_grp} %{GREEDYDATA:log_message} reason %{GREEDYDATA:error_message}", | |
#CDP Neighbor | |
"log_message", "Device %{DATA:cdp_hostname}\(%{DATA:cdp_host_serialnum}\) discovered of type %{DATA:cdp_hosttype} with port %{DATA:src_interface} on incoming port %{DATA:dst_interface} with ip addr %{IP:src_ip} and mgmt ip %{IP:mgmt_ip}, %{IP:mgmt_ipv6}%{GREEDYDATA}", | |
#SW_MATM-4-MACFLAP_NOTIF | |
"log_message", "Host %{MAC:mac} in vlan %{INT:vlan_id} is %{DATA:error_message} between port %{DATA:interface} and port %{DATA:interface2}", | |
#TUNNEL-5-IF_STATE_UPDATE | |
"log_message", "Interface %{DATA:interface} is %{DATA:interface_operstate} reason %{GREEDYDATA:error_message}", | |
#TUNNEL-4-TM_MTU_PROGRAMMING | |
"log_message", "Programming %{DATA:interface} mtu %{INT:mtu}%{GREEDYDATA}", | |
#TUNNEL-5-IF_DELETED | |
"log_message", "Interface %{DATA:interface} is %{GREEDYDATA:interface_operstate}", | |
#Interface | |
#LINEPROTO-5-UPDOWN | |
"log_message", "Line protocol on Interface %{DATA:interface}, changed state to %{GREEDYDATA:interface_operstate}", | |
# LINK-3-UPDOWN | |
"log_message", "Interface %{DATA:interface}, changed state to %{GREEDYDATA:interface_operstate}", | |
# Interface err disable | |
"log_message", "Attempting to recover from %{DATA:security_audit} %{DATA:error_message} state on %{GREEDYDATA:interface}", | |
# ARP-4-OWN_SRCMAC | |
"log_message", "arp \[%{INT:seq_num}\] Received packet with a local source MAC address \(%{MAC:mac}\) from %{IP:src_ip} on Vlan%{INT:vlan_id}", | |
# | |
# ARP_2_DUP_SRC_IP | |
"log_message", "arp \[%{INT:seq_num}\] +Source address of packet received from %{MAC:mac} on Vlan%{INT:vlan_id}\(%{DATA:interface}\) is duplicate of local, %{IP:src_ip}", | |
# | |
# ARP-3-DUP_VADDR_SRC_IP | |
"log_message", "arp \[%{INT:seq_num}\] +Source address of packet received from %{MAC:src_mac} on Vlan%{INT:vlan_id}\(%{DATA:interface}\) is duplicate of local virtual ip, %{IP:src_ip}", | |
# | |
# ICMPV6-3-ND_LOG | |
"log_message", "icmpv6 \[%{INT:seq_num}\] Duplicate address %{IP:src_ip} detected on Vlan%{INT:vlan_id}", | |
# | |
# DHCP_SNOOPING_DENY | |
"log_message", "%{INT:count} %{GREEDYDATA:error_message} on %{DATA:interface}, vlan %{INT:vlan_id}.\(\[%{MAC:src_mac}\/%{IP:src_ip}\/%{MAC:dst_mac}\/%{IP:dst_ip}\/%{GREEDYDATA}", | |
# DHCP error | |
"log_message", "%{DATA} %{DATA:error_status} message because the %{GREEDYDATA:error_message}, message type: %{DATA:message_type}, chaddr: %{MAC:cha_mac}, MAC sa: %{MAC:sa_mac}", | |
# Cisco | |
"log_message", "New user added with username %{DATA:username} - %{GREEDYDATA:daemon}", | |
# Cisco Duplicate IP | |
"log_message", "Duplicate address %{IP:src_ip} on %{DATA:interface}, sourced by %{MAC:src_mac}", | |
# | |
"log_message", "%{DATA:username}#%{INT}# : TTY=%{GREEDYDATA:TTY} ; PWD=%{GREEDYDATA:PWD} ; USER=%{DATA} ; COMMAND=%{GREEDYDATA} \/proc\/%{INT}\/environ - %{GREEDYDATA:sudo}", | |
# Logging enable / disable | |
"log_message", "%{DATA:logging} to host %{IPORHOST:hostname} (p|P)ort %{INT:dst_port} %{GREEDYDATA:loggig_status}", | |
# ACL Logging rate Limit | |
"log_message", "access-list logging rate-limited or missed %{INT:packet_count} packet[s]{0,1}%{GREEDYDATA}", | |
# ACL log | |
"log_message", "Src IP: %{IP:src_ip}, Dst IP: %{IP:dst_ip}, Src Port: %{INT:src_port}, Dst Port: %{INT:dst_port}, Src Intf: %{DATA:src_interface}, Protocol: \"%{DATA:ip_protcol}\"\(%{DATA:ip_protcol_num}\), Hit-count = %{INT:hitcount}[' ']{0,2}", | |
# WLC | |
"log_message", "\[%{DATA:wlc_log_id}\]%{DATA:wlc_program}:%{INT:wlc_program_num} +%{GREEDYDATA}", | |
"log_message", "%{DATA:wlc_program}:%{INT:wlc_program_num} (MAX|AP|Client) +%{GREEDYDATA}", | |
# ASA messages | |
"log_message", "User '%{DATA:username}' executed cmd: %{DATA:command}[' ']{0,2}%{GREEDYDATA:log_message}", | |
# 111008 | |
"log_message", "User '%{DATA:username}' executed the '%{GREEDYDATA:command}'[' ']{0,2}%{GREEDYDATA:log_message}", | |
# 111010 | |
"log_message", "User '%{DATA:username}', running '%{DATA:application-name}' from IP %{IP:src_ip}, executed '%{GREEDYDATA:command}'[' ']{0,2}%{GREEDYDATA:log_message}", | |
# VPN | |
# Soll auf "ASA-0-113009" matchen | |
"log_message", "Group = %{DATA:vpn_group}, Username = %{DATA:username}, IP = %{IP:src_ip}, Session %{DATA:vpn_session}. Session Type: %{DATA:vpn_session_type}, Duration: %{DATA:vpn_session_duration}, Bytes xmt: %{DATA:vpn_received}, Bytes rcv: %{DATA:vpn_transmitted}, Reason: %{GREEDYDATA:vpn_session_end_reason}", | |
# 113019 | |
"log_message", "Group = %{IPORHOST:vpn_group}, Username = %{IPORHOST:username}, IP = %{IP:src_ip}, Session %{DATA:vpn_session}. Session Type: %{DATA:vpn_session_type}, Duration: %{DATA:vpn_session_duration}s, Bytes xmt: %{DATA:vpn_received}, Bytes rcv: %{DATA:vpn_transmitted}, Reason: %{GREEDYDATA:vpn_session_end_reason}", | |
# 313008 | |
"log_message", "%{CISCO_ACTION:action} IPv%{INT:ipversion}-%{WORD:protocol} type=%{INT:protocol_type}, code=%{INT:protocol_num} from %{IP:src_ip} on interface %{GREEDYDATA:src_interface}", | |
# soll auf 713120 matchen | |
"log_message", "Group = %{DATA:vpn_group}, IP = %{IP:src_ip}, %{GREEDYDATA:log_message}", | |
# soll auf 713228 matchen | |
"log_message", "Group = %{DATA:vpn_group}, Username = %{DATA:username}, IP = %{IP:src_ip}, Assigned private IP address %{IP:vpn_ip} to remote user%{GREEDYDATA:log_message}", | |
# 722037 | |
"log_message", "Group <%{DATA:vpn_group_policy}> User <%{DATA:username}> IP <%{IPORHOST:src_ip}> SVC closing connection: %{GREEDYDATA:vpn_session_end_reason}.", | |
# 722051 mit ipv6 | |
"log_message", "Group <%{DATA:vpn_group_policy}> User <%{DATA:username}> IP <%{IPORHOST:src_ip}> IPv4 Address <%{IP:vpn_ip}> IPv6 address <%{IP:vpn_ipv6}> assigned to session", | |
# 722051 ohne ipv6 | |
"log_message", "Group <%{DATA:vpn_group_policy}> User <%{DATA:username}> IP <%{IPORHOST:src_ip}> IPv4 Address <%{IP:vpn_ip}> IPv6 address <::> assigned to session", | |
# 716002 | |
"log_message", "Group <%{DATA:vpn_group_policy}> User <%{DATA:username}> IP <%{IPORHOST:src_ip}> WebVPN session terminated: %{GREEDYDATA:vpn_session_end_reason}", | |
# 113003 | |
"log_message", "%{DATA:AAA} group policy for user %{DATA:username} is being set to %{GREEDYDATA:vpn_group_policy}", | |
# 113004 | |
"log_message", "%{DATA:AAA} user %{DATA:AAA-Type} %{DATA:AAA-Result} : server = %{IP:AAA-Server} : user = %{GREEDYDATA:username}", | |
# 113008 | |
"log_message", "%{DATA:AAA} %{DATA:AAA-Type} status %{DATA:AAA-Result} : user = %{GREEDYDATA:username}[' ']{0,2}%{GREEDYDATA:log_message}", | |
# 113009 | |
"log_message", "%{DATA:AAA} retrieved default group policy \(%{DATA:vpn_group_policy}\) for user = %{GREEDYDATA:username}", | |
# 113012 | |
"log_message", "%{DATA:AAA} user %{DATA:AAA-Type} %{DATA:AAA-Result} : local database : user = %{GREEDYDATA:username}", | |
# 113023 | |
"log_message", "%{DATA:AAA} Marking LDAP server %{IPORHOST:AAA-Server} in aaa-server group %{DATA:AAA_group} as %{GREEDYDATA:AAA-Result}", | |
# 713061 | |
"log_message", "Group = %{DATA:vpn_group}, IP = %{IP:src_ip}, %{DATA:action} %{DATA:IPSec} tunnel: %{GREEDYDATA:error_message} for remote proxy %{IP:ipsec_src}/%{IP:ipsec_src_mask}/0/0 local proxy %{IP:ipsec_dst}/%{IP:ipsec_dst_mask}/0/0 on interface %{DATA:dst_interface}", | |
# 713122 | |
"log_message", "IP = %{IP:src_ip}, Keep-alives configured on but %{GREEDYDATA:error_message} \(type = %{DATA}\)", | |
# SSL | |
# 725002 | |
"log_message", "Device completed %{DATA:SSL} %{DATA:SSL_session_status} with client %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} for %{DATA:ssl_protocol}v%{DATA:ssl_protocol_version} session", | |
# 725001 | |
"log_message", "%{DATA:SSL_session_status} %{DATA:SSL} handshake with client %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} for %{DATA:ssl_protocol} session", | |
"log_message", "%{DATA:SSL_session_status} %{DATA:SSL} handshake with server %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} for %{DATA:ssl_protocol} session", | |
# 750003 | |
"log_message", "Local:%{IPORHOST:src_ip}:%{INT:src_port} Remote:%{IP:dst_ip}:%{INT:dst_port} Username:%{DATA:username} %{DATA:ike}v%{INT:ike_version} %{GREEDYDATA:error_message}", | |
# 725005 | |
"log_message", "%{DATA:SSL} session with client %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} %{GREEDYDATA:SSL_session_status}", | |
"log_message", "%{DATA:SSL} server %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} %{GREEDYDATA:SSL_session_status}", | |
# 402116 | |
"log_message", "%{DATA:IPSEC}: Received an ESP packet \(%{GREEDYDATA:spi}\) from %{IPORHOST:src_ip} \(user= %{DATA:username}\) to %{IP:dst_ip}. +%{GREEDYDATA:error_message}", | |
# 450001 | |
"log_message", "Received %{GREEDYDATA:error_message} from %{IP:src_ip}\/%{MAC:src_mac} on interface %{DATA:interface} with existing ARP entry %{IP:dst_ip}\/%{MAC:dst_mac}", | |
# 725003 | |
"log_message", "%{DATA:SSL} client %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} request to %{GREEDYDATA:SSL_session_status}.", | |
"log_message", "%{DATA:SSL} client %{DATA:src_interface}:%{IP:src_ip}\/%{INT:src_port} to %{IP:dst_ip}\/%{INT:dst_port} request to %{DATA:SSL_session_status} %{GREEDYDATA}", | |
# 210007 | |
"log_message", "%{DATA:error_message} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} \(%{DATA:ip_src_xlate_addr}/%{DATA:ip_src_xlate_port}\) to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port} \(%{DATA:ip_dst_xlate_addr}/%{DATA:ip_dst_xlate_port}\)", | |
# 710003 | |
"log_message", "%{DATA:ip_protcol} access %{DATA:error_message} by %{DATA:acl} from %{IP:src_ip}\/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}\/%{INT:dst_port}", | |
# 722010-14 | |
"log_message", "Group <%{DATA:vpn_group_policy}> User <%{DATA:username}> IP <%{IPORHOST:src_ip}> SVC Message: %{INT:svc_type_num}\/%{DATA:svc_message_severity}: %{GREEDYDATA:svc_message}", | |
# 722023 | |
"log_message", "Group <%{DATA:vpn_group_policy}> User <%{DATA:username}> IP <%{IPORHOST:src_ip}> %{GREEDYDATA:error_message}", | |
# 722041 | |
"log_message", "TunnelGroup <%{DATA:vpn_group}> GroupPolicy <%{DATA:vpn_group_policy}> User <%{DATA:username}> IP <%{IPORHOST:src_ip}> +%{GREEDYDATA:error_message}", | |
# 734001 | |
"log_message", "DAP: User %{DATA:username}, Addr %{IPORHOST:src_ip}, Connection %{DATA:DAP_connection}: The following DAP records were selected for this connection: %{GREEDYDATA:DAP_record}", | |
# 725007. | |
"log_message", "%{DATA:SSL} session with (client|server) %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} %{GREEDYDATA:SSL_session_status}", | |
# 725010. | |
"log_message", "%{DATA:ike}v%{INT:ike_version} Doesn't have a %{GREEDYDATA:ike_error} specified", | |
# 725012. | |
"log_message", "%{DATA:ike}v%{INT:ike_version} was unsuccessful at setting up a tunnel. +Map Tag = %{DATA:cyrpto_map}. +Map Sequence Number = %{INT:cyrpto_map_seq}.", | |
# 725015. | |
"log_message", "Tunnel Manager has failed to establish an %{DATA:vpn_session_type} SA. +All configured %{DATA:ike} versions %{GREEDYDATA:error_message}. Map Tag= %{DATA:cyrpto_map}. +Map Sequence Number = %{INT:cyrpto_map_seq}.", | |
#soll auf 305006 matchen | |
"log_message", "%{DATA:error_message} for %{DATA:ip_protcol} src %{DATA:src_interface}:%{IP:src_ip} dst %{DATA:dst_interface}:%{IP:dst_ip} \(type %{DATA:icmp_type}, code %{DATA:icmp_code}\)%{GREEDYDATA:log_message}", | |
# soll auf 713123 matchen auch fast eine catch all regel | |
"log_message", "Group = %{DATA:vpn_group}, IP = %{DATA:username}, %{GREEDYDATA:log_message}", | |
# asa 411 | |
"log_message", "Line protocol on Interface %{DATA:interface}, changed state to %{GREEDYDATA:interface_operstate}", | |
"log_message", "AAA user authentication %{DATA:security_audit} : reason = %{GREEDYDATA:auth_reason} : server = %{IP} : user = %{GREEDYDATA:username}", | |
"log_message", "AAA user authentication %{DATA:security_audit} : reason = %{GREEDYDATA:auth_reason} : server = %{IP} : user = %{DATA:username} : user IP = %{IP:src_ip}", | |
"log_message", "User authentication %{DATA:security_audit}: IP address: %{IP:src_ip}, Uname: %{GREEDYDATA:username}", | |
# ASA-1-104001 | |
"log_message", "%{CISCOFW104001}", | |
# # ASA-1-104002 | |
"log_message", "%{CISCOFW104002}", | |
# # ASA-1-104003 | |
"log_message", "%{CISCOFW104003}", | |
# # ASA-1-104004 | |
"log_message", "%{CISCOFW104004}", | |
# # ASA-1-105003 | |
"log_message", "%{CISCOFW105003}", | |
# # ASA-1-105004 | |
"log_message", "%{CISCOFW105004}", | |
# # ASA-1-105005 | |
"log_message", "%{CISCOFW105005}", | |
# # ASA-1-105008 | |
"log_message", "%{CISCOFW105008}", | |
# # ASA-1-105009 | |
"log_message", "%{CISCOFW105009}", | |
# # ASA-2-106001 | |
"log_message", "%{CISCOFW106001}", | |
# # ASA-2-106006, ASA-2-106007, ASA-2-106010 | |
"log_message", "%{CISCOFW106006_106007_106010}", | |
# # ASA-3-106014 | |
"log_message", "%{CISCOFW106014}", | |
# # ASA-6-106015 | |
"log_message", "%{CISCOFW106015}", | |
# # ASA-6-106017 | |
"log_message", "%{DATA:session_status} IP due to %{DATA:error_message} from %{IP:src_ip} to %{IP:dst_ip}", | |
# # ASA-1-106021 | |
"log_message", "%{CISCOFW106021}", | |
# # ASA-4-106023 | |
"log_message", "%{CISCOFW106023}", | |
# # ASA-4-106100, ASA-4-106102, ASA-4-106103 | |
"log_message", "%{CISCOFW106100_2_3 access-list}", | |
# # ASA-5-106100 | |
"log_message", "%{CISCOFW106100}", | |
# # ASA-5-304001 | |
"log_message", "%{CISCOFW304001}", | |
# # ASA-6-110002 | |
"log_message", "%{CISCOFW110002}", | |
# # ASA-6-302010 | |
"log_message", "%{CISCOFW302010}", | |
# # ASA-6-302013, ASA-6-302014, ASA-6-302015, ASA-6-302016 | |
"log_message", "%{CISCOFW302013_302014_302015_302016}", | |
# # ASA-6-302020, ASA-6-302021 | |
"log_message", "%{CISCOFW302020_302021}", | |
# # ASA-6-305011 | |
"log_message", "%{CISCOFW305011}", | |
# # ASA-3-313001, ASA-3-313004, ASA-3-313008 | |
"log_message", "%{CISCOFW313001_313004_313008}", | |
# # ASA-4-313005 | |
"log_message", "%{CISCOFW313005}", | |
# # ASA-5-321001 | |
"log_message", "%{CISCOFW321001}", | |
# # ASA-4-402117 | |
"log_message", "%{CISCOFW402117}", | |
# # ASA-4-402119 | |
"log_message", "%{CISCOFW402119}", | |
# # ASA-4-419001 | |
"log_message", "%{CISCOFW419001}", | |
# # ASA-4-419002 | |
"log_message", "%{CISCOFW419002}", | |
# # ASA-4-500004 | |
"log_message", "%{CISCOFW500004}", | |
# # ASA-6-602303, ASA-6-602304 | |
"log_message", "%{CISCOFW602303_602304}", | |
"log_message", "%{CISCOFW713172}", | |
# # ASA-4-733100 | |
"log_message", "%{CISCOFW733100}", | |
# 106023 | |
"log_message", "%{CISCO_ACTION:action} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port})?(\(%{DATA:src_fwuser}\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(/%{INT:dst_port})?(\(%{DATA:dst_fwuser}\))?( \(type %{INT:icmp_type}, code %{INT:icmp_code}\))? by access-group %{DATA:policy_id} \[%{DATA:hashcode1}, %{DATA:hashcode2}\]", | |
# 201013 | |
"log_message", "Per-client connection limit exceeded %{DATA:connections_use}\/%{DATA:connections_max_use} for output packet from %{IP:src_ip}\/%{INT:src_port} to %{IP:dst_ip}\/%{INT:dst_port} on interface %{DATA:src_interface}", | |
# 210007 | |
"log_message", "LU allocate xlate %{DATA:action} for dynamic-nat TCP translation from %{DATA:src_interface}:%{IP:src_ip}\/%{INT:src_port} \(%{IP}\/%{DATA}\) to %{DATA:dst_interface}:%{IP:dst_ip}\/%{INT:dst_port} \(%{IP}\/%{DATA}\)", | |
# 313005 | |
"log_message", "%{CISCO_REASON:reason} for %{WORD:protocol} error message: %{WORD:err_protocol} src %{DATA:err_src_interface}:%{IP:err_src_ip}(\(%{DATA:err_src_fwuser}\))? dst %{DATA:err_dst_interface}:%{IP:err_dst_ip}(\(%{DATA:err_dst_fwuser}\))? \(type %{INT:err_icmp_type}, code %{INT:err_icmp_code}\) on %{DATA:interface} interface\. Original IP payload: %{WORD:protocol} src %{IP:orig_src_ip}/%{INT:orig_src_port}(\(%{DATA:orig_src_fwuser}\))? dst %{IP:orig_dst_ip}/%{INT:orig_dst_port}(\(%{DATA:orig_dst_fwuser}\))?", | |
# 419002 | |
"log_message", "Duplicate TCP SYN from %{DATA:src_interface}:%{IP:src_ip}\/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}\/%{INT:dst_port} with different initial sequence number", | |
# 713902 | |
"log_message", "Group = %{DATA:vpn_group}, IP = %{IP:src_ip}, %{GREEDYDATA}!", | |
# 713903 | |
"log_message", "IP = %{IP:src_ip}, %{GREEDYDATA:error_message}, %{GREEDYDATA}\! \(%{GREEDYDATA}\)", | |
# 113009 | |
"log_message", "%{DATA:aaa} retrieved default group policy \(%{DATA:group_policy}\) for user = %{IPORHOST:username}", | |
# 113019 | |
"log_message", "Group = %{IPORHOST:vpn_group}, Username = %{IPORHOST:username}, IP = %{IP:src_ip}, Session %{DATA:vpn_session}. Session Type: %{DATA:vpn_session_type}, Duration: %{DATA:vpn_session_duration}s, Bytes xmt: %{DATA:vpn_received}, Bytes rcv: %{DATA:vpn_transmitted}, Reason: %{GREEDYDATA:vpn_session_end_reason}", | |
# 713903 | |
"log_message", "Group = %{DATA:group_policy}, IP = %{IP:src_ip}, %{DATA:status}, +%{GREEDYDATA}", | |
# 713061 | |
"log_message", "Group = %{DATA:vpn_group}, IP = %{IP:src_ip}, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy %{IP:remote_net}\/%{IP:remote_net_mask}\/%{INT}\/%{INT} local proxy", | |
# HP | |
"log_message", "Notice-Type=\'%{DATA:notice_type}\',Event-ID=\'%{INT:event_id}\',Config-Method=\'%{DATA:config_method}\',Device-Name=\'%{DATA:hostname}\',User-Name=\'%{DATA:username}\',Remote-IP-Address=\'%{IP:src_ip}\'", | |
# ICX | |
# Interface | |
"log_message", "Interface %{DATA:interface_type} %{DATA:interface_num}, state %{GREEDYDATA:interface_state}", | |
#VLAN | |
"log_message", "VLAN %{DATA:vlan_id} Port %{DATA:interface_num} STP State -> %{DATA:STP_state} \(%{DATA:STP_changereason}\)", | |
# MLX | |
# BGP Peer | |
"log_message", "Peer \(VRF: +%{DATA:vrf}\) %{IP:peer_ip} %{DATA:bgp_session} \(%{GREEDYDATA:bgp_status}\)", | |
# Loadbalancer | |
"log_message", "%{IP:src_ip} - %{DATA:username} \[%{GREEDYDATA}\] \"\/%{DATA}\/%{DATA}\/%{DATA:security_audit}\/%{GREEDYDATA}\" %{INT} %{INT}", | |
"log_message", "CMD (%{GREEDYDATA})", | |
# Catchall | |
"log_message", "%{GREEDYDATA:log_catchall}" | |
] | |
} | |
} # End log_message filtern und markieren | |
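# Re-parse WLC messages more finely (original comment: "WLC Messages feiner filtern").
# Only events carrying [wlc_message_id] reach this branch; that field is presumably set by
# one of the message-level patterns further up (not visible here) -- confirm.
if [wlc_message_id] {
  grok {
    match => [
      "log_message", "%{DATA:wlc_program}:%{INT:wlc_program_num} +%{GREEDYDATA}",
      # Fallback: matches anything, so this grok never tags _grokparsefailure.
      "log_message", "%{GREEDYDATA:log_wlc_message}"
    ]
    # The WLC patterns in the preceding grok capture into the same field names
    # (wlc_program / wlc_program_num). Without overwrite, grok appends to an existing
    # field and it becomes an array, which breaks index mappings and any downstream
    # equality checks; overwrite keeps the fields scalar and has no effect when they
    # are not already present.
    overwrite => [ "wlc_program", "wlc_program_num" ]
  }
  # The event has now been parsed here, so the catch-all marker left by the first
  # grok no longer applies.
  if [log_catchall] {
    mutate {
      remove_field => [ "log_catchall" ]
    }
  }
} # END re-parse WLC messages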
# Do not parse load-balancer messages any further (original: "Loadbalancer Messages nicht weiter filtern").
# Both hostnames below are redacted ("xxx") in this copy; the real file is expected to name
# the two load balancers. The comparison is an exact, case-sensitive string match on [sysloghost].
if [sysloghost] == "xxx" or [sysloghost] == "xxx" { | |
# Drop the catch-all marker so these events are not reported as unparsed.
if [log_catchall] { | |
mutate { | |
remove_field => [ "log_catchall" ] | |
} | |
} | |
} # END do not parse load-balancer messages further
# Normalise [session_status] to a small fixed vocabulary (original: "session status anpassen").
# Only events that already carry [session_status] (set by a grok capture above) are touched.
if [session_status] { | |
translate { | |
# Left column: raw value as captured from the device message (both capitalisations are
# listed because dictionary lookups are exact by default); right column: normalised value.
# The resulting vocabulary is login / logout / failed. The output section forwards every
# event that carries this field, whatever its value.
dictionary => [ | |
"Successful", "login", | |
"successful", "login", | |
"Success", "login", | |
"success", "login", | |
"Closed", "logout", | |
"closed", "logout", | |
"Exited", "logout", | |
"exited", "logout", | |
"terminated", "logout", | |
"stop", "logout", | |
"Failed", "failed", | |
"failed", "failed", | |
"Failure", "failed", | |
"failure", "failed", | |
"rejected", "failed", | |
"Modified", "login", | |
"modified", "login", | |
"Succeeded", "login", | |
"succeeded", "login", | |
"start", "login", | |
"New", "login", | |
"new", "login", | |
"Authenticated", "login", | |
"authenticated", "login" | |
] | |
# Source and destination are the same field, so the raw value is replaced in place;
# values not listed in the dictionary are left unchanged (no fallback is configured).
field => "session_status" | |
destination => "session_status" | |
override => true | |
} | |
} # end normalise session status
} # if [type] | |
} | |
output { | |
# Events that carry a [session_status] are additionally forwarded to the downstream
# pipeline (pipeline-to-pipeline); every event still goes to Elasticsearch below.
if [session_status] { | |
pipeline { | |
send_to => [ "_10050-nw-downstream_p061" ] | |
} | |
} | |
elasticsearch { | |
# Hostnames, CA path and credentials are redacted ("xxx") in this copy.
hosts => [ "xxx03:9200", "xxx04:9200", "xxxdb05:9200" ] | |
# TLS to the cluster, trusting the CA given in cacert. Leave certificate verification at
# its default (enabled) so the CA pin is actually enforced.
ssl => true | |
cacert => "/etc/logstash/certs/xxxb07.xxx.ca.crt" | |
# One index per day; the date part is rendered from the event's @timestamp.
index => "nw-xal-logs-syslog-10000-%{+YYYY.MM.dd}" | |
# NOTE(review): the credentials are stored in clear text in the pipeline file. Prefer the
# Logstash keystore and reference the entries as "${KEY_NAME}" (placeholder name) so the
# secret is not readable by anyone who can read this file or the gist it was pasted into.
user => "xxx" | |
password => "xxx" | |
} | |
} |