Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Pipeline definition
# syslog
input {
udp {
id => "udp_10000"
port => 10000
type => syslog_udp_10000
}
tcp {
id => "tcp_10000"
port => 10000
type => syslog_udp_10000
}
}
filter {
if [type] == "syslog_udp_10000" {
# unwanted stuff out
if "mx01" in [message] {
drop{ }
}
else if "gateway-1" in [message] {
drop{ }
}
else if "gateway-2" in [message] {
drop{ }
}
else if "InterMapper" in [message] {
drop{ }
}
# end unwanted stuff
# Header Filtern und log_message erzeugen:
if [message] {
grok {
match => [
# VDX
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} %{DATA:daemon}: \[log\@%{INT} value=\"AUDIT\"\]\[timestamp\@%{INT} value=\"%{DATA:log_timestamp}\"\]\[tz\@%{INT} value=\"%{DATA:log_timezone}\"\]\[msgid\@%{INT} value=\"%{DATA:log_facility}-%{DATA:log_mnemonic}\"\]\[severity\@%{INT} value=\"%{DATA:log_severity}\"( desc=\"%{DATA:severity_desc}\")?\]\[class\@%{INT} value=\"%{DATA:log_class}\"\]\[user\@%{INT} value=\"%{DATA:username}\"( desc=\"%{DATA:user_desc}\")?\]\[role\@%{INT} value=\"%{DATA:role}\"( desc=\"%{DATA:role_desc}\")?\]\[ip\@%{INT} value=\"%{DATA:src_ip}\"( desc=\"%{DATA:ip_desc}\")?\]\[interface\@%{INT} value=\"%{DATA:connection}\"( desc=\"%{DATA:desc}\")?\]\[application\@%{INT} value=\"%{DATA:application}\"( desc=\"%{DATA:application_desc}\")?\]\[swname\@%{INT} value=\"%{DATA:swname}\"( desc=\"%{DATA:swname_desc}\")?\](\[arg0\@%{INT} value=\"%{DATA:arg0_val}\"( desc=\"%{DATA:arg0_desc}\")?\])?(\[arg1\@%{INT} value=\"%{DATA:arg1_val}\"( desc=\"%{DATA:arg1_desc}\")?\])?(\[arg2\@%{INT} value=\"%{DATA:arg2_val}\"( desc=\"%{DATA:arg2_desc}\")?\])?(\[arg3\@%{INT} value=\"%{DATA:arg3_val}\"( desc=\"%{DATA:arg3_desc}\")?\])?(\[arg4\@%{INT} value=\"%{DATA:arg4_val}\"( desc=\"%{DATA:arg4_desc}\")?\])?(\[arg5\@%{INT} value=\"%{DATA:arg5_val}\"( desc=\"%{DATA:arg5_desc}\")?\])? %{GREEDYDATA:log_message}",
# VDX
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} %{DATA:daemon}: \[log\@%{INT} value=\"RASLOG\"]\[timestamp\@%{INT} value=\"%{DATA:log_timestamp}\"\]\[msgid\@%{INT} value=\"%{DATA:log_facility}-%{DATA:log_mnemonic}\"\]\[seqnum\@%{INT} value=\"%{DATA:seqnum}\"( desc=\"%{DATA:seqnum_desc}\")?\]\[attr\@%{INT} value=\"%{DATA:wwn}\"( desc=\"%{DATA:wwn_desc}\")?\]\[severity\@%{INT} value=\"%{DATA:log_severity}\"( desc=\"%{DATA:severity_desc}\")?\]\[swname\@%{INT} value=\"%{DATA:swname}\"( desc=\"%{DATA:swname_desc}\")?\](\[arg0\@%{INT} value=\"%{DATA:arg0_val}\"( desc=\"%{DATA:arg0_desc}\")?\])?(\[arg1\@%{INT} value=\"%{DATA:arg1_val}\"( desc=\"%{DATA:arg1_desc}\")?\])?(\[arg2\@%{INT} value=\"%{DATA:arg2_val}\"( desc=\"%{DATA:arg2_desc}\")?\])?(\[arg3\@%{INT} value=\"%{DATA:arg3_val}\"( desc=\"%{DATA:arg3_desc}\")?\])?(\[arg4\@%{INT} value=\"%{DATA:arg4_val}\"( desc=\"%{DATA:arg4_desc}\")?\])?(\[arg5\@%{INT} value=\"%{DATA:arg5_val}\"( desc=\"%{DATA:arg5_desc}\")?\])? %{GREEDYDATA:log_message}",
# N7K
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} (%{HOSTNAME:log_hostname}: )%{YEAR:year} %{MONTH:month} +%{MONTHDAY:day} %{TIME:time}.(?<millisec>[0-9]{3})( (?<timezone>[A-Z]{0,6}))?: +%%{DATA:log_facility}-%{DATA:log_severity}-%{DATA:log_mnemonic}: +%{GREEDYDATA:log_message}",
# N7K
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} (%{HOSTNAME:log_hostname}: )%{YEAR:year} %{MONTH:month} +%{MONTHDAY:day} %{TIME:time}.(?<millisec>[0-9]{3})( (?<timezone>[A-Z]{0,6}))?: +last message repeated %{INT:message_repeat} time",
# cisco
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} (%{INT:seq_num}: )?(%{HOSTNAME:log_hostname}: )(?<NTP-Error>\.|\*)?%{MONTH:month} +%{MONTHDAY:day} %{TIME:time}.(?<millisec>[0-9]{3})( (?<timezone>[A-Z]{0,6}))?: +%%{DATA:log_facility}-%{DATA:log_severity}-%{DATA:log_mnemonic}: +%{GREEDYDATA:log_message}",
# ASA
#"message", "<%{INT:syslog_pri}>%{DATA:syslog_month} +%{INT:syslog_day} %{TIME:syslog_time} %{IPORHOST:sysloghost} : %%{WORD:ASA}-%{WORD:log_severity}-%{WORD:ASA-MessageID}: %{GREEDYDATA:log_message}",
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} : %%{WORD:ASA}-%{WORD:log_severity}-%{WORD:ASA-MessageID}: %{GREEDYDATA:log_message}",
# cisco
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} (%{INT:seq_num}: )?(%{HOSTNAME:log_hostname}: )?(?<NTP-Error>\.|\*)?%{MONTH:month} +%{MONTHDAY:day} %{TIME:time}.(?<millisec>[0-9]{3}): %%{DATA:log_facility}-%{DATA:log_severity}-%{DATA:log_mnemonic}: %{GREEDYDATA:log_message}",
# cisco
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} (%{INT:seq_num}: )?(%{HOSTNAME:log_hostname}: )(%{INT:seq_num2}: )?(?<NTP-Error>\.|\*)?%{MONTH:month} +%{MONTHDAY:day} %{TIME:time}.(?<millisec>[0-9]{3})( (?<timezone>[A-Z]{0,6}))?: +%%{DATA:log_facility}-%{DATA:log_severity}-%{DATA:log_mnemonic}: +%{GREEDYDATA:log_message}",
# cisco
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} (%{INT:seq_num}: )?(%{HOSTNAME:log_hostname}: )(%{INT:seq_num2}: )?(?<NTP-Error>\.|\*)?%{MONTH:month} +%{MONTHDAY:day} %{TIME:time}.(?<millisec>[0-9]{3})( (?<timezone>[A-Z]{0,6}))?: %{GREEDYDATA:cisco_daemon} \(%{DATA:cisco_daemon_level}\): +%{GREEDYDATA:log_message}",
# cisco
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} (%{INT:seq_num}: )?(%{HOSTNAME:log_hostname}: )(?<NTP-Error>\.|\*)?%{MONTH:month} +%{MONTHDAY:day} %{TIME:time}.(?<millisec>[0-9]{3})( (?<timezone>[A-Z]{0,6}))?: +%{GREEDYDATA:log_message}",
# WLC
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} %{HOSTNAME:log_hostname}: \*%{DATA:wlc_message_id}: %{MONTH:month} +%{MONTHDAY:day} %{TIME:time}.(?<millisec>[0-9]{3}): %%{DATA:log_facility}-%{DATA:log_severity}-%{DATA:log_mnemonic}: %{GREEDYDATA:log_message}",
# HP Switche
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} %{INT:seq_num} %{DATA:daemon}: +%{GREEDYDATA:log_message}",
# loadbalancer
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} %{DATA:log_severity} %{DATA:daemon}\[%{INT:session_id}\]: \[%{DATA:daemon_log_level}\] %{GREEDYDATA:log_message}",
# loadbalancer
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} %{DATA:log_severity} %{DATA:daemon}\[%{INT:session_id}\]: \(%{DATA:lb_user}\) %{GREEDYDATA:log_message}",
# loadbalancer
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} %{DATA:log_severity} %{DATA:daemon}: \[%{DATA:process}\] %{GREEDYDATA:log_message}",
# loadbalancer
"message", "<%{INT:syslog_pri}>%{DATA:month} +%{DATA:day} +%{DATA:time} %{IPORHOST:sysloghost_ip} %{DATA:time1} %{DATA:timezone} %{IPORHOST:sysloghost} %{DATA:daemon} : %{DATA:daemon2} : +%{GREEDYDATA:log_message}",
# ICX filter sind fast ein catchall filter
# ICX 1
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} %{YEAR:year} %{MONTH:month} +%{MONTHDAY:day} %{TIME:time} %{HOSTNAME:log_hostname} %{DATA:daemon}: %{GREEDYDATA:log_message}",
# Arista
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} %{DATA:daemon}: +%%{DATA:log_facility}-%{DATA:log_severity}-%{DATA:log_mnemonic}: %{GREEDYDATA:log_message}",
# ICX 2
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} %{DATA:daemon}: %{GREEDYDATA:log_message}",
# Catchall
"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_time} %{IPORHOST:sysloghost} %{GREEDYDATA:log_message}"
]
} # grok
} # if [message]
#
# Wenn das Feld sysloghost <ip-redacted> ist, dann ist das die xxx von xxx
if [sysloghost] =="xx.xx.xx.xx" {
mutate {
add_field => { "log_hostname" => "xxx" }
}
} # END Wenn das Feld sysloghost xx.xx.xx.xx ist, dann ist das die xxx von xxx
#
# Wenn das Feld log_hostname keine IP ist und das Feld log_hostname existiert dann entsprechend den sysloghost austauschen:
if [log_hostname] !~ /^[0-9]{4}/ and [log_hostname] {
mutate {
replace => [ "sysloghost", "%{log_hostname}" ]
}
} # end sysloghost ersetzen
#
# Customer extrahieren
if [sysloghost] {
grok {
match => [
"sysloghost", "(?<customer>^.{3})"
]
}
# hier jetzt das kundenkuerzel auf xxx aendern wenn es ein internes system ist
translate {
dictionary => [
"xxx", "xxx",
"xxx", "xxx",
"xxx", "xxx",
"xxx", "xxx",
"xxx", "xxx",
"xxx", "xxx",
"xxx", "xxx",
"xxx", "xxx",
"xxx", "xxx",
"xxx", "xxx",
"xxx", "xxx",
"xxx", "xxx",
"xxx", "xxx",
"xxx", "xxx",
"xxx", "xxx",
"xxx", "xxx",
"xxx", "xxx",
"xxx", "xxx",
"xxx", "xxx",
"xxx", "xxx",
"xxx", "xxx",
"xxx", "xxx",
"xxx", "xxx"
]
field => "customer"
destination => "customer"
override => true
} # end custormer translate
mutate {
lowercase => [ "customer" ]
}
} # end customer extrahieren
# Severity erzeugen aus
if [syslog_pri] {
translate {
dictionary => [
"0", "Emergency",
"8", "Emergency",
"16", "Emergency",
"24", "Emergency",
"32", "Emergency",
"40", "Emergency",
"48", "Emergency",
"56", "Emergency",
"64", "Emergency",
"72", "Emergency",
"80", "Emergency",
"88", "Emergency",
"96", "Emergency",
"104", "Emergency",
"112", "Emergency",
"120", "Emergency",
"128", "Emergency",
"136", "Emergency",
"144", "Emergency",
"152", "Emergency",
"160", "Emergency",
"168", "Emergency",
"176", "Emergency",
"184", "Emergency",
"1", "Alert",
"9", "Alert",
"17", "Alert",
"25", "Alert",
"33", "Alert",
"41", "Alert",
"49", "Alert",
"57", "Alert",
"65", "Alert",
"73", "Alert",
"81", "Alert",
"89", "Alert",
"97", "Alert",
"105", "Alert",
"113", "Alert",
"121", "Alert",
"129", "Alert",
"137", "Alert",
"145", "Alert",
"153", "Alert",
"161", "Alert",
"169", "Alert",
"177", "Alert",
"185", "Alert",
"2", "Critical",
"10", "Critical",
"18", "Critical",
"26", "Critical",
"34", "Critical",
"42", "Critical",
"50", "Critical",
"58", "Critical",
"66", "Critical",
"74", "Critical",
"82", "Critical",
"90", "Critical",
"98", "Critical",
"106", "Critical",
"114", "Critical",
"122", "Critical",
"130", "Critical",
"138", "Critical",
"146", "Critical",
"154", "Critical",
"162", "Critical",
"170", "Critical",
"178", "Critical",
"186", "Critical",
"3", "Error",
"11", "Error",
"19", "Error",
"27", "Error",
"35", "Error",
"43", "Error",
"51", "Error",
"59", "Error",
"67", "Error",
"75", "Error",
"83", "Error",
"91", "Error",
"99", "Error",
"107", "Error",
"115", "Error",
"123", "Error",
"131", "Error",
"139", "Error",
"147", "Error",
"155", "Error",
"163", "Error",
"171", "Error",
"179", "Error",
"187", "Error",
"4", "Warning",
"12", "Warning",
"20", "Warning",
"28", "Warning",
"36", "Warning",
"44", "Warning",
"52", "Warning",
"60", "Warning",
"68", "Warning",
"76", "Warning",
"84", "Warning",
"92", "Warning",
"100", "Warning",
"108", "Warning",
"116", "Warning",
"124", "Warning",
"132", "Warning",
"140", "Warning",
"148", "Warning",
"156", "Warning",
"164", "Warning",
"172", "Warning",
"180", "Warning",
"188", "Warning",
"5", "Notice",
"13", "Notice",
"21", "Notice",
"29", "Notice",
"37", "Notice",
"45", "Notice",
"53", "Notice",
"61", "Notice",
"69", "Notice",
"77", "Notice",
"85", "Notice",
"93", "Notice",
"101", "Notice",
"109", "Notice",
"117", "Notice",
"125", "Notice",
"133", "Notice",
"141", "Notice",
"149", "Notice",
"157", "Notice",
"165", "Notice",
"173", "Notice",
"181", "Notice",
"189", "Notice",
"6", "Info",
"14", "Info",
"22", "Info",
"30", "Info",
"38", "Info",
"46", "Info",
"54", "Info",
"62", "Info",
"70", "Info",
"78", "Info",
"86", "Info",
"94", "Info",
"102", "Info",
"110", "Info",
"118", "Info",
"126", "Info",
"134", "Info",
"142", "Info",
"150", "Info",
"158", "Info",
"166", "Info",
"174", "Info",
"182", "Info",
"190", "Info",
"7", "Debug",
"15", "Debug",
"23", "Debug",
"31", "Debug",
"39", "Debug",
"47", "Debug",
"55", "Debug",
"63", "Debug",
"71", "Debug",
"79", "Debug",
"87", "Debug",
"95", "Debug",
"103", "Debug",
"111", "Debug",
"119", "Debug",
"127", "Debug",
"135", "Debug",
"143", "Debug",
"151", "Debug",
"159", "Debug",
"167", "Debug",
"175", "Debug",
"183", "Debug",
"191", "Debug"
]
field => "syslog_pri"
destination => "severity"
override => true
}
} # end severity aendern
# ASA MessageID Logclass ermitteln (es sind die ersten drei ziffern der message ID)
# https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/about.html
if [ASA-MessageID] {
grok {
match => [
"ASA-MessageID", "(?<ASA-MessageID-Class>^.{3})"
]
}
# hier jetzt das Cisco Logfacility Feld befuellen
translate {
dictionary => [
"109", "AUTH",
"113", "AUTH",
"415", "APPFW",
"110", "BRIDGE",
"220", "BRIDGE",
"717", "CA",
"723", "CITRIX",
"747", "CLUSTER",
"323", "CARDM",
"111", "CONFIG",
"112", "CONFIG",
"208", "CONFIG",
"308", "CONFIG",
"724", "CSD",
"776", "CTS",
"734", "DAP",
"333", "EAP",
"334", "EAPOUDP",
"336", "EIGRP",
"719", "EMAIL",
"735", "ENVM",
"101", "HA",
"102", "HA",
"103", "HA",
"104", "HA",
"105", "HA",
"210", "HA",
"311", "HA",
"709", "HA",
"746", "IDFW",
"400", "IDS",
"733", "IDS",
"750", "IKEV2",
"751", "IKEV2",
"752", "IKEV2",
"209", "IP",
"215", "IP",
"313", "IP",
"317", "IP",
"408", "IP",
"735", "IPAA",
"400", "IPS",
"401", "IPS",
"420", "IPS",
"325", "IPV6",
"338", "BWGLISTS",
"444", "LIC",
"802", "MDM-PROXY",
"731", "NAC",
"732", "NAC",
"731", "NACPOLICY",
"732", "NACSETTINGS",
"319", "NP",
"725", "NPSSL",
"318", "OSPF",
"409", "OSPF",
"503", "OSPF",
"613", "OSPF",
"742", "PWENC",
"337", "PHONEPROXY",
"107", "RIP",
"312", "RIP",
"321", "RM",
"120", "SCH",
"106", "SESSION",
"108", "SESSION",
"201", "SESSION",
"202", "SESSION",
"204", "SESSION",
"302", "SESSION",
"303", "SESSION",
"304", "SESSION",
"305", "SESSION",
"314", "SESSION",
"405", "SESSION",
"406", "SESSION",
"407", "SESSION",
"500", "SESSION",
"502", "SESSION",
"607", "SESSION",
"608", "SESSION",
"609", "SESSION",
"616", "SESSION",
"620", "SESSION",
"703", "SESSION",
"710", "SESSION",
"212", "SNMP",
"775", "SCANSAFE",
"725", "SSL",
"722", "SVC",
"199", "SYS",
"211", "SYS",
"214", "SYS",
"216", "SYS",
"306", "SYS",
"307", "SYS",
"315", "SYS",
"414", "SYS",
"604", "SYS",
"605", "SYS",
"606", "SYS",
"610", "SYS",
"612", "SYS",
"614", "SYS",
"615", "SYS",
"701", "SYS",
"711", "SYS",
"741", "SYS",
"733", "THREAD-DEC",
"780", "TRE",
"339", "UCIME",
"779", "TAG-SWITCHING",
"730", "VM",
"213", "VPDN",
"403", "VPDN",
"603", "VPDN",
"316", "VPN",
"320", "VPN",
"402", "VPN",
"404", "VPN",
"501", "VPN",
"602", "VPN",
"702", "VPN",
"713", "VPN",
"714", "VPN",
"715", "VPN",
"611", "VPNC",
"720", "VPNFO",
"718", "VPNLB",
"778", "VXLAN",
"721", "WEBFO",
"716", "WEBVPN",
"305", "NATPAT",
"419", "DUPSYN",
"737", "IPAA",
"411", "LINEPROTO"
]
field => "ASA-MessageID-Class"
destination => "log_facility"
} # END hier jetzt das Cisco Logfacility Feld befuellen
# hier jetzt das Cisco Log_mnemonic Feld befuellen
translate {
dictionary => [
"106100", "IPACCESSLOGPERMIT",
"106023", "IPACCESSLOGDENY",
"111008", "COMMAND_CONF",
"111009", "COMMAND_SHOW",
"111010", "APPLICATION_EXECUTION",
"113003", "AAA_GROUP_POLICY_SET",
"113004", "AAA_ACCOUNTING",
"113005", "AAA_AUTH_REJECTED",
"113008", "AAA_TRANSACTION_SUCCESS",
"113009", "AAA_GROUP_POLICY",
"113019", "SESSION_DISCONNECTED",
"113022", "SERVER_ERROR",
"113011", "AAA_GROUP_POLICY_SELECT",
"113012", "AAA_AUTH_SUCCESS_LOCAL_DB",
"113039", "SESSION_STARTED",
"201013", "CLIENT_CONNECTION_LIMIT",
"210007", "LU_XLATE_ALLOCATE",
"302010", "CONNECTIONS_USED",
"305006", "NAT_CREATION_FAIL",
"313001", "ICMP_DENY",
"313005", "ICMP_NO_MATCHING_CONNECTION",
"313008", "ICPMPV6_DENY",
"402114", "IPSEC_SA_TIMING",
"402116", "IPSEC_WRONG_TRAFFIC",
"402117", "IPSEC_UNENCAPSULATED_PACKET",
"402119", "IPSEC_WRONG_SEQUENCE_NUM",
"402120", "IPSEC_FAILED_AUTHENTICATION",
"405001", "ARP_COLLISION",
"419002", "DUPLICATE_TCP_SYN",
"602305", "IPSEC_SA_CREATION",
"611101", "AAA_AUTH_ACCEPTED",
"611102", "AAA_AUTH_REJECTED",
"710003", "IPACCESSLOGDENY",
"711004", "PROCESS_HOGGING",
"713048", "IPSEC_PAYLOAD_ERROR",
"713061", "IPSEC_TUNNEL_REJECT",
"713122", "IKE_KEEPALIVE_ERROR",
"713123", "IKE_DPD_ERROR",
"713206", "IPSEC_TUNNEL_CONFLICT",
"713227", "IPSEC_SA_NO_SECOND_NEGOTIATION",
"713228", "VPN_IP_ASSIGNMENT",
"713261", "IKE_SA_NOIPV6_ON_INTERFACE",
"713901", "ISAKMP_VPNC_ANTI-DDOS",
"713902", "ISAKMP_ERROR",
"713903", "IKE_ERROR",
"716002", "WEBVPN_SESSION_TERMINATED",
"716039", "WEBVPN_SESSION_REJECTED",
"716058", "WEBVPN_SESSION_LOST_CONNECTION",
"716059", "WEBVPN_SESSION_RESUME",
"722010", "SVC_MESSAGE",
"722011", "SVC_MESSAGE",
"722012", "SVC_MESSAGE",
"722013", "SVC_MESSAGE",
"722014", "SVC_MESSAGE",
"722030", "SVC_SESSION_STATS",
"722031", "SVC_SESSION_TERMINATED",
"722022", "SVC_COMPRESSION",
"722023", "SVC_SESSION_TERMINATED_COMPRESSION",
"722028", "SVC_STALE_CONNECTION_CLOSED",
"722029", "SVC_SESSION_TERMINATED_STATS",
"722032", "SVC_SESSION_REPLACEING",
"722033", "SVC_CONNECTION_ESTABLISHED",
"722034", "SVC_RE-CONNECTION",
"722037", "SVC_CLOSING_REASON",
"722041", "SVC_TUN_NO_IPV6",
"722051", "SVC_IP_ASSIGNMENT",
"722055", "SVC_CLIENT_TYPE",
"722056", "SVC_CLIENT_REJECT",
"725001", "HANDSHAKE_START",
"725002", "HANDSHAKE_COMPLETED",
"725003", "SESSION_RESUME",
"725005", "CERTIFICATE_REQUEST",
"725007", "SSL_SESSION_TERMINATED",
"734001", "RECORD_SELECT",
"737032", "STANDBY_ADDRESS_REMOVE_ERR",
"750003", "SA_NEGOTIATION_ERROR",
"750012", "ENCRYPTION_TOO_WEAK",
"751014", "PAYLOAD_REQUEST_ERROR",
"752010", "NO_PROPOSAL_SPECIFIED",
"752012", "CRYPTOMAP_ERROR",
"752015", "L2L_SA_ERROR"
]
field => "ASA-MessageID"
destination => "log_mnemonic"
} # END hier jetzt das Cisco Log_mnemonic Feld befuellen
} # END ASA MessageID Logclass ermitteln (es sind die ersten drei ziffern der message ID)
#
# log_message filtern und markieren
if [log_message] {
grok {
match => [
# security audit user logins
# ICX logins
"log_message", "SSH %{DATA:session_status} by %{DATA:username} from src %{DATA} %{IP:src_ip} from src MAC %{MAC:src_mac} from %{GREEDYDATA:session_mode} mode using %{GREEDYDATA}",
"log_message", "SSH %{DATA:session_status} by %{DATA:username} from src %{DATA} %{IP:src_ip} from src MAC %{MAC:src_mac} to %{GREEDYDATA:session_mode} mode using %{GREEDYDATA}",
"log_message", "%{GREEDYDATA:session_reason}. %{DATA:session_status}, intruder IP: +%{IP:src_ip}",
# MLX Logins
"log_message", "ssh %{DATA:session_status} by %{DATA:username} from src %{DATA} %{IP:src_ip} to %{GREEDYDATA:session_mode} mode using %{GREEDYDATA}",
"log_message", "SSH %{DATA:session_mode} by user %{DATA:username} from src %{DATA} %{IP:src_ip} %{DATA:session_status}, %{GREEDYDATA}",
# Cisco logins
"log_message", "Login %{DATA:session_status} \[user: %{DATA:username}\] \[Source: %{IP:src_ip}\] \[localport: %{INT}\] at %{GREEDYDATA}",
"log_message", "Login %{DATA:session_status} \[user: %{DATA:username}\] \[Source: %{DATA}\] \[localport: %{INT}\] at %{GREEDYDATA}",
"log_message", "Login %{DATA:session_status} \[user: %{DATA:username}\] \[Source: %{IP:src_ip}\] \[localport: %{INT}\] \[Reason: %{GREEDYDATA:session_reason}]\ at %{GREEDYDATA}",
"log_message", "%{DATA:ssh}%{INT:ssh_ver} Session from %{IP:src_ip} \(%{GREEDYDATA}\) for user \'%{DATA:username}\' using crypto cipher \'%{GREEDYDATA}\', hmac \'%{GREEDYDATA}\' %{GREEDYDATA:session_status}",
"log_message", "%{DATA:ssh}%{INT:ssh_ver} Session request from %{IP:src_ip} \(%{GREEDYDATA}\) using crypto cipher \'%{GREEDYDATA}\', hmac \'%{GREEDYDATA}\' %{GREEDYDATA:session_status}",
"log_message", "User %{DATA:username} has %{DATA:session_status} tty session %{INT}\(%{IP:src_ip}\)",
"log_message", "User \'%{DATA:username}\' authentication for %{DATA:ssh}%{INT:ssh_ver} Session from %{IP:src_ip} \(%{GREEDYDATA}\) using crypto cipher \'%{GREEDYDATA}\', hmac \'%{GREEDYDATA}\' %{GREEDYDATA:session_status}",
"log_message", "%{DATA:session_status} from console by %{DATA:username} on vty%{INT} \(%{IP:src_ip}\)",
"log_message", "%{DATA:session_status} from vty by %{DATA:username} on %{IP:src_ip}\@%{GREEDYDATA}",
# ASA logins
"log_message", "AAA user authentication %{DATA:session_status} : server = %{IP} : user = %{GREEDYDATA:username}",
"log_message", "User authentication %{DATA:session_status}: IP address: %{IP:src_ip}, Uname: %{GREEDYDATA:username}",
"log_message", "User authentication %{DATA:session_status}: IP address: %{IPORHOST:src_ip}, Uname: %{GREEDYDATA:username}",
# VDX logins
"log_message", "BOMEvent: %{DATA:session}, Status: %{DATA:session_status}, Info: Successful login attempt via %{DATA}, IP Addr: %{IP}.",
"log_message", "BOMEvent: %{DATA:session}, Status: %{DATA:session_status}, Info: Failed login attempt through %{DATA}, IP Addr: %{IP}.",
"log_message", "BOMLogin information: %{DATA:session} %{DATA:session_status} via TELNET/SSH/RSH. IP Addr: %{IPORHOST:hostname}.",
"log_message", "BOMTACACS\+ server %{IPORHOST:AAA-Server} %{DATA:session_status} user account \'%{DATA:username}\'.",
#N7K logins
"log_message", "%{DATA:session_status} user added with username %{DATA:username} - %{GREEDYDATA:daemon}",
"log_message", "Login %{DATA:session_status} for user %{DATA:username} - sshd",
"log_message", "user (delete) %{DATA:session_status} for %{DATA}:%{DATA:process}: user %{DATA:username} is currently used by process %{INT:process_id}",
"log_message", "%{DATA:username} : TTY=%{GREEDYDATA:tty} ; PWD=%{GREEDYDATA:pwd} ; USER=%{GREEDYDATA:systemuser} ; COMMAND=%{GREEDYDATA:command} /proc/%{INT:proc_id}/environ - %{GREEDYDATA}",
"log_message", "pam_warn\(%{GREEDYDATA:pam_warn}\): function=\[%{GREEDYDATA:function}\] service=\[%{GREEDYDATA:service}\] terminal=\[%{GREEDYDATA:tty}\] user=\[%{DATA:systemuser}\] ruser=\[%{DATA:username}\] rhost=\[%{GREEDYDATA:rhost}\] +- %{GREEDYDATA}",
# Arista Logins
# session_stop
"log_message", "%{IPORHOST:hostname} %{DATA:username} %{DATA:session_mode} %{IPORHOST:src_ip} %{DATA:session_status} task_id=%{INT:task_id} start_time=%{INT:start_time} timezone=%{DATA} service=%{DATA:service} elapsed_time=%{GREEDYDATA:elapsed_time}",
# session_start
"log_message", "%{IPORHOST:hostname} %{DATA:username} %{DATA:session_mode} %{IPORHOST:src_ip} %{DATA:session_status} task_id=%{INT:task_id} start_time=%{INT:start_time} timezone=%{DATA} service=%{GREEDYDATA:service}",
# VDX Logs
"log_message", "BOMENS %{GREEDYDATA}",
"log_message", "BOMEvent: %{GREEDYDATA}",
# Cisco Logmessages
# Cisco
"log_message", "%{DATA:error_message}: message repeated %{INT:message_repeat_count} (times|time) in last %{INT:message_repeat_intervall} (min|sec)",
# Cisco
"log_message", "Mac %{MAC:mac} in vlan %{INT:vlan_id} has moved from %{DATA:src_interface} to %{GREEDYDATA:dst_interface}",
# Cisco AUTHMGT
"log_message", "VLAN %{INT:vlan_id} assigned to Interface %{DATA:interface} AuditSessionID %{GREEDYDATA:session_id}",
# Cisco
"log_message", "list %{DATA:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} %{IP:src_ip}\(%{INT:src_port}\) -> %{IP:dst_ip}\(%{INT:dst_port}\), %{INT:packet_count} packet[s]{0,1}%{GREEDYDATA}",
"log_message", "list %{DATA:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} %{IP:src_ip} -> %{IP:dst_ip} \(%{INT}\/%{INT}\), %{INT:packet_count} packet[s]{0,1}%{GREEDYDATA}",
"log_message", "list %{DATA:policy_id} %{CISCO_ACTION:action} %{INT} %{IP:src_ip} -> %{IP:dst_ip}, %{INT:packet_count} packet[s]{0,1}%{GREEDYDATA}",
"log_message", "list %{DATA:policy_id} %{CISCO_ACTION:action} %{IP:src_ip} %{INT:packet_count} packet[s]{0,1}%{GREEDYDATA}",
"log_message", "%{DATA:spa}%{INT:spa_num}: %{DATA:manager}: +list %{DATA:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} %{IP:src_ip}\(%{INT:src_port}\) %{DATA:interface}-> %{IP:dst_ip}\(%{INT:dst_port}\), %{INT:packet_count} packet[s]{0,1}%{GREEDYDATA}",
# Cisco
"log_message", "Authorization %{DATA:8021x_session_status} for client \(%{GREEDYDATA:client}\) on Interface %{DATA:src_interface} AuditSessionID %{INT:session_id}",
# Cisco NTP
"log_message", "%{DATA:daemon} Receive dropping message: %{GREEDYDATA:error_message}. Drop (C|c)ount:[' ']{0,2}%{INT:drop_count} +- ntpd",
"log_message", "ntp_receive: dropping message: restricted..",
#
#L2FM
"log_message", "%{MAC:mac} in vlan %{DATA:vlan_id} has moved from %{DATA:src_interface} to %{GREEDYDATA:dst_interface}",
# Interface SECURITY_VIOLATION
"log_message", "%{GREEDYDATA:security_audit_message} on the interface %{GREEDYDATA:interface}, new MAC address \(%{MAC:mac}\) is seen.AuditSessionID %{GREEDYDATA:security_audit}",
#
#URIB / U6RIB Memory
"log_message", "(urib|u6rib) \[%{INT}\] \(%{DATA}\) +%{GREEDYDATA:error_message}",
#
#PORT_SECURITY
"log_message", "%{GREEDYDATA:error_message}, caused by MAC address %{MAC:mac} on port %{GREEDYDATA:interface}",
#
#DOT1X
"log_message", "%{GREEDYDATA:error_message} for client \(%{DATA:mac}\) on Interface %{DATA:interface} AuditSessionID %{GREEDYDATA:session_id}",
#
#HSRP_ENGINE
"log_message", "Interface %{DATA:interface} IPV%{INT:ipversion} Grp %{DATA:hsrp_grp} %{GREEDYDATA:log_message} reason %{GREEDYDATA:error_message}",
#CDP Neighbor
"log_message", "Device %{DATA:cdp_hostname}\(%{DATA:cdp_host_serialnum}\) discovered of type %{DATA:cdp_hosttype} with port %{DATA:src_interface} on incoming port %{DATA:dst_interface} with ip addr %{IP:src_ip} and mgmt ip %{IP:mgmt_ip}, %{IP:mgmt_ipv6}%{GREEDYDATA}",
#SW_MATM-4-MACFLAP_NOTIF
"log_message", "Host %{MAC:mac} in vlan %{INT:vlan_id} is %{DATA:error_message} between port %{DATA:interface} and port %{DATA:interface2}",
#TUNNEL-5-IF_STATE_UPDATE
"log_message", "Interface %{DATA:interface} is %{DATA:interface_operstate} reason %{GREEDYDATA:error_message}",
#TUNNEL-4-TM_MTU_PROGRAMMING
"log_message", "Programming %{DATA:interface} mtu %{INT:mtu}%{GREEDYDATA}",
#TUNNEL-5-IF_DELETED
"log_message", "Interface %{DATA:interface} is %{GREEDYDATA:interface_operstate}",
#Interface
#LINEPROTO-5-UPDOWN
"log_message", "Line protocol on Interface %{DATA:interface}, changed state to %{GREEDYDATA:interface_operstate}",
# LINK-3-UPDOWN
"log_message", "Interface %{DATA:interface}, changed state to %{GREEDYDATA:interface_operstate}",
# Interface err disable
"log_message", "Attempting to recover from %{DATA:security_audit} %{DATA:error_message} state on %{GREEDYDATA:interface}",
# ARP-4-OWN_SRCMAC
"log_message", "arp \[%{INT:seq_num}\] Received packet with a local source MAC address \(%{MAC:mac}\) from %{IP:src_ip} on Vlan%{INT:vlan_id}",
#
# ARP_2_DUP_SRC_IP
"log_message", "arp \[%{INT:seq_num}\] +Source address of packet received from %{MAC:mac} on Vlan%{INT:vlan_id}\(%{DATA:interface}\) is duplicate of local, %{IP:src_ip}",
#
# ARP-3-DUP_VADDR_SRC_IP
"log_message", "arp \[%{INT:seq_num}\] +Source address of packet received from %{MAC:src_mac} on Vlan%{INT:vlan_id}\(%{DATA:interface}\) is duplicate of local virtual ip, %{IP:src_ip}",
#
# ICMPV6-3-ND_LOG
"log_message", "icmpv6 \[%{INT:seq_num}\] Duplicate address %{IP:src_ip} detected on Vlan%{INT:vlan_id}",
#
# DHCP_SNOOPING_DENY
"log_message", "%{INT:count} %{GREEDYDATA:error_message} on %{DATA:interface}, vlan %{INT:vlan_id}.\(\[%{MAC:src_mac}\/%{IP:src_ip}\/%{MAC:dst_mac}\/%{IP:dst_ip}\/%{GREEDYDATA}",
# DHCP error
"log_message", "%{DATA} %{DATA:error_status} message because the %{GREEDYDATA:error_message}, message type: %{DATA:message_type}, chaddr: %{MAC:cha_mac}, MAC sa: %{MAC:sa_mac}",
# Cisco
"log_message", "New user added with username %{DATA:username} - %{GREEDYDATA:daemon}",
# Cisco Duplicate IP
"log_message", "Duplicate address %{IP:src_ip} on %{DATA:interface}, sourced by %{MAC:src_mac}",
#
"log_message", "%{DATA:username}#%{INT}# : TTY=%{GREEDYDATA:TTY} ; PWD=%{GREEDYDATA:PWD} ; USER=%{DATA} ; COMMAND=%{GREEDYDATA} \/proc\/%{INT}\/environ - %{GREEDYDATA:sudo}",
# Logging enable / disable
"log_message", "%{DATA:logging} to host %{IPORHOST:hostname} (p|P)ort %{INT:dst_port} %{GREEDYDATA:loggig_status}",
# ACL Logging rate Limit
"log_message", "access-list logging rate-limited or missed %{INT:packet_count} packet[s]{0,1}%{GREEDYDATA}",
# ACL log
"log_message", "Src IP: %{IP:src_ip}, Dst IP: %{IP:dst_ip}, Src Port: %{INT:src_port}, Dst Port: %{INT:dst_port}, Src Intf: %{DATA:src_interface}, Protocol: \"%{DATA:ip_protcol}\"\(%{DATA:ip_protcol_num}\), Hit-count = %{INT:hitcount}[' ']{0,2}",
# WLC
"log_message", "\[%{DATA:wlc_log_id}\]%{DATA:wlc_program}:%{INT:wlc_program_num} +%{GREEDYDATA}",
"log_message", "%{DATA:wlc_program}:%{INT:wlc_program_num} (MAX|AP|Client) +%{GREEDYDATA}",
# ASA messages
"log_message", "User '%{DATA:username}' executed cmd: %{DATA:command}[' ']{0,2}%{GREEDYDATA:log_message}",
# 111008
"log_message", "User '%{DATA:username}' executed the '%{GREEDYDATA:command}'[' ']{0,2}%{GREEDYDATA:log_message}",
# 111010
"log_message", "User '%{DATA:username}', running '%{DATA:application-name}' from IP %{IP:src_ip}, executed '%{GREEDYDATA:command}'[' ']{0,2}%{GREEDYDATA:log_message}",
# VPN
# Soll auf "ASA-0-113009" matchen
"log_message", "Group = %{DATA:vpn_group}, Username = %{DATA:username}, IP = %{IP:src_ip}, Session %{DATA:vpn_session}. Session Type: %{DATA:vpn_session_type}, Duration: %{DATA:vpn_session_duration}, Bytes xmt: %{DATA:vpn_received}, Bytes rcv: %{DATA:vpn_transmitted}, Reason: %{GREEDYDATA:vpn_session_end_reason}",
# 113019
"log_message", "Group = %{IPORHOST:vpn_group}, Username = %{IPORHOST:username}, IP = %{IP:src_ip}, Session %{DATA:vpn_session}. Session Type: %{DATA:vpn_session_type}, Duration: %{DATA:vpn_session_duration}s, Bytes xmt: %{DATA:vpn_received}, Bytes rcv: %{DATA:vpn_transmitted}, Reason: %{GREEDYDATA:vpn_session_end_reason}",
# 313008
"log_message", "%{CISCO_ACTION:action} IPv%{INT:ipversion}-%{WORD:protocol} type=%{INT:protocol_type}, code=%{INT:protocol_num} from %{IP:src_ip} on interface %{GREEDYDATA:src_interface}",
# soll auf 713120 matchen
"log_message", "Group = %{DATA:vpn_group}, IP = %{IP:src_ip}, %{GREEDYDATA:log_message}",
# soll auf 713228 matchen
"log_message", "Group = %{DATA:vpn_group}, Username = %{DATA:username}, IP = %{IP:src_ip}, Assigned private IP address %{IP:vpn_ip} to remote user%{GREEDYDATA:log_message}",
# 722037
"log_message", "Group <%{DATA:vpn_group_policy}> User <%{DATA:username}> IP <%{IPORHOST:src_ip}> SVC closing connection: %{GREEDYDATA:vpn_session_end_reason}.",
# 722051 mit ipv6
"log_message", "Group <%{DATA:vpn_group_policy}> User <%{DATA:username}> IP <%{IPORHOST:src_ip}> IPv4 Address <%{IP:vpn_ip}> IPv6 address <%{IP:vpn_ipv6}> assigned to session",
# 722051 ohne ipv6
"log_message", "Group <%{DATA:vpn_group_policy}> User <%{DATA:username}> IP <%{IPORHOST:src_ip}> IPv4 Address <%{IP:vpn_ip}> IPv6 address <::> assigned to session",
# 716002
"log_message", "Group <%{DATA:vpn_group_policy}> User <%{DATA:username}> IP <%{IPORHOST:src_ip}> WebVPN session terminated: %{GREEDYDATA:vpn_session_end_reason}",
# 113003
"log_message", "%{DATA:AAA} group policy for user %{DATA:username} is being set to %{GREEDYDATA:vpn_group_policy}",
# 113004
"log_message", "%{DATA:AAA} user %{DATA:AAA-Type} %{DATA:AAA-Result} : server = %{IP:AAA-Server} : user = %{GREEDYDATA:username}",
# 113008
"log_message", "%{DATA:AAA} %{DATA:AAA-Type} status %{DATA:AAA-Result} : user = %{GREEDYDATA:username}[' ']{0,2}%{GREEDYDATA:log_message}",
# 113009
"log_message", "%{DATA:AAA} retrieved default group policy \(%{DATA:vpn_group_policy}\) for user = %{GREEDYDATA:username}",
# 113012
"log_message", "%{DATA:AAA} user %{DATA:AAA-Type} %{DATA:AAA-Result} : local database : user = %{GREEDYDATA:username}",
# 113023
"log_message", "%{DATA:AAA} Marking LDAP server %{IPORHOST:AAA-Server} in aaa-server group %{DATA:AAA_group} as %{GREEDYDATA:AAA-Result}",
# 713061
"log_message", "Group = %{DATA:vpn_group}, IP = %{IP:src_ip}, %{DATA:action} %{DATA:IPSec} tunnel: %{GREEDYDATA:error_message} for remote proxy %{IP:ipsec_src}/%{IP:ipsec_src_mask}/0/0 local proxy %{IP:ipsec_dst}/%{IP:ipsec_dst_mask}/0/0 on interface %{DATA:dst_interface}",
# 713122
"log_message", "IP = %{IP:src_ip}, Keep-alives configured on but %{GREEDYDATA:error_message} \(type = %{DATA}\)",
# SSL
# 725002
"log_message", "Device completed %{DATA:SSL} %{DATA:SSL_session_status} with client %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} for %{DATA:ssl_protocol}v%{DATA:ssl_protocol_version} session",
# 725001
"log_message", "%{DATA:SSL_session_status} %{DATA:SSL} handshake with client %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} for %{DATA:ssl_protocol} session",
"log_message", "%{DATA:SSL_session_status} %{DATA:SSL} handshake with server %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} for %{DATA:ssl_protocol} session",
# 750003
"log_message", "Local:%{IPORHOST:src_ip}:%{INT:src_port} Remote:%{IP:dst_ip}:%{INT:dst_port} Username:%{DATA:username} %{DATA:ike}v%{INT:ike_version} %{GREEDYDATA:error_message}",
# 725005
"log_message", "%{DATA:SSL} session with client %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} %{GREEDYDATA:SSL_session_status}",
"log_message", "%{DATA:SSL} server %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} %{GREEDYDATA:SSL_session_status}",
# 402116
"log_message", "%{DATA:IPSEC}: Received an ESP packet \(%{GREEDYDATA:spi}\) from %{IPORHOST:src_ip} \(user= %{DATA:username}\) to %{IP:dst_ip}. +%{GREEDYDATA:error_message}",
# 450001
"log_message", "Received %{GREEDYDATA:error_message} from %{IP:src_ip}\/%{MAC:src_mac} on interface %{DATA:interface} with existing ARP entry %{IP:dst_ip}\/%{MAC:dst_mac}",
# 725003
"log_message", "%{DATA:SSL} client %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} request to %{GREEDYDATA:SSL_session_status}.",
"log_message", "%{DATA:SSL} client %{DATA:src_interface}:%{IP:src_ip}\/%{INT:src_port} to %{IP:dst_ip}\/%{INT:dst_port} request to %{DATA:SSL_session_status} %{GREEDYDATA}",
# 210007
"log_message", "%{DATA:error_message} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} \(%{DATA:ip_src_xlate_addr}/%{DATA:ip_src_xlate_port}\) to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port} \(%{DATA:ip_dst_xlate_addr}/%{DATA:ip_dst_xlate_port}\)",
# 710003
"log_message", "%{DATA:ip_protcol} access %{DATA:error_message} by %{DATA:acl} from %{IP:src_ip}\/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}\/%{INT:dst_port}",
# 722010-14
"log_message", "Group <%{DATA:vpn_group_policy}> User <%{DATA:username}> IP <%{IPORHOST:src_ip}> SVC Message: %{INT:svc_type_num}\/%{DATA:svc_message_severity}: %{GREEDYDATA:svc_message}",
# 722023
"log_message", "Group <%{DATA:vpn_group_policy}> User <%{DATA:username}> IP <%{IPORHOST:src_ip}> %{GREEDYDATA:error_message}",
# 722041
"log_message", "TunnelGroup <%{DATA:vpn_group}> GroupPolicy <%{DATA:vpn_group_policy}> User <%{DATA:username}> IP <%{IPORHOST:src_ip}> +%{GREEDYDATA:error_message}",
# 734001
"log_message", "DAP: User %{DATA:username}, Addr %{IPORHOST:src_ip}, Connection %{DATA:DAP_connection}: The following DAP records were selected for this connection: %{GREEDYDATA:DAP_record}",
# 725007.
"log_message", "%{DATA:SSL} session with (client|server) %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} %{GREEDYDATA:SSL_session_status}",
# 725010.
"log_message", "%{DATA:ike}v%{INT:ike_version} Doesn't have a %{GREEDYDATA:ike_error} specified",
# 725012.
"log_message", "%{DATA:ike}v%{INT:ike_version} was unsuccessful at setting up a tunnel. +Map Tag = %{DATA:cyrpto_map}. +Map Sequence Number = %{INT:cyrpto_map_seq}.",
# 725015.
"log_message", "Tunnel Manager has failed to establish an %{DATA:vpn_session_type} SA. +All configured %{DATA:ike} versions %{GREEDYDATA:error_message}. Map Tag= %{DATA:cyrpto_map}. +Map Sequence Number = %{INT:cyrpto_map_seq}.",
#soll auf 305006 matchen
"log_message", "%{DATA:error_message} for %{DATA:ip_protcol} src %{DATA:src_interface}:%{IP:src_ip} dst %{DATA:dst_interface}:%{IP:dst_ip} \(type %{DATA:icmp_type}, code %{DATA:icmp_code}\)%{GREEDYDATA:log_message}",
# soll auf 713123 matchen auch fast eine catch all regel
"log_message", "Group = %{DATA:vpn_group}, IP = %{DATA:username}, %{GREEDYDATA:log_message}",
# asa 411
"log_message", "Line protocol on Interface %{DATA:interface}, changed state to %{GREEDYDATA:interface_operstate}",
"log_message", "AAA user authentication %{DATA:security_audit} : reason = %{GREEDYDATA:auth_reason} : server = %{IP} : user = %{GREEDYDATA:username}",
"log_message", "AAA user authentication %{DATA:security_audit} : reason = %{GREEDYDATA:auth_reason} : server = %{IP} : user = %{DATA:username} : user IP = %{IP:src_ip}",
"log_message", "User authentication %{DATA:security_audit}: IP address: %{IP:src_ip}, Uname: %{GREEDYDATA:username}",
# ASA-1-104001
"log_message", "%{CISCOFW104001}",
# # ASA-1-104002
"log_message", "%{CISCOFW104002}",
# # ASA-1-104003
"log_message", "%{CISCOFW104003}",
# # ASA-1-104004
"log_message", "%{CISCOFW104004}",
# # ASA-1-105003
"log_message", "%{CISCOFW105003}",
# # ASA-1-105004
"log_message", "%{CISCOFW105004}",
# # ASA-1-105005
"log_message", "%{CISCOFW105005}",
# # ASA-1-105008
"log_message", "%{CISCOFW105008}",
# # ASA-1-105009
"log_message", "%{CISCOFW105009}",
# # ASA-2-106001
"log_message", "%{CISCOFW106001}",
# # ASA-2-106006, ASA-2-106007, ASA-2-106010
"log_message", "%{CISCOFW106006_106007_106010}",
# # ASA-3-106014
"log_message", "%{CISCOFW106014}",
# # ASA-6-106015
"log_message", "%{CISCOFW106015}",
# # ASA-6-106017
"log_message", "%{DATA:session_status} IP due to %{DATA:error_message} from %{IP:src_ip} to %{IP:dst_ip}",
# # ASA-1-106021
"log_message", "%{CISCOFW106021}",
# # ASA-4-106023
"log_message", "%{CISCOFW106023}",
# # ASA-4-106100, ASA-4-106102, ASA-4-106103
"log_message", "%{CISCOFW106100_2_3 access-list}",
# # ASA-5-106100
"log_message", "%{CISCOFW106100}",
# # ASA-5-304001
"log_message", "%{CISCOFW304001}",
# # ASA-6-110002
"log_message", "%{CISCOFW110002}",
# # ASA-6-302010
"log_message", "%{CISCOFW302010}",
# # ASA-6-302013, ASA-6-302014, ASA-6-302015, ASA-6-302016
"log_message", "%{CISCOFW302013_302014_302015_302016}",
# # ASA-6-302020, ASA-6-302021
"log_message", "%{CISCOFW302020_302021}",
# # ASA-6-305011
"log_message", "%{CISCOFW305011}",
# # ASA-3-313001, ASA-3-313004, ASA-3-313008
"log_message", "%{CISCOFW313001_313004_313008}",
# # ASA-4-313005
"log_message", "%{CISCOFW313005}",
# # ASA-5-321001
"log_message", "%{CISCOFW321001}",
# # ASA-4-402117
"log_message", "%{CISCOFW402117}",
# # ASA-4-402119
"log_message", "%{CISCOFW402119}",
# # ASA-4-419001
"log_message", "%{CISCOFW419001}",
# # ASA-4-419002
"log_message", "%{CISCOFW419002}",
# # ASA-4-500004
"log_message", "%{CISCOFW500004}",
# # ASA-6-602303, ASA-6-602304
"log_message", "%{CISCOFW602303_602304}",
"log_message", "%{CISCOFW713172}",
# # ASA-4-733100
"log_message", "%{CISCOFW733100}",
# 106023
"log_message", "%{CISCO_ACTION:action} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port})?(\(%{DATA:src_fwuser}\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(/%{INT:dst_port})?(\(%{DATA:dst_fwuser}\))?( \(type %{INT:icmp_type}, code %{INT:icmp_code}\))? by access-group %{DATA:policy_id} \[%{DATA:hashcode1}, %{DATA:hashcode2}\]",
# 201013
"log_message", "Per-client connection limit exceeded %{DATA:connections_use}\/%{DATA:connections_max_use} for output packet from %{IP:src_ip}\/%{INT:src_port} to %{IP:dst_ip}\/%{INT:dst_port} on interface %{DATA:src_interface}",
# 210007
"log_message", "LU allocate xlate %{DATA:action} for dynamic-nat TCP translation from %{DATA:src_interface}:%{IP:src_ip}\/%{INT:src_port} \(%{IP}\/%{DATA}\) to %{DATA:dst_interface}:%{IP:dst_ip}\/%{INT:dst_port} \(%{IP}\/%{DATA}\)",
# 313005
"log_message", "%{CISCO_REASON:reason} for %{WORD:protocol} error message: %{WORD:err_protocol} src %{DATA:err_src_interface}:%{IP:err_src_ip}(\(%{DATA:err_src_fwuser}\))? dst %{DATA:err_dst_interface}:%{IP:err_dst_ip}(\(%{DATA:err_dst_fwuser}\))? \(type %{INT:err_icmp_type}, code %{INT:err_icmp_code}\) on %{DATA:interface} interface\. Original IP payload: %{WORD:protocol} src %{IP:orig_src_ip}/%{INT:orig_src_port}(\(%{DATA:orig_src_fwuser}\))? dst %{IP:orig_dst_ip}/%{INT:orig_dst_port}(\(%{DATA:orig_dst_fwuser}\))?",
# 419002
"log_message", "Duplicate TCP SYN from %{DATA:src_interface}:%{IP:src_ip}\/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}\/%{INT:dst_port} with different initial sequence number",
# 713902
"log_message", "Group = %{DATA:vpn_group}, IP = %{IP:src_ip}, %{GREEDYDATA}!",
# 713903
"log_message", "IP = %{IP:src_ip}, %{GREEDYDATA:error_message}, %{GREEDYDATA}\! \(%{GREEDYDATA}\)",
# 113009
"log_message", "%{DATA:aaa} retrieved default group policy \(%{DATA:group_policy}\) for user = %{IPORHOST:username}",
# 113019
"log_message", "Group = %{IPORHOST:vpn_group}, Username = %{IPORHOST:username}, IP = %{IP:src_ip}, Session %{DATA:vpn_session}. Session Type: %{DATA:vpn_session_type}, Duration: %{DATA:vpn_session_duration}s, Bytes xmt: %{DATA:vpn_received}, Bytes rcv: %{DATA:vpn_transmitted}, Reason: %{GREEDYDATA:vpn_session_end_reason}",
# 713903
"log_message", "Group = %{DATA:group_policy}, IP = %{IP:src_ip}, %{DATA:status}, +%{GREEDYDATA}",
# 713061
"log_message", "Group = %{DATA:vpn_group}, IP = %{IP:src_ip}, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy %{IP:remote_net}\/%{IP:remote_net_mask}\/%{INT}\/%{INT} local proxy",
# HP
"log_message", "Notice-Type=\'%{DATA:notice_type}\',Event-ID=\'%{INT:event_id}\',Config-Method=\'%{DATA:config_method}\',Device-Name=\'%{DATA:hostname}\',User-Name=\'%{DATA:username}\',Remote-IP-Address=\'%{IP:src_ip}\'",
# ICX
# Interface
"log_message", "Interface %{DATA:interface_type} %{DATA:interface_num}, state %{GREEDYDATA:interface_state}",
#VLAN
"log_message", "VLAN %{DATA:vlan_id} Port %{DATA:interface_num} STP State -> %{DATA:STP_state} \(%{DATA:STP_changereason}\)",
# MLX
# BGP Peer
"log_message", "Peer \(VRF: +%{DATA:vrf}\) %{IP:peer_ip} %{DATA:bgp_session} \(%{GREEDYDATA:bgp_status}\)",
# Loadbalancer
"log_message", "%{IP:src_ip} - %{DATA:username} \[%{GREEDYDATA}\] \"\/%{DATA}\/%{DATA}\/%{DATA:security_audit}\/%{GREEDYDATA}\" %{INT} %{INT}",
"log_message", "CMD (%{GREEDYDATA})",
# Catchall
"log_message", "%{GREEDYDATA:log_catchall}"
]
}
} # End log_message filtern und markieren
# WLC Messages feiner filtern
if [wlc_message_id] {
grok {
match => [
"log_message", "%{DATA:wlc_program}:%{INT:wlc_program_num} +%{GREEDYDATA}",
"log_message", "%{GREEDYDATA:log_wlc_message}"
]
}
if [log_catchall] {
mutate {
remove_field => [ "log_catchall" ]
}
}
} # END WLC Messages feiner filtern
# Loadbalancer Messages nicht weiter filtern
if [sysloghost] == "xxx" or [sysloghost] == "xxx" {
if [log_catchall] {
mutate {
remove_field => [ "log_catchall" ]
}
}
} # END Loadbalancer Messages nicht weiter filtern
# session status anpassen
if [session_status] {
translate {
dictionary => [
"Successful", "login",
"successful", "login",
"Success", "login",
"success", "login",
"Closed", "logout",
"closed", "logout",
"Exited", "logout",
"exited", "logout",
"terminated", "logout",
"stop", "logout",
"Failed", "failed",
"failed", "failed",
"Failure", "failed",
"failure", "failed",
"rejected", "failed",
"Modified", "login",
"modified", "login",
"Succeeded", "login",
"succeeded", "login",
"start", "login",
"New", "login",
"new", "login",
"Authenticated", "login",
"authenticated", "login"
]
field => "session_status"
destination => "session_status"
override => true
}
} # end session status anpassen
} # if [type]
}
output {
if [session_status] {
pipeline {
send_to => [ "_10050-nw-downstream_p061" ]
}
}
elasticsearch {
hosts => [ "xxx03:9200", "xxx04:9200", "xxxdb05:9200" ]
ssl => true
cacert => "/etc/logstash/certs/xxxb07.xxx.ca.crt"
index => "nw-xal-logs-syslog-10000-%{+YYYY.MM.dd}"
user => "xxx"
password => "xxx"
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment