clay584/logstash_asa_parser

## logstash_asa_parser
#parse ASA log
      grok {
        patterns_dir => "/opt/logstash/logstash-1.4.0/patterns"
        break_on_match => false
        match => [ "raw_message", "%{CISCOFACSEVMNEM} %{WORD:Action} %{WORD:IPProtocol} src %{WORD:SourceZone}:%{IP:SourceAddress}\/%{POSINT:SourcePort} dst %{WORD:DestinationZone}:%{IP:DestinationAddress}\/%{POSINT:DestinationPort} by access-group \"%{NOTSPACE:rule}\"%{GREEDYDATA}",
                   "raw_message", "%{CISCOFACSEVMNEM} %{WORD:Action} %{IPPROTOCOL:IPProtocol} src %{WORD:SourceZone}:%{IP:SourceAddress} dst %{WORD:DestinationZone}:%{IP:DestinationAddress} %{DATA:icmp_type_code} by access-group \"%{WORD:Rule}\"%{GREEDYDATA}",
                   "raw_message", "%{CISCOFACSEVMNEM} %{GREEDYDATA:description}" ]
      }
      mutate {
        remove_field => [ "message", "raw_message" ]
        add_field => [ "Application", "asa_unknown" ]
        lowercase => [ "Action" ]
      }
	#parse ASA log
	grok {
	patterns_dir => "/opt/logstash/logstash-1.4.0/patterns"
	break_on_match => false
	match => [ "raw_message", "%{CISCOFACSEVMNEM} %{WORD:Action} %{WORD:IPProtocol} src %{WORD:SourceZone}:%{IP:SourceAddress}\/%{POSINT:SourcePort} dst %{WORD:DestinationZone}:%{IP:DestinationAddress}\/%{POSINT:DestinationPort} by access-group \"%{NOTSPACE:rule}\"%{GREEDYDATA}",
	"raw_message", "%{CISCOFACSEVMNEM} %{WORD:Action} %{IPPROTOCOL:IPProtocol} src %{WORD:SourceZone}:%{IP:SourceAddress} dst %{WORD:DestinationZone}:%{IP:DestinationAddress} %{DATA:icmp_type_code} by access-group \"%{WORD:Rule}\"%{GREEDYDATA}",
	"raw_message", "%{CISCOFACSEVMNEM} %{GREEDYDATA:description}" ]
	}
	mutate {
	remove_field => [ "message", "raw_message" ]
	add_field => [ "Application", "asa_unknown" ]
	lowercase => [ "Action" ]
	}