Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Manual OSSIM GROK log parsing (legacy)
######## ALIENVAULT OSSIM Logs ########################################
if [type] == "ossim-events" {
grok {
patterns_dir => "/elk/logstash-1.5.1/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.1.10/patterns"
match => [ "message", "<entry id='%{INT:entry_id}' v='%{INT:v}' fdate='%{FDATE:fdate}' date='%{NUMBER:unix_timestamp}' plugin_id='%{NUMBER:plugin_id}' sensor='%{IP:sensor}' src_ip='%{IP:src_ip}' dst_ip='%{IP:dst_ip}' src_port='%{NUMBER:src_port}' dst_port='%{NUMBER:dst_port}' tzone='%{NUMBER:tzone}' datalen='%{NUMBER:datalen}' data='%{GREEDYDATA:data}' plugin_sid='%{NUMBER:plugin_sid}' proto='%{NUMBER:proto}' ctx='%{GREEDYDATA:ctx}' src_host='%{GREEDYDATA:src_host}' dst_host='%{GREEDYDATA:dst_host}' src_net='%{GREEDYDATA:src_net}' dst_net='%{GREEDYDATA:dst_net}' username='%{GREEDYDATA:username}' userdata1=%{GREEDYDATA:userdata}' idm_host_src='%{GREEDYDATA:idm_host_src}' idm_host_dst='%{GREEDYDATA:idm_host_dst}' idm_mac_src='%{MAC:idm_mac_src}' idm_mac_dst='%{MAC:idm_mac_dst}' device='%{IP:device}'/>"]
match => [ "message", "<entry id='%{INT:entry_id}' v='%{INT:v}' fdate='%{FDATE:fdate}' date='%{NUMBER:unix_timestamp}' plugin_id='%{NUMBER:plugin_id}' sensor='%{IP:sensor}' src_ip='%{IP:src_ip}' dst_ip='%{IP:dst_ip}' src_port='%{NUMBER:src_port}' dst_port='%{NUMBER:dst_port}' tzone='%{NUMBER:tzone}' datalen='%{NUMBER:datalen}' data='%{GREEDYDATA:data}' plugin_sid='%{NUMBER:plugin_sid}' proto='%{NUMBER:proto}' ctx='%{GREEDYDATA:ctx}' src_host='%{GREEDYDATA:src_host}' dst_host='%{GREEDYDATA:dst_host}' src_net='%{GREEDYDATA:src_net}' dst_net='%{GREEDYDATA:dst_net}' username='%{GREEDYDATA:username}' userdata1=%{GREEDYDATA:userdata}' idm_host_src='%{GREEDYDATA:idm_host_src}' idm_mac_src='%{MAC:idm_mac_src}' device='%{IP:device}'/>"]
match => [ "message", "<entry id='%{INT:entry_id}' v='%{INT:v}' fdate='%{FDATE:fdate}' date='%{NUMBER:unix_timestamp}' plugin_id='%{NUMBER:plugin_id}' sensor='%{IP:sensor}' src_ip='%{IP:src_ip}' dst_ip='%{IP:dst_ip}' src_port='%{NUMBER:src_port}' dst_port='%{NUMBER:dst_port}' tzone='%{NUMBER:tzone}' datalen='%{NUMBER:datalen}' data='%{GREEDYDATA:data}' plugin_sid='%{NUMBER:plugin_sid}' proto='%{NUMBER:proto}' ctx='%{GREEDYDATA:ctx}' src_host='%{GREEDYDATA:src_host}' dst_host='%{GREEDYDATA:dst_host}' src_net='%{GREEDYDATA:src_net}' dst_net='%{GREEDYDATA:dst_net}' username='%{GREEDYDATA:username}' userdata1=%{GREEDYDATA:userdata}' idm_host_dst='%{GREEDYDATA:idm_host_dst}' idm_mac_dst='%{MAC:idm_mac_dst}' device='%{IP:device}'/>"]
match => [ "message", "<entry id='%{INT:entry_id}' v='%{INT:v}' fdate='%{FDATE:fdate}' date='%{NUMBER:unix_timestamp}' plugin_id='%{NUMBER:plugin_id}' sensor='%{IP:sensor}' src_ip='%{IP:src_ip}' dst_ip='%{IP:dst_ip}' src_port='%{NUMBER:src_port}' dst_port='%{NUMBER:dst_port}' tzone='%{NUMBER:tzone}' datalen='%{NUMBER:datalen}' data='%{GREEDYDATA:data}' plugin_sid='%{NUMBER:plugin_sid}' proto='%{NUMBER:proto}' ctx='%{GREEDYDATA:ctx}' src_host='%{GREEDYDATA:src_host}' dst_host='%{GREEDYDATA:dst_host}' src_net='%{GREEDYDATA:src_net}' dst_net='%{GREEDYDATA:dst_net}' userdata1=%{GREEDYDATA:userdata}' idm_host_src='%{GREEDYDATA:idm_host_src}' idm_host_dst='%{GREEDYDATA:idm_host_dst}' idm_mac_src='%{MAC:idm_mac_src}' idm_mac_dst='%{MAC:idm_mac_dst}' device='%{IP:device}'/>"]
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.