Logstash F5 Access Logging
# F5 Logstash Grok patterns
#
# Pattern library for the F5 access-log format consumed by the Logstash
# pipeline below.  Each line is `NAME regex`; names are referenced from the
# grok filter as %{NAME:field}.  Only full-line `#` comments are allowed here:
# anything after the name on a pattern line is part of the regex.
# F5 Fields
# Virtual host as "host:port"; `\s?` tolerates an optional space after the colon.
VHOST %{IPORHOST:url}:\s?%{POSINT:port}
# Virtual-server path: 2-4 slash-separated components (word chars, dots,
# dashes), optionally followed by whitespace and a numeric suffix.
VIRTSERVER ((?:\/?[\w\.\-]+){2,4}(?:\s?\d*)?)
# Request/response timestamps in the form YYYY/MM/dd HH:mm:ss.
F5DATE %{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME}
# TLS negotiation details.  SSL_CIPHER and SSL_VERSION are permissive (word
# chars, dashes, dots) and also match an empty string; SSL_BITS requires 2-4 digits.
SSL_CIPHER (?:[\w\-]*)
SSL_VERSION (?:[\w\-\.]*)
SSL_BITS (?:\d{2,4})
# Client-certificate distinguished name: one `XX=value` component with an
# optional trailing comma.  NOTE(review): not referenced by F5_SSL_CLIENT
# below, which captures the DN with %{QS} instead; kept for compatibility.
SSL_DN (?:[\w]{1,2}=[\w\s]*,?)
# Client-certificate serial number.  NOTE(review): only 1-2 word characters
# are accepted, which looks narrow for real certificate serials — confirm
# against sample log lines before relying on the sslserial field.
SSL_SERIAL (?:[\w]{1,2})
# F5 Patterns
# Core access-log line.  `request` is single-quoted, consistent with the
# pipeline's mutate filter rewriting `"` to `'` before grok runs; %{QS}
# accepts either quote style.  The field name `reqeustelapsedtime` is a typo
# that is deliberately left as-is: downstream consumers (dashboards, saved
# searches) key on the emitted name, so renaming it would be a breaking change.
F5_BASE %{VHOST:vhost} %{IP:clientip} %{WORD:httpmethod} '%{URIPATHPARAM:request}' HTTP/%{NUMBER:httpversion} %{QS:useragent} %{QS:referrer} %{F5DATE:requesttimestamp} %{NUMBER:requestsize} %{NUMBER:reqeustelapsedtime} %{IPORHOST:nodeip}:%{POSINT:nodeport} %{NUMBER:responsecode} %{F5DATE:responsetimestamp} %{NUMBER:responsesize} %{VIRTSERVER:virtualserver}
# TLS handshake fields that follow the base line.
F5_SSL %{SSL_CIPHER:sslcipher} %{SSL_VERSION:sslversion} %{SSL_BITS:sslbits}
# Client-certificate fields (quoted DN plus serial) that follow F5_SSL —
# presumably only present when a client certificate was presented; verify
# against the F5 log profile.
F5_SSL_CLIENT %{QS:ssldn} %{SSL_SERIAL:sslserial}
input {
# Both listeners accept the F5 log stream on the same port number; TCP and UDP
# are separate sockets, so there is no conflict.  No `host` is set, so the
# sockets presumably bind on all interfaces — confirm, and if the F5 is the
# only expected sender, bind to the listening interface (host => "<LISTEN_IP>")
# or restrict reachability at the network level.  Nothing here authenticates
# the sender: any host that can reach the port can emit events of type
# "f5-access", so downstream consumers should not treat them as trusted.
tcp {
type => "f5-access"
port => 3333
}
udp {
type => "f5-access"
port => 3333
}
}
filter {
  if [type] == "f5-access" {
    # Normalise the raw line before grok: pipe separators become spaces and
    # double quotes become single quotes.  Both substitutions run in order.
    mutate {
      gsub => [
        "message", "\|", " ",
        "message", "\"", "'"
      ]
    }
    # Try the most specific F5 layout first.  remove_field only runs when a
    # pattern matches, so unparsed lines keep their raw text and carry the
    # _grokparsefailure tag.
    grok {
      patterns_dir => "/etc/logstash/patterns"
      match => [
        "message", "%{F5_BASE} %{F5_SSL} %{F5_SSL_CLIENT}%{GREEDYDATA:message_remainder}",
        "message", "%{F5_BASE} %{F5_SSL}%{GREEDYDATA:message_remainder}",
        "message", "%{F5_BASE}%{GREEDYDATA:message_remainder}"
      ]
      remove_field => [ "message" ]
    }
    # @timestamp is taken from the request timestamp.  NOTE(review): no
    # timezone is given here — confirm the F5 clock and the Logstash host agree.
    date {
      match => [ "requesttimestamp", "YYYY/MM/dd HH:mm:ss" ]
    }
    # Compute user-agent details only when the field carries a value.  The
    # useragent, request and referrer strings are client-supplied; a quote in
    # them is rewritten by the mutate above and may cause grok to fail, so
    # treat such events as parser noise rather than trusted data.
    if [useragent] != "-" and [useragent] != "" {
      useragent {
        source => "useragent"
        add_tag => [ "UA" ]
      }
    }
    # Drop the placeholder "Other" values the useragent filter emits.
    if "UA" in [tags] {
      if [device] == "Other" { mutate { remove_field => [ "device" ] } }
      if [name] == "Other" { mutate { remove_field => [ "name" ] } }
      if [os] == "Other" { mutate { remove_field => [ "os" ] } }
    }
    # Enrich with GeoIP data for the client address.
    geoip {
      source => "clientip"
    }
  }
}