Allow Graylog to understand Cisco FMC syslogs
| { | |
| "extractors": [ | |
| { | |
| "title": "FMC - Default Fields", | |
| "extractor_type": "grok", | |
| "converters": [], | |
| "order": 15, | |
| "cursor_strategy": "copy", | |
| "source_field": "message", | |
| "target_field": "", | |
| "extractor_config": { | |
| "grok_pattern": "%{WORD:field}: Protocol: %{WORD:protocol}, SrcIP: %{IP:Source_IP}, OriginalClientIP: ::, DstIP: %{IP:Destination_IP}, SrcPort: %{INT:src_port}, DstPort: %{INT:dest_port}, TCPFlags: %{WORD:flags}, IngressZone: %{HOSTNAME:ingress_zone}, EgressZone: %{HOSTNAME:egress_zone}, DE: %{DATA:detect_engine}, Policy: %{DATA:policy}, ConnectType: %{WORD:connectType}, AccessControlRuleName: %{DATA:ACLRuleName}, AccessControlRuleAction: %{DATA:ACLRuleAction},", | |
| "named_captures_only": true | |
| }, | |
| "condition_type": "regex", | |
| "condition_value": "( SFIMS:)" | |
| } | |
| ], | |
| "version": "2.4.6" | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment