Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Allow Graylog to understand Cisco FMC syslogs
{
"extractors": [
{
"title": "FMC - Default Fields",
"extractor_type": "grok",
"converters": [],
"order": 15,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{WORD:field}: Protocol: %{WORD:protocol}, SrcIP: %{IP:Source_IP}, OriginalClientIP: ::, DstIP: %{IP:Destination_IP}, SrcPort: %{INT:src_port}, DstPort: %{INT:dest_port}, TCPFlags: %{WORD:flags}, IngressZone: %{HOSTNAME:ingress_zone}, EgressZone: %{HOSTNAME:egress_zone}, DE: %{DATA:detect_engine}, Policy: %{DATA:policy}, ConnectType: %{WORD:connectType}, AccessControlRuleName: %{DATA:ACLRuleName}, AccessControlRuleAction: %{DATA:ACLRuleAction},",
"named_captures_only": true
},
"condition_type": "regex",
"condition_value": "( SFIMS:)"
}
],
"version": "2.4.6"
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.