################################################################################
##
## file name: qradar2graylog.nxlog
##
## purpose: parser / configuration file that tells nxlog how to read
## qradar csv exports and put them into graylog via gelf
##
## notes: expects these *exact* fields in the qradar csv export:
## Start Time
## Log Source
## payloadAsUTF
## payloadAsHexOneLine
## payloadAsBase64
##
## date: 2016-10-11
## author: https://github.com/predictiple
##
################################################################################
## Global directives
########################################
# IN_FILE / OUT_FILE are substituted wherever '%IN_FILE%' / '%OUT_FILE%'
# appears below (file_in, file_out and the Log_Source rewrite in file_in)
define IN_FILE test_qradar_input.csv
define OUT_FILE test_qradar_output.json
# nxlog's own log goes to /dev/null in case you want to see output in terminal
# but don't want logs filling up your hard drive
LogFile /dev/null
# or maybe you do want that?
#LogFile ./test_debug.log
LogLevel INFO
SuppressRepeatingLogs FALSE
# no position cache is written; together with SavePos FALSE /
# ReadFromLast FALSE in file_in the CSV is re-read from the start each run
NoCache TRUE
## Modules
########################################
<Extension kvp>
# key=value parser used by file_in's kvp->parse_kvp() on the LEEF body:
# '=' separates a key from its value, TAB separates one pair from the next
Module xm_kvp
KVDelimiter =
KVPDelimiter \t
# backslash escaping is left off; file_in strips residual backslashes
# from $usrName and $url with replace() instead
#EscapeChar \\
EscapeControl FALSE
</Extension>
<Extension json>
# provides to_json(), called by both outputs
Module xm_json
</Extension>
<Extension fo>
# provides file_cycle(), used by file_out to keep a few output files
Module xm_fileop
</Extension>
<Extension gelf>
# provides OutputType GELF_TCP, used by the graylog2 output
Module xm_gelf
</Extension>
<Input file_in>
# Reads the QRadar CSV export named by IN_FILE and turns each Websense
# LEEF row into a structured event; everything else is dropped or passed
# through as-is (see the notes inside <Exec>).
Module im_file
File '%IN_FILE%'
# no read position is kept, so the whole file is read from the start
SavePos FALSE
ReadFromLast FALSE
# next line kept for troubleshooting
# Exec log_info($raw_event);
<Exec>
# drop empty lines
if $raw_event =~ /^\s*$/ drop();
# drop events that don't start with "MMM (a quoted three-letter month),
# e.g. the CSV header row
if $raw_event !~ /^\"\w{3}\s/ drop();
# pseudo csv parser (which discards everything after UTF payload):
# $1 = Start Time, $2 = Log Source, $3 = payloadAsUTF (starts with '<').
# payloadAsHexOneLine / payloadAsBase64 are never assigned here.
# NOTE(review): all groups are greedy and the last two columns are only
# matched by the trailing ",.*$", so if those columns contain no comma,
# $3 may run past the closing quote into the hex column - confirm against
# a real export; the url clean-up further down looks like a work-around.
if $raw_event =~ /^\"(.+)\",(.+),\"*(<.+)\"*,.*$/
{
$Start_Time = $1; \
$Log_Source = $2; \
$payloadAsUTF = $3;
}
# pull out some fields from payloadAsUTF field: the <nnn> prefix and
# timestamp ($1), the sending host ($2), the LEEF 1.0 Websense 7.8.4
# "transaction:" id ($3) and the key=value body ($4). The version and
# event type are hard-coded, so any other payload falls through untouched,
# keeping $Start_Time / $payloadAsUTF and skipping the delete()s below.
if $payloadAsUTF =~ /^<\d{3}>(\w{3}\s\d\d\s\d\d:\d\d:\d\d)\s(.+?)\sLEEF:1.0\|Websense\|Security\|7.8.4\|transaction:(\w+)\|(.*)$/
{
$EventTime = parsedate($1); \
$ProxyIP = $2; \
$Transaction = $3; \
$UTFpayload = $4; \
$UTFpayload =~ s/\"//g; \
kvp->parse_kvp($UTFpayload); \
# reformat some fields: Start Time is expected like "Oct 11, 2016, 08:44:00 AM"
# (constructed example matching the strptime format); Log Source is then
# replaced with the input file name - NOTE(review): this discards the
# QRadar Log Source column captured above, confirm that is intended.
# Next, usrName keeps only what follows the last '/' of an LDAP-style
# value, with backslashes removed.
$EventReceivedTime = strptime($Start_Time, '%b %d, %Y, %I:%M:%S %p'); \
$Log_Source = '%IN_FILE%'; \
if $usrName =~ /LDAP.*\/(.*)$/
{
$usrName = replace($1, '\', '');
}
# get rid of residual escape characters in url field
$url = replace($url, '\', '');
# clean up the url a bit: keep everything before the last comma
if $url =~ /^(.*),.*/
{ $url = $1; }
# delete all the unwanted fields (raw payload copies, temporaries and
# nxlog bookkeeping) so they are not forwarded to Graylog
delete($Start_Time); \
delete($payloadAsHexOneLine); \
delete($payloadAsBase64); \
delete($payloadAsUTF); \
delete($UTFpayload); \
delete($SourceModuleName); \
delete($SourceModuleType); \
delete($other); \
}
</Exec>
</Input>
<Output file_out>
# JSON copy of each event in OUT_FILE. Not referenced by Route 1 below,
# so it only runs if added to a Path (e.g. file_in => file_out, graylog2).
Module om_file
File '%OUT_FILE%'
# don't overwrite output - keep 3 files
# NOTE(review): an Exec in an output runs per event, so file_cycle() is
# called for every record; rotation is normally driven from a <Schedule>
# block instead - confirm this is only meant for a small test file
Exec file_cycle('%OUT_FILE%', 3);
# serialise the remaining fields as a JSON object
Exec to_json();
</Output>
<Output graylog2>
# Sends events as GELF over TCP to a Graylog input on this host.
Module om_tcp
Host 127.0.0.1
Port 12201
# GELF framing comes from the gelf extension above
OutputType GELF_TCP
# NOTE(review): om_tcp is plaintext; the events carry $usrName and $url,
# so if Graylog is ever moved off localhost switch to om_ssl (same
# OutputType) rather than pointing Host at a remote address over plain TCP.
# to_json() rewrites $raw_event as the JSON of all fields before the GELF
# encoder runs - presumably so the short message carries that JSON; confirm
# in Graylog.
Exec to_json();
</Output>
## Routes
########################################
<Route 1>
# only file_in -> graylog2; file_out is defined above but not on this path
Path file_in => graylog2
</Route>