################################################################################
##
## file name: qradar2graylog.nxlog
##
## purpose: parser / configuration file that tells nxlog how to read
## qradar csv exports and put them into graylog via gelf
##
## notes: expects these *exact* fields in the qradar csv export:
## Start Time
## Log Source
## payloadAsUTF
## payloadAsHexOneLine
## payloadAsBase64
##
## date: 2016-10-11
## author: https://github.com/predictiple
##
################################################################################
## Global directives
########################################
# Input and output paths, referenced below as %IN_FILE% / %OUT_FILE%.
# NOTE(review): both are relative paths, so they resolve against nxlog's
# working directory (SpoolDir, when set) — confirm before deploying.
define IN_FILE  test_qradar_input.csv
define OUT_FILE test_qradar_output.json

# nxlog's own log. Discarded by default so a long test run does not fill
# the disk; switch to the commented line to keep a debug trace instead.
LogFile  /dev/null
#LogFile ./test_debug.log
LogLevel INFO
SuppressRepeatingLogs FALSE

# Presumably disables the on-disk state cache (the one SavePos would
# otherwise persist read positions into) — verify.
NoCache TRUE
## Modules
########################################
# Key=value parser for the LEEF attribute part of each payload:
# pairs are separated by tabs, key and value are split on "=".
<Extension kvp>
    Module        xm_kvp
    KVDelimiter   =
    KVPDelimiter  \t
    #EscapeChar   \\
    EscapeControl FALSE
</Extension>
# Provides to_json(), used by both outputs below.
<Extension json>
    Module xm_json
</Extension>
# Provides file_cycle(), used by the file_out output below.
<Extension fo>
    Module xm_fileop
</Extension>
# Provides the GELF_TCP output type used by the graylog2 output below.
<Extension gelf>
    Module xm_gelf
</Extension>
# Read the QRadar CSV export line by line; each CSV row arrives as one $raw_event.
<Input file_in>
    Module im_file
    File '%IN_FILE%'
    # Re-read the whole file on every start: no saved offset, begin at the top.
    SavePos FALSE
    ReadFromLast FALSE
    # next line kept for troubleshooting
    # Exec log_info($raw_event);
    # NOTE(review): the trailing backslashes below are line continuations carried
    # into this <Exec> block, and some are directly followed by a comment line;
    # confirm the config parser does not join that comment onto the preceding
    # statement.
    <Exec>
        # drop empty lines
        if $raw_event =~ /^\s*$/ drop();
        # drop rows that don't start with a quoted month abbreviation ("MMM ...).
        # The column-header row never matches this and is dropped too.
        if $raw_event !~ /^\"\w{3}\s/ drop();
        # pseudo csv parser (which discards everything after UTF payload)
        # $1 = Start Time, $2 = Log Source, $3 = payloadAsUTF (must begin with "<").
        # NOTE(review): "(<.+)" is greedy and the trailing \"*,.*$ can match at the
        # last comma of the row, so $3 may run past the UTF payload into the
        # following columns; a "," or "\"," embedded in a payload shifts the
        # fields the same way. Verify against a real export before relying on
        # this field split for detection.
        if $raw_event =~ /^\"(.+)\",(.+),\"*(<.+)\"*,.*$/
        {
            $Start_Time = $1; \
            $Log_Source = $2; \
            $payloadAsUTF = $3;
        }
        # pull out some fields from payloadAsUTF field
        # Matches only syslog-wrapped LEEF 1.0 events from Websense Security 7.8.4:
        # $1 = syslog timestamp (no year, no zone), $2 = syslog host,
        # $3 = transaction type, $4 = the tab-separated LEEF attributes.
        # Rows from any other source or version fail this match and pass through
        # with only the three CSV fields set: nothing below (the delete() list
        # included) runs for them, and they are not dropped.
        if $payloadAsUTF =~ /^<\d{3}>(\w{3}\s\d\d\s\d\d:\d\d:\d\d)\s(.+?)\sLEEF:1.0\|Websense\|Security\|7.8.4\|transaction:(\w+)\|(.*)$/
        {
            # presumably parsedate() supplies the missing year/zone itself — verify
            $EventTime = parsedate($1); \
            $ProxyIP = $2; \
            $Transaction = $3; \
            $UTFpayload = $4; \
            # remove all double quotes before splitting into key=value pairs
            $UTFpayload =~ s/\"//g; \
            kvp->parse_kvp($UTFpayload); \
            # reformat some fields
            # Overwrite the core EventReceivedTime with the QRadar Start Time
            # (expected as e.g. "Oct 11, 2016, 08:44:00 AM").
            $EventReceivedTime = strptime($Start_Time, '%b %d, %Y, %I:%M:%S %p'); \
            # NOTE(review): this replaces the Log Source captured from the CSV with
            # the local input filename — confirm that is intended.
            $Log_Source = '%IN_FILE%'; \
            # Keep only the part after the last "/" of an LDAP-style user name,
            # minus any backslashes (assumes '\' is a literal backslash — verify).
            if $usrName =~ /LDAP.*\/(.*)$/
            {
                $usrName = replace($1, '\', '');
            }
            # get rid of residual escape characters in url field
            $url = replace($url, '\', '');
            # clean up the url a bit
            # (keeps everything up to the last ","; anything after it is lost)
            if $url =~ /^(.*),.*/
            { $url = $1; }
            # delete all the unwanted fields
            # (the CSV fields, the intermediate buffer, nxlog's own SourceModule*
            # fields, and $other — presumably a LEEF key; verify)
            # NOTE(review): $payloadAsHexOneLine and $payloadAsBase64 are never set by
            # the regex above, so unless parse_kvp() produces keys of that name those
            # two delete() calls are no-ops.
            delete($Start_Time); \
            delete($payloadAsHexOneLine); \
            delete($payloadAsBase64); \
            delete($payloadAsUTF); \
            delete($UTFpayload); \
            delete($SourceModuleName); \
            delete($SourceModuleType); \
            delete($other); \
        }
    </Exec>
</Input>
# Local JSON copy of the parsed events.
# NOTE(review): this output is defined but not referenced by any <Route>
# below, so nothing is written here unless it is added to a Path.
<Output file_out>
    Module om_file
    File '%OUT_FILE%'
    # don't overwrite output - keep 3 files
    # NOTE(review): a module's Exec directives run for each event, so this
    # presumably cycles the file for every record rather than once per run —
    # confirm, and consider a <Schedule> block if a per-run rotation was meant.
    Exec file_cycle('%OUT_FILE%', 3);
    Exec to_json();
</Output>
# Ship events to Graylog over GELF/TCP (Graylog's usual GELF port).
# Plaintext is acceptable on loopback; if Host is later pointed at a remote
# collector, om_ssl is the encrypted equivalent of om_tcp.
<Output graylog2>
    Module     om_tcp
    Host       127.0.0.1
    Port       12201
    OutputType GELF_TCP
    # NOTE(review): with OutputType GELF_TCP the GELF encoder serialises the
    # fields itself; to_json() here rewrites $raw_event first — verify the
    # resulting message is not double-encoded.
    Exec       to_json();
</Output>
## Routes
########################################
# Only the Graylog output is wired up; file_out above stays idle.
# To also keep the local JSON copy: Path file_in => file_out, graylog2
<Route 1>
    Path file_in => graylog2
</Route>