elasticsearch grok graylog

Log Firewall Checkpoint Grok graylog


I am new to this and I want to parse the following log from a Checkpoint firewall. I don't know if you can help me or guide me on how I can do it so that I can see separate fields and not a single text.

Example:

....

-5:00 192.168.1.2 Action="accept" UUid="{0x61b22d19,0x4,0xf1137d7f,0xc0000000}" inzone="Internal" outzone="Internal" src="10.207.104.247" dst="10.207.106.9" proto="6" xlatesrc="186.5.16.83" NAT_rulenum="14" NAT_addtnl_rulenum="1" rule="21 (Incoming/Internal)" product="VPN-1 & FireWall-1" service="10050" s_port="38930



I am trying the following grok pattern but I am not getting what I want:

%{NUMBER}:00 %{IP} Action=%{QS} UUid=%{QS} inzone=%{QS} outzone=%{QS} src=%{QS} dst=%{QS} proto=%{QS} xlatesrc=%{QS} NAT_rulenum=%{QS} NAT_addtnl_rulenum=%{QS} rule=%{QS} product=%{QS} service=%{QS} s_port=%{QS}


Solution

  • In the example you provided, a " is missing at the end; otherwise your grok pattern works for me.

    You can add names to the fields so you can easily get them in graylog, for example:

    %{NUMBER}:00 %{IP:ip} Action=%{QS:action} UUid=%{QS:uuid} inzone=%{QS:inzone} outzone=%{QS:outzone} src=%{QS:src} dst=%{QS:dst} proto=%{QS:proto} xlatesrc=%{QS:xlatesrc} NAT_rulenum=%{QS:natrulenum} NAT_addtnl_rulenum=%{QS:nataddtnlrulenum} rule=%{QS:rule} product=%{QS:product} service=%{QS:service} s_port=%{QS:sport}
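    An added, runnable illustration of what the answer describes; it is not part of the original thread and not Graylog's code. The Grok references are expanded into a Python regex with named groups, the answer's named pattern is applied to the question's line with the closing quote restored, and the line exactly as posted is shown to fail. The QS, IP and NUMBER regexes are simplified stand-ins (assumed here), not Graylog's own pattern definitions.

```python
import re

# Stand-ins for the three Grok patterns used on this page (assumed regexes,
# not Graylog's own definitions): QS is a double-quoted string, IP an IPv4
# address, NUMBER a signed decimal. Any other pattern name raises KeyError.
GROK_PATTERNS = {
    "QS": r'"(?:[^"\\]|\\.)*"',
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "NUMBER": r"[-+]?\d+(?:\.\d+)?",
}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")  # %{PATTERN} or %{PATTERN:field}

def grok_to_regex(pattern):
    """Expand %{PATTERN:field} references into a compiled regex with named groups."""
    parts, last = [], 0
    for m in GROK_REF.finditer(pattern):
        parts.append(re.escape(pattern[last:m.start()]))  # literal text such as ' Action='
        body, field = GROK_PATTERNS[m.group(1)], m.group(2)
        parts.append(f"(?P<{field}>{body})" if field else f"(?:{body})")
        last = m.end()
    parts.append(re.escape(pattern[last:]))
    return re.compile("".join(parts))

def parse(pattern, line):
    """Return the named fields with surrounding quotes stripped, or None if no match."""
    m = grok_to_regex(pattern).search(line)
    return None if m is None else {k: v.strip('"') for k, v in m.groupdict().items()}

# The answer's named pattern, verbatim.
NAMED_PATTERN = (
    "%{NUMBER}:00 %{IP:ip} Action=%{QS:action} UUid=%{QS:uuid} inzone=%{QS:inzone} "
    "outzone=%{QS:outzone} src=%{QS:src} dst=%{QS:dst} proto=%{QS:proto} "
    "xlatesrc=%{QS:xlatesrc} NAT_rulenum=%{QS:natrulenum} "
    "NAT_addtnl_rulenum=%{QS:nataddtnlrulenum} rule=%{QS:rule} product=%{QS:product} "
    "service=%{QS:service} s_port=%{QS:sport}"
)
# Constructed sample: the question's log line with the missing closing quote restored.
SAMPLE = (
    '-5:00 192.168.1.2 Action="accept" UUid="{0x61b22d19,0x4,0xf1137d7f,0xc0000000}" '
    'inzone="Internal" outzone="Internal" src="10.207.104.247" dst="10.207.106.9" '
    'proto="6" xlatesrc="186.5.16.83" NAT_rulenum="14" NAT_addtnl_rulenum="1" '
    'rule="21 (Incoming/Internal)" product="VPN-1 & FireWall-1" service="10050" '
    's_port="38930"'
)
TRUNCATED = SAMPLE[:-1]  # exactly as posted in the question: s_port has no closing quote

if __name__ == "__main__":
    print(parse(NAMED_PATTERN, SAMPLE)["src"])  # 10.207.104.247
    print(parse(NAMED_PATTERN, TRUNCATED))      # None: QS requires the closing quote
```

    Running the unnamed pattern from the question against the same line matches but yields no fields at all, which is why the answer adds names to each reference.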