Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- filter {
- if "PFSense" in [tags] {
- grok {
- add_tag => [ "firewall" ]
- match => [ "message", "<(?<evtid>.*)>(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<prog>.*?): (?<msg>.*)" ]
- }
- mutate {
- gsub => ["datetime"," "," "]
- }
- date {
- match => [ "datetime", "MMM dd HH:mm:ss" ]
- timezone => "Europe/Zurich"
- }
- mutate {
- replace => [ "message", "%{msg}" ]
- }
- mutate {
- remove_field => [ "msg", "datetime" ]
- }
- }
- if [prog] =~ /^filterlog$/ {
- mutate {
- remove_field => [ "msg", "datetime" ]
- }
- grok {
- patterns_dir => "/etc/logstash/conf.d/patterns"
- match => [ "message", "%{PFSENSE_LOG_DATA}%{PFSENSE_IP_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}",
- "message", "%{PFSENSE_IPv4_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}",
- "message", "%{PFSENSE_IPv6_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA_IPv6}"]
- }
- mutate {
- lowercase => [ 'proto' ]
- }
- geoip {
- add_tag => [ "GeoIP" ]
- source => "src_ip"
- # Optional GeoIP database
- # Comment out the below if you do not wise to utilize and omit last three steps dealing with (recommended) suffix
- database => "/etc/logstash/GeoLite2-City.mmdb"
- }
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
