- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"17.253.38.125"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"17.253.38.253"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"17.253.52.125"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"91.239.100.100"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"91.239.100.100"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"91.239.100.100"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"193.162.153.164"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"194.239.134.83"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"31.13.72.36"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"194.239.134.83"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"193.162.153.164"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
- [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"85.129.0.126"}
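# Beats listener for the ZyWALL syslog lines (presumably shipped by Filebeat).
#
# NOTE(review): no `ssl*` options are set, so this is plain TCP. Firewall
# events (internal addresses, user names, failed logins) cross the network in
# clear, and any host that can reach port 5044 can push events that will be
# indexed as genuine firewall logs. Per the input's documentation a shipper
# that already sets `type` keeps it, so an unauthenticated client also picks
# which filter branch below handles its events. Before exposing this beyond a
# trusted segment, enable TLS with client-certificate verification, e.g.
# (option names vary with the plugin version):
#   ssl => true
#   ssl_certificate => "<server cert>"
#   ssl_key => "<server key>"
#   ssl_certificate_authorities => ["<client CA>"]
#   ssl_verify_mode => "force_peer"
input {
  beats {
    port => 5044
    # Events from this listener are typed "zywall" so the filter section can
    # route them to the ZyWALL grok patterns.
    type => "zywall"
  }
}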
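# Parsing and enrichment for ZyWALL syslog events; anything else is treated as
# a Nagios log line (see the `else` branch at the end).
filter {
  if [type] == "zywall" {
    # Stage 1: syslog envelope -> ZyWALL header -> event body. The three
    # `match` entries are applied in order on the same event
    # (break_on_match => false); each later pattern reads the field captured
    # by the previous one.
    #
    # NOTE(review): grok's own type hints are `int` and `float`; the `:ip` and
    # `:double` suffixes used below are presumably ignored, so the mapping of
    # those fields must come from the index template — verify in the index.
    grok {
      pattern_definitions => {
        "NOTCOMMA" => "[^,]*"
        "NOTPIPE" => "[^\|]*"
        "FW_MSGBLOCK" => "[^\|]+"
        # Pipe-separated header: vendor|model|?|reference id|category|type
        "FW_HEADER" => "%{NOTPIPE}\|%{NOTPIPE:[zyxel][manufacturer]}\|%{NOTPIPE:[zyxel][model]}\|%{NOTPIPE}\|%{NOTPIPE:[zyxel][referenceid]}\|%{NOTPIPE:[zyxel][category]}\|%{NOTPIPE:[zyxel][type]}\|"
        "FW_SRC__DPT" => "src=%{IPV4:[zyxel][src]:ip} dst=%{IPV4:[zyxel][dst]:ip} spt=%{NUMBER:[zyxel][spt]} dpt=%{NUMBER:[zyxel][dpt]}"
        "ESP_SEND_RECV" => "(Recv|Send)"
        "DHCP_ASSIGN" => "DHCP %{WORD:[zyxel][dhcp][type]} %{IPV4:[zyxel][dhcp][client_ip]:ip} to \(%{MAC:[zyxel][dhcp][client_mac]}\)"
        "DHCP_OFFER" => "DHCP server %{WORD:[zyxel][dhcp][type]} %{IPV4:[zyxel][dhcp][client_ip]:ip} to \(%{MAC:[zyxel][dhcp][client_mac]}\)"
        "DHCP_RESPONSE" => "Sending %{WORD:[zyxel][dhcp][type]} to %{IPV4:[zyxel][dhcp][client_ip]:ip}"
        "DHCP_RELEASE" => "DHCP %{WORD:[zyxel][dhcp][type]} %{IPV4:[zyxel][dhcp][client_ip]:ip} with \(%{MAC:[zyxel][dhcp][client_mac]}\)"
        "DHCP_REQUEST" => "%{WORD:[zyxel][dhcp][type]} %{IPV4:[zyxel][dhcp][client_ip]:ip} from \(%{MAC:[zyxel][dhcp][client_mac]}\)"
        "FW_TRAFFICLINE" => "msg=Traffic Log duration=%{NUMBER:[zyxel][traffic][duration]} out=%{NUMBER:[zyxel][traffic][outbytes]} in=%{NUMBER:[zyxel][traffic][inbytes]} proto=%{NUMBER:[zyxel][traffic][proto]} app=%{GREEDYDATA:[zyxel][traffic][app]}"
        "FW_INTERFACELINE" => "msg=name=%{NOTCOMMA:[zyxel][iface][name]},status=%{NOTCOMMA:[zyxel][iface][status]},TxPkts=%{NUMBER:[zyxel][iface][txpkts]:double},RxPkts=%{NUMBER:[zyxel][iface][rxpkts]:double},Colli.=%{NUMBER:[zyxel][iface][collisions]:double},TxB/s=%{NUMBER:[zyxel][iface][tx]:double},RxB/s=%{NUMBER:[zyxel][iface][rx]:double}"
        "FW_MONITORLINE" => "msg=cpu=%{NUMBER:[zyxel][monitoring][utilization]:int},memory=%{NUMBER:[zyxel][monitoring][memory]:int},sessions=%{NUMBER:[zyxel][monitoring][sessions]:int},uptime=%{GREEDYDATA:[zyxel][monitoring][uptime]}"
        "FW_OTHERLINE" => "msg=%{GREEDYDATA:[zyxel][misc][message]}Action: %{GREEDYDATA:[zyxel][misc][action]} Severity: %{NOTSPACE:[zyxel][misc][severity]} act=%{GREEDYDATA:[zyxel][misc][event]}"
        # FIX: the reference lacked its leading '%', so the pattern matched only
        # the literal text "{ESP_SEND_RECV:...}" and never an ESP line.
        "FW_ESPLINE" => "msg=%{ESP_SEND_RECV:[zyxel][ike][espdirection]}:%{GREEDYDATA:[zyxel][ike][espchatter]}"
        "FW_DHCPLINE" => "msg=(?:%{DHCP_ASSIGN}|%{DHCP_OFFER}|%{DHCP_RESPONSE}|%{DHCP_RELEASE}|%{DHCP_REQUEST})"
        # FIX: two field references were mis-typed ("[rule>" and "(zyxel]"),
        # which is not a valid grok capture and breaks this pattern (and every
        # pattern that includes it) instead of capturing the ACL fields.
        "FW_ACLLINE" => "msg=priority:%{NUMBER:[zyxel][acl][priority]:int}, %{NOTCOMMA:[zyxel][acl][rule]}, %{NOTCOMMA:[zyxel][acl][proto]}, service %{NOTCOMMA:[zyxel][acl][service]}, %{NOTSPACE:[zyxel][acl][action]}"
        "FW_LIMITLINE" => "\(%{NUMBER:[zyxel][acl][session_limit]:int}\)"
        "FW_USERLINE1" => "msg=%{WORD:[zyxel][user][role]} %{WORD:[zyxel][user][name]} from %{NOTSPACE:[zyxel][user][client]} has logged %{WORD:[zyxel][user][logintype]} %{WORD:[zyxel][user][realm]}"
        "FW_USERLINE2" => "msg=Failed login attempt to %{WORD:[zyxel][user][realm]} from %{NOTSPACE:[zyxel][user][client]}"
        "FW_USERLINE" => "(?:%{FW_USERLINE1}|%{FW_USERLINE2})"
        "FW_LINEALL" => "(?:%{FW_TRAFFICLINE}|%{FW_INTERFACELINE}|%{FW_MONITORLINE}|%{FW_OTHERLINE}|%{FW_ESPLINE}|%{FW_DHCPLINE}|%{FW_ACLLINE}|%{FW_LIMITLINE}|%{FW_USERLINE})"
        # Not referenced by any `match` entry below; kept as the one-shot form
        # of the three-stage match.
        "ZYWALL_LINE" => "%{FW_HEADER}%{FW_SRC__DPT} %{FW_LINEALL}"
      }
      break_on_match => false
      match => {
        "[message]" => "%{SYSLOGTIMESTAMP:[syslog][timestamp]} %{SYSLOGHOST:[syslog][hostname]} %{DATA:[syslog][program]}: %{GREEDYDATA:[syslog][message]}"
        "[syslog][message]" => "%{FW_HEADER}%{FW_SRC__DPT} %{GREEDYDATA:[zyxel][message]}"
        "[zyxel][message]" => "%{FW_LINEALL}"
      }
      add_field => [ "[received_at]", "%{@timestamp}" ]
      # NOTE(review): with the beats input `host` is usually an object
      # (host.name); if so this sprintf yields its serialized form — confirm
      # against the indexed documents.
      add_field => [ "[received_from]", "%{host}" ]
      remove_field => [ "[syslog][message]" ]
    }

    # A "Failed login attempt" line (FW_USERLINE2) yields a realm but no
    # logintype; mark it so successes and failures can be told apart.
    if ([zyxel][user][realm] and ![zyxel][user][logintype]) {
      mutate {
        add_field => [ "[zyxel][user][logintype]", "failed" ]
      }
    }

    # FIX: the dots were unescaped ("." matches any character).
    # NOTE(review): this randomly discards 85% of every event whose source is
    # in 192.168.6.0/24 — not only traffic/monitor noise but ACL denies, login
    # failures and DHCP events too. That subnet therefore has no reliable audit
    # trail: a single scan or lateral-movement attempt from it survives with
    # 15% probability. Prefer dropping the noisy event classes (e.g. when
    # [zyxel][traffic] or [zyxel][iface] is set) rather than sampling
    # security-relevant events.
    if ([zyxel][src] =~ /^192\.168\.6\./) {
      drop { percentage => 85 }
    }

    # Syslog timestamps carry neither year nor zone; Logstash fills in the
    # current year and, without a `timezone` setting, the Logstash host's
    # zone — set `timezone` if the firewall is configured differently.
    # "MMM  d" (two spaces) is how syslog pads single-digit days; it is
    # listed explicitly in case "MMM d" does not tolerate the padding.
    date {
      match => [ "[syslog][timestamp]", "MMM  d HH:mm:ss", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }

    # Enrich public source addresses with GeoIP and a reverse-DNS name.
    # FIX: the field references had an extra "[" ("[[zyxel][src]"), which is a
    # config syntax error, and the private-range check only excluded 10.0.x.x
    # and 172.16.x.x instead of 10/8 and 172.16/12, with unescaped dots.
    # Loopback, link-local, multicast and broadcast are excluded as well:
    # they cannot be geolocated, and reverse lookups for them only leak
    # internal addressing to the resolver.
    if ([zyxel][src] =~ /.+/) and !([zyxel][src] =~ /^(0\.|10\.|127\.|169\.254\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|22[4-9]\.|2[3-5][0-9]\.)/) {
      geoip {
        source => "[zyxel][src]"
        target => "[zyxel][src_geoip]"
      }
      # Seed src_fqdn with the address; the dns filter replaces it in place
      # with the PTR name when the lookup succeeds.
      mutate {
        add_field => [ "[zyxel][src_fqdn]", "%{[zyxel][src]}" ]
      }
      if ([zyxel][src_fqdn] =~ /.+/) {
        # FIX: the "DNS: timeout on resolving address" errors pasted above this
        # config come from these lookups. Without a failed-lookup cache every
        # event for an address that timed out pays the full wait again, and one
        # slow resolver stalls the pipeline. Cache failures (timeouts are
        # presumably cached too in current plugin versions — verify) and bound
        # the wait; point `nameserver` at a local caching resolver if one exists.
        # NOTE(review): PTR lookups for an attacker's address space reach the
        # attacker's authoritative nameservers — consider skipping reverse DNS
        # for addresses under investigation.
        dns {
          reverse => [ "[zyxel][src_fqdn]" ]
          action => "replace"
          hit_cache_ttl => 480
          hit_cache_size => 500
          failed_cache_ttl => 60
          failed_cache_size => 500
          timeout => 1
        }
      }
    } # endif external src #

    # Same enrichment for public destination addresses (see the notes above).
    if ([zyxel][dst] =~ /.+/) and !([zyxel][dst] =~ /^(0\.|10\.|127\.|169\.254\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|22[4-9]\.|2[3-5][0-9]\.)/) {
      geoip {
        source => "[zyxel][dst]"
        target => "[zyxel][dst_geoip]"
      }
      mutate {
        add_field => [ "[zyxel][dst_fqdn]", "%{[zyxel][dst]}" ]
      }
      if ([zyxel][dst_fqdn] =~ /.+/) {
        dns {
          reverse => [ "[zyxel][dst_fqdn]" ]
          action => "replace"
          hit_cache_ttl => 480
          hit_cache_size => 500
          failed_cache_ttl => 60
          failed_cache_size => 500
          timeout => 1
        }
      }
    } # endif external dst #
  } # endif type:zywall #
  else {
    # Everything that did not arrive with type "zywall" is parsed as Nagios.
    grok { match => { "message" => "%{NAGIOSLOGLINE}" } }
  }
}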
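# Index into the Elasticsearch cluster.
#
# NOTE(review): the hosts carry no scheme, so the output speaks plain HTTP:
# the credentials below and every indexed firewall event cross the network in
# clear. Once the cluster serves TLS, add `ssl => true` with `cacert` (or use
# https:// URLs in `hosts`).
output {
  elasticsearch {
    hosts => [ "172.16.0.1:9200", "172.16.0.2:9200" ]
    # FIX: the config carried the built-in superuser with its well-known
    # default bootstrap password in clear text. The secret now comes from the
    # Logstash keystore (`bin/logstash-keystore add ES_PASSWORD`); Logstash
    # refuses to start if the key is missing, which is the intended fail-closed
    # behaviour. Prefer a dedicated role limited to writing the target indices
    # over `elastic`.
    user => "elastic"
    password => "${ES_PASSWORD}"
  }
}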