  1. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  2. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  3. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"17.253.38.125"}
  4. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  5. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  6. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  7. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  8. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  9. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  10. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  11. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  12. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  13. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  14. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"17.253.38.253"}
  15. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"17.253.52.125"}
  16. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"91.239.100.100"}
  17. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"91.239.100.100"}
  18. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  19. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  20. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  21. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  22. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  23. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  24. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  25. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  26. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  27. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  28. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  29. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  30. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  31. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  32. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  33. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  34. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  35. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"91.239.100.100"}
  36. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  37. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"193.162.153.164"}
  38. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"194.239.134.83"}
  39. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"31.13.72.36"}
  40. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  41. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"194.239.134.83"}
  42. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  43. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"193.162.153.164"}
  44. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  45. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"8.8.8.8"}
  46. [ERROR][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[zyxel][dst_fqdn]", :value=>"85.129.0.126"}
  47.  
  48.  
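  # Logstash pipeline: ZyWALL syslog forwarded by Beats -> parse -> enrich -> Elasticsearch.
  #
  # Changes against the original paste (each marked "Fixed:" below):
  #   * FW_ESPLINE lost its leading '%' and never matched ESP lines;
  #   * FW_ACLLINE had two mistyped field references ("[zyxel][acl][rule>",
  #     "(zyxel][acl][action]");
  #   * add_field was declared twice in the grok block; plugin options are a
  #     hash, so (as I read the config compiler) the later one wins and
  #     [received_at] was silently lost;
  #   * the "private address" test used unescaped dots and covered only
  #     10.0.x.x of 10/8 and 172.16.x.x of 172.16/12, so most RFC 1918 space
  #     was geolocated and reverse-resolved;
  #   * "[[zyxel][src]" / "[[zyxel][dst]" (double bracket) were tolerated by
  #     the lenient field-reference parser of the day but are rejected by
  #     strict parsing in newer releases;
  #   * the dns filter had no failed-result cache - the pasted log shows the
  #     same addresses (8.8.8.8, 17.253.x.x, ...) timing out event after event;
  #   * the Elasticsearch output carried the stock elastic/changeme credentials
  #     in clear text.

  input {
    beats {
      port => 5044
      type => "zywall"
      # NOTE(review): no ssl settings, so Beats traffic arrives in clear text.
      # If the shipper is on another host, enable ssl => true with
      # ssl_certificate / ssl_key so the firewall logs cannot be read or
      # injected on the wire.
    }
  }

  filter {
    if [type] == "zywall" {

      # Stage 1: peel the syslog envelope, then the ZyWALL "|"-delimited
      # header, then the per-message body. The three match entries run in
      # order, each on the field produced by the previous one
      # (break_on_match => false).
      #
      # Fixed: FW_ESPLINE now reads "msg=%{ESP_SEND_RECV:...}" (leading '%').
      # Fixed: FW_ACLLINE field names are "[zyxel][acl][rule]" and
      #        "[zyxel][acl][action]".
      # Fixed: received_at / received_from are set from one add_field hash.
      # ZYWALL_LINE is kept for completeness; no match entry references it.
      grok {
        pattern_definitions => {
          "NOTCOMMA"         => "[^,]*"
          "NOTPIPE"          => "[^\|]*"
          "FW_MSGBLOCK"      => "[^\|]+"
          "FW_HEADER"        => "%{NOTPIPE}\|%{NOTPIPE:[zyxel][manufacturer]}\|%{NOTPIPE:[zyxel][model]}\|%{NOTPIPE}\|%{NOTPIPE:[zyxel][referenceid]}\|%{NOTPIPE:[zyxel][category]}\|%{NOTPIPE:[zyxel][type]}\|"
          "FW_SRC__DPT"      => "src=%{IPV4:[zyxel][src]:ip} dst=%{IPV4:[zyxel][dst]:ip} spt=%{NUMBER:[zyxel][spt]} dpt=%{NUMBER:[zyxel][dpt]}"
          "ESP_SEND_RECV"    => "(Recv|Send)"
          "DHCP_ASSIGN"      => "DHCP %{WORD:[zyxel][dhcp][type]} %{IPV4:[zyxel][dhcp][client_ip]:ip} to \(%{MAC:[zyxel][dhcp][client_mac]}\)"
          "DHCP_OFFER"       => "DHCP server %{WORD:[zyxel][dhcp][type]} %{IPV4:[zyxel][dhcp][client_ip]:ip} to \(%{MAC:[zyxel][dhcp][client_mac]}\)"
          "DHCP_RESPONSE"    => "Sending %{WORD:[zyxel][dhcp][type]} to %{IPV4:[zyxel][dhcp][client_ip]:ip}"
          "DHCP_RELEASE"     => "DHCP %{WORD:[zyxel][dhcp][type]} %{IPV4:[zyxel][dhcp][client_ip]:ip} with \(%{MAC:[zyxel][dhcp][client_mac]}\)"
          "DHCP_REQUEST"     => "%{WORD:[zyxel][dhcp][type]} %{IPV4:[zyxel][dhcp][client_ip]:ip} from \(%{MAC:[zyxel][dhcp][client_mac]}\)"
          "FW_TRAFFICLINE"   => "msg=Traffic Log duration=%{NUMBER:[zyxel][traffic][duration]} out=%{NUMBER:[zyxel][traffic][outbytes]} in=%{NUMBER:[zyxel][traffic][inbytes]} proto=%{NUMBER:[zyxel][traffic][proto]} app=%{GREEDYDATA:[zyxel][traffic][app]}"
          "FW_INTERFACELINE" => "msg=name=%{NOTCOMMA:[zyxel][iface][name]},status=%{NOTCOMMA:[zyxel][iface][status]},TxPkts=%{NUMBER:[zyxel][iface][txpkts]:double},RxPkts=%{NUMBER:[zyxel][iface][rxpkts]:double},Colli.=%{NUMBER:[zyxel][iface][collisions]:double},TxB/s=%{NUMBER:[zyxel][iface][tx]:double},RxB/s=%{NUMBER:[zyxel][iface][rx]:double}"
          "FW_MONITORLINE"   => "msg=cpu=%{NUMBER:[zyxel][monitoring][utilization]:int},memory=%{NUMBER:[zyxel][monitoring][memory]:int},sessions=%{NUMBER:[zyxel][monitoring][sessions]:int},uptime=%{GREEDYDATA:[zyxel][monitoring][uptime]}"
          "FW_OTHERLINE"     => "msg=%{GREEDYDATA:[zyxel][misc][message]}Action: %{GREEDYDATA:[zyxel][misc][action]} Severity: %{NOTSPACE:[zyxel][misc][severity]} act=%{GREEDYDATA:[zyxel][misc][event]}"
          "FW_ESPLINE"       => "msg=%{ESP_SEND_RECV:[zyxel][ike][espdirection]}:%{GREEDYDATA:[zyxel][ike][espchatter]}"
          "FW_DHCPLINE"      => "msg=(?:%{DHCP_ASSIGN}|%{DHCP_OFFER}|%{DHCP_RESPONSE}|%{DHCP_RELEASE}|%{DHCP_REQUEST})"
          "FW_ACLLINE"       => "msg=priority:%{NUMBER:[zyxel][acl][priority]:int}, %{NOTCOMMA:[zyxel][acl][rule]}, %{NOTCOMMA:[zyxel][acl][proto]}, service %{NOTCOMMA:[zyxel][acl][service]}, %{NOTSPACE:[zyxel][acl][action]}"
          "FW_LIMITLINE"     => "\(%{NUMBER:[zyxel][acl][session_limit]:int}\)"
          "FW_USERLINE1"     => "msg=%{WORD:[zyxel][user][role]} %{WORD:[zyxel][user][name]} from %{NOTSPACE:[zyxel][user][client]} has logged %{WORD:[zyxel][user][logintype]} %{WORD:[zyxel][user][realm]}"
          "FW_USERLINE2"     => "msg=Failed login attempt to %{WORD:[zyxel][user][realm]} from %{NOTSPACE:[zyxel][user][client]}"
          "FW_USERLINE"      => "(?:%{FW_USERLINE1}|%{FW_USERLINE2})"
          "FW_LINEALL"       => "(?:%{FW_TRAFFICLINE}|%{FW_INTERFACELINE}|%{FW_MONITORLINE}|%{FW_OTHERLINE}|%{FW_ESPLINE}|%{FW_DHCPLINE}|%{FW_ACLLINE}|%{FW_LIMITLINE}|%{FW_USERLINE})"
          "ZYWALL_LINE"      => "%{FW_HEADER}%{FW_SRC__DPT} %{FW_LINEALL}"
        }
        break_on_match => false
        match => {
          "[message]"         => "%{SYSLOGTIMESTAMP:[syslog][timestamp]} %{SYSLOGHOST:[syslog][hostname]} %{DATA:[syslog][program]}: %{GREEDYDATA:[syslog][message]}"
          "[syslog][message]" => "%{FW_HEADER}%{FW_SRC__DPT} %{GREEDYDATA:[zyxel][message]}"
          "[zyxel][message]"  => "%{FW_LINEALL}"
        }
        add_field => {
          "[received_at]"   => "%{@timestamp}"
          "[received_from]" => "%{host}"
        }
        remove_field => [ "[syslog][message]" ]
      }

      # A realm without a logintype only arises from the FW_USERLINE2 (failed
      # login) form, so label it explicitly for dashboards and alerts.
      if [zyxel][user][realm] and ![zyxel][user][logintype] {
        mutate {
          add_field => { "[zyxel][user][logintype]" => "failed" }
        }
      }

      # Sampling: keep only 15% of events whose source is on 192.168.6.0/24.
      # NOTE(review): this throws away most LAN-originated firewall events,
      # denies and ACL hits included - a detection blind spot. If volume is the
      # concern, drop only the noisy categories (traffic / interface / monitor
      # lines) rather than sampling by source. Dots are escaped so that e.g.
      # "192x168y6z" can no longer satisfy the test.
      if [zyxel][src] =~ /^192\.168\.6\./ {
        drop { percentage => 85 }
      }

      # Syslog timestamps carry neither year nor zone; the date filter assumes
      # the Logstash host's zone and the current year. Set timezone => "..."
      # here if the firewall's clock is in a different zone. The two-space
      # "MMM  d" form is what syslog emits for day-of-month < 10.
      date {
        match => [ "[syslog][timestamp]", "MMM  d HH:mm:ss", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
      }

      # Enrichment only for addresses that are not private / reserved:
      # 10/8, 172.16/12, 192.168/16, loopback, link-local, multicast, 0.0.x.x.
      # Fixed: full RFC 1918 ranges, escaped dots, single-bracket field refs.
      if ([zyxel][src] =~ /.+/) and !([zyxel][src] =~ /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.|2(2[4-9]|3[0-9])\.|0\.0\.)/) {
        geoip {
          source => "[zyxel][src]"
          target => "[zyxel][src_geoip]"
        }
        # Copy the raw IP first so the reverse lookup can overwrite the copy
        # and [zyxel][src] stays a plain address.
        mutate {
          add_field => { "[zyxel][src_fqdn]" => "%{[zyxel][src]}" }
        }
        if [zyxel][src_fqdn] =~ /.+/ {
          dns {
            reverse           => [ "[zyxel][src_fqdn]" ]
            action            => "replace"
            hit_cache_ttl     => 480
            hit_cache_size    => 500
            # Fixed: remember addresses that failed to resolve so one slow or
            # dead PTR does not stall the pipeline for a full timeout on every
            # event that mentions it.
            failed_cache_ttl  => 60
            failed_cache_size => 500
            # NOTE(review): every external peer IP is sent to whatever resolver
            # the Logstash host uses. Point nameserver => [ "..." ] at an
            # internal resolver if that traffic metadata must not leave the
            # network.
          }
        }
      } # endif external src #

      if ([zyxel][dst] =~ /.+/) and !([zyxel][dst] =~ /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.|2(2[4-9]|3[0-9])\.|0\.0\.)/) {
        geoip {
          source => "[zyxel][dst]"
          target => "[zyxel][dst_geoip]"
        }
        mutate {
          add_field => { "[zyxel][dst_fqdn]" => "%{[zyxel][dst]}" }
        }
        if [zyxel][dst_fqdn] =~ /.+/ {
          dns {
            reverse           => [ "[zyxel][dst_fqdn]" ]
            action            => "replace"
            hit_cache_ttl     => 480
            hit_cache_size    => 500
            # Fixed: see the src block - the pasted log is exactly this lookup
            # timing out repeatedly on the same destinations.
            failed_cache_ttl  => 60
            failed_cache_size => 500
          }
        }
      } # endif external dst #

    } # endif type:zywall #
    else {
      # Anything not tagged zywall is assumed to be a Nagios log line.
      grok { match => { "message" => "%{NAGIOSLOGLINE}" } }
    }
  }

  output {
    elasticsearch {
      hosts    => [ "172.16.0.1:9200", "172.16.0.2:9200" ]
      # Fixed: credentials come from the environment / keystore instead of the
      # config file (the original carried elastic/changeme in clear text, and
      # was pasted publicly). ES_USER falls back to "elastic"; ES_PASSWORD has
      # no fallback on purpose - Logstash refuses to start if it is unset.
      user     => "${ES_USER:elastic}"
      password => "${ES_PASSWORD}"
      # NOTE(review): this is plain HTTP to port 9200. If the cluster serves
      # TLS, add ssl => true and cacert => "<path to CA>".
    }
  }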