-
Notifications
You must be signed in to change notification settings - Fork 0
/
logstash-j.conf
90 lines (86 loc) · 3.53 KB
/
logstash-j.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
input {
file {
path => "/home/laconi/juniper/*/*"
exclude => "*.gz"
}
stdin{}
}
filter {
if [message] =~ ".*xntpd.*" {
grok {
patterns_dir => "../install/logstash-pattern"
match => [ "message", "%{XNTPD}" ]
}
mutate { add_tag => ["XNTPD"]}
}
else if [message] =~ "vccp" {
grok {
match => {
"message" => [ "message", "%{CISCOTIMESTAMP:timestamp}\s+%{URIHOST:hostname} %{DATA:junipermodule}\[\d+\]: %{DATA:Membre}\, interface %{DATA:Interface} came %{WORD:interface_etat}"]
}
}
mutate { add_tag => ["Juniper"]}
}
else if [message] =~"KERN_ARP_DUPLICATE_ADDR" {
grok {
match => {
"message" => [ "message", "%{CISCOTIMESTAMP:timestamp}\s+%{IPORHOST}\s+\/kernel:\s+KERN_ARP_DUPLICATE_ADDR:%{GREEDYDATA:msg}" ]
}
}
mutate { add_tag => ["Juniper"]}
}
else if [message] =~"kernel" {
grok {
match => {
"message" => [ "message", "%{CISCOTIMESTAMP:timestamp} %{DATA:hostname} \/kernel\: %{DATA:juniperbundle}\: bundle %{DATA:Interface} state changed to %{WORD:interface_etat}" ]
}
}
mutate { add_tag => ["Juniper"]}
}
else if [message] =~ "SNMP_TRAP_LINK_DOWN" {
grok {
match => {
"message" => [ "message", "%{CISCOTIMESTAMP:timestamp}\s+%{DATA:hostname} %{DATA:mib2d}\: %{DATA:snmp-trap}: ifIndex %{DATA:ifIndex}, ifAdminStatus %{DATA:ifAdminStatus}\([0-9]*\), ifOperStatus %{DATA:ifOperStatus}\([0-9]*\), ifName %{GREEDYDATA:port}" ]
}
}
mutate { add_tag => ["mib2d"]}
}
else if [message] =~ "dst-xlated" {
grok {
match => {
"message" => ["message","%{CISCOTIMESTAMP:timestamp}\s%{IPORHOST} %{IPORHOST}:\sNetScreen device_id=%{WORD:device_id}\s+\[Root\]%{DATA:SystemType}-%{INT:SystemNotificationId}\(traffic\): start_time=%{QS} duration=%{INT:duration} policy_id=%{INT:policy_id} service=%{DATA:service} proto=%{INT:protocol} src zone=%{WORD} dst zone=%{WORD} action=%{WORD:action} sent=%{INT} rcvd=%{INT} src=%{IP:src_ip} dst=%{IP:dst_ip} src_port=%{DATA:src_port} dst_port=%{DATA:dst_port} src-xlated ip=%{IP:src_xlated_ip} port=%{DATA:src_xlated_port} dst-xlated ip=%{IP:dst_xlated_ip} port=%{DATA:dst_xlated_port} session_id=%{INT:session_id} reason=%{WORD:reason}" ]
}
}
mutate { add_tag => ["NetScreen"]}
}
else if [message] =~ ".*system-notification-00257.*Denied$" {
grok {
match => {
"message" => ["message","%{CISCOTIMESTAMP:timestamp}\s%{IPORHOST} %{IPORHOST}:\sNetScreen device_id=%{WORD:device_id}\s+\[Root\]%{DATA:SystemType}-%{INT:SystemNotificationId}\(traffic\): start_time=%{QS} duration=%{INT:duration} policy_id=%{INT:policy_id} service=%{DATA:service} proto=%{INT:protocol} src zone=%{WORD} dst zone=%{WORD} action=%{WORD:action} sent=%{INT} rcvd=%{INT} src=%{IP:src_ip} dst=%{IP:dst_ip} src_port=%{DATA:src_port} dst_port=%{DATA:dst_port} session_id=%{INT:session_id} reason=%{WORD:reason}" ]
}
}
mutate { add_tag => ["NetScreen"]}
}
else if [message] =~ "NetScreen" {
grok {
match => {
"message" => ["message","%{CISCOTIMESTAMP:timestamp}\s%{IPORHOST}\s%{IPORHOST}:\sNetScreen device_id=%{WORD:device_id}\s+\[Root\]%{DATA:SystemType}-%{WORD:SystemNotificationId}:\s%{GREEDYDATA:MsgNotification}" ]
}
}
mutate { add_tag => ["NetScreen"]}
}
date {
match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
locale => en
remove_field => "timestamp"
}
}
output {
stdout {
codec => rubydebug
}
#elasticsearch {
# protocol => "http"
# host => "localhost"
# }
}