Hi, we just installed an ELK server and configured Logstash to match the data we send to it. Until last month it seemed to be working fine, but since then we see very strange behavior in Kibana: the events-over-time histogram shows the event rate at the normal level for about half an hour, then it drops to about 20% of the normal rate, continues to drop slowly for about two hours and then stops; after a minute or two it returns to normal for the next half an hour or so, and the same behavior repeats. Needless to say, both /var/log/logstash and /var/log/elasticsearch show nothing since the service started, and with tcpdump we can verify that events keep coming in at the same rate the whole time. I have attached our Logstash configuration, /var/logstash/logstash.log, /var/log/elasticsearch/clustername.log and a screenshot of our Kibana with no filter applied, so that you can see the odd behavior we are seeing.
Is there someone or somewhere we can turn to for help on this? Thanks a lot, Yuval. -- You received this message because you are subscribed to the Google Groups "elasticsearch" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/c2e5a524-1ba6-4dc9-9fc3-d206d8f82717%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
#This file was created by Yuval Khalifa - Mivtach Simon to handle inputs to the
#ElasticSearch/Kibana analysis at 2014-07-13T17:20
#
#
input {
  # Security Onion syslog feed. No host => is given, so the listener binds
  # every interface (the tcp input's default); the stream is cleartext TCP.
  tcp {
    type => "syslog_onion"
    port => 5555
  }
}
input {
  # F5 syslog feed, decoded as CP1252 (Windows-1252) instead of the plain
  # codec's default UTF-8.
  tcp {
    type => "syslog_f5"
    port => 5551
    codec => plain { charset => "CP1252" }
  }
}
input {
  # "syslog_vault" feed over plain TCP.
  tcp {
    type => "syslog_vault"
    port => 5552
  }
}
input {
  # FortiGate syslog feed; bytes are decoded as CP1252 (Windows-1252).
  tcp {
    type => "syslog_fortigate"
    port => 5553
    codec => plain { charset => "CP1252" }
  }
}
input {
  # Windows event-log feed ("syslog_eventlogs") over plain TCP.
  tcp {
    type => "syslog_eventlogs"
    port => 5554
  }
}
input {
  # Mail-alert feed ("syslog_mailalerts") over plain TCP.
  tcp {
    type => "syslog_mailalerts"
    port => 5556
  }
}
input {
  # Scratch feed ("syslog_test") over plain TCP.
  tcp {
    type => "syslog_test"
    port => 5557
  }
}
input {
  # Feed from the "elkconnector" forwarder over plain TCP.
  tcp {
    type => "syslog_elkconnector"
    port => 5558
  }
}
input {
  # VMware ESXi syslog feed over plain TCP on port 1514.
  tcp {
    type => "syslog_vmware_esxi"
    port => 1514
  }
}
input {
  # snmptrapd output tailed from disk and decoded as CP1252. No
  # start_position is set, so (the file input's default) a file seen for the
  # first time is read from its end: only new traps are picked up.
  file {
    type => "snmptrap"
    path => [ "/srv/snmptraps/snmptrapd.log" ]
    codec => plain { charset => "CP1252" }
  }
}
input {
  # Every file under /srv/f5 whose name starts with certs_ is tailed.
  file {
    type => "f5_certs"
    path => [ "/srv/f5/certs_*" ]
  }
}
#input {
# file {
# type => "iis"
# path => ["/srv/iis/**/*.log"]
# codec => plain {
# charset => "ISO-8859-1"
# }
# }
#}
filter {
  # Discard noise before any parsing runs: blank lines, a lone double quote,
  # comment lines (including ones forwarded with an empty "- -" syslog
  # header), a known placeholder string, and snmptrapd's own start/stop
  # chatter. Trailing/leading ".*" were dropped from the regexes because
  # =~ is an unanchored search, so they changed nothing.
  # NOTE(review): in Ruby regexes ^ and $ anchor at line boundaries, so
  # /^\s*$/ and /^#/ also fire on a multi-line message that merely contains
  # a blank or "#" line; confirm that silently dropping those is intended.
  if [message] =~ /^\s*$/
     or [message] == "\""
     or [message] =~ /^#/
     or [message] =~ / - - #/
     or [message] == "default send string"
     or [message] =~ /^NET-SNMP version/
     or [message] =~ /^AgentX master disconnected/
     or [message] =~ /^Stopping snmptrapd/
     or [message] =~ /NET-SNMP version.*Stopped./ {
    drop { }
  }
}
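filter {
  # IIS access-log lines. The matching "iis" input is commented out above, so
  # this block is dormant until that input is re-enabled.
  # Two column layouts are tried in order and grok stops at the first match
  # (break_on_match defaults to true); the second layout is the first minus
  # the cs_bytes column. Each pattern must stay on ONE line: a line break
  # inside the quoted pattern becomes part of the regex and the line never
  # matches.
  # log_timestamp is only captured here; no date filter applies it, so
  # @timestamp keeps the value the input assigned.
  # NOTE(review): DATESTAMP expects a US/EU numeric date (MM/DD/YY or
  # DD.MM.YY style); if these logs use the W3C default yyyy-mm-dd form,
  # TIMESTAMP_ISO8601 is the pattern to use — verify against a sample line.
  if [type] == "iis" {
    grok {
      add_field => { "sotool" => "iis" }
      match => [
        "message", "%{DATESTAMP:log_timestamp} %{WORD:s_sitename} %{NOTSPACE:s_computername} %{IP:dstip} %{WORD:cs_method} %{URIPATH:cs_uri_stem} %{NOTSPACE:cs_uri_query} %{NUMBER:dstport} %{NOTSPACE:cs_username} %{IPORHOST:srcip} %{NOTSPACE:cs_version} %{NOTSPACE:httpUserAgent} %{NOTSPACE:cs_cookie} %{NOTSPACE:cs_referer} %{NOTSPACE:cs_host} %{NOTSPACE:sc_status} %{NOTSPACE:sc_substatus} %{NOTSPACE:sc_win32status} %{INT:sc_bytes} %{INT:cs_bytes} %{INT:timeTaken}",
        "message", "%{DATESTAMP:log_timestamp} %{WORD:s_sitename} %{NOTSPACE:s_computername} %{IP:dstip} %{WORD:cs_method} %{URIPATH:cs_uri_stem} %{NOTSPACE:cs_uri_query} %{NUMBER:dstport} %{NOTSPACE:cs_username} %{IPORHOST:srcip} %{NOTSPACE:cs_version} %{NOTSPACE:httpUserAgent} %{NOTSPACE:cs_cookie} %{NOTSPACE:cs_referer} %{NOTSPACE:cs_host} %{NOTSPACE:sc_status} %{NOTSPACE:sc_substatus} %{NOTSPACE:sc_win32status} %{INT:sc_bytes} %{INT:timeTaken}"
      ]
    }
  }
}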
#filter {
# if ([type] == "syslog_vmware_esxi") {
# grok {
# match => [
# "message", "(?<prefixNo>\<[0-9].*\>)%{INT:prefixInt} %{TIMESTAMP_ISO8601:@timestamp} %{NOTSPACE:host} %{NOTSPACE:service}:(?<logline>.*)"
# ]
# }
# }
#}
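filter {
  # Events from the "elkconnector" forwarder: a syslog header, then a numeric
  # message id and a CSV payload whose column layout depends on that id.
  if [type] == "syslog_elkconnector" {
    mutate {
      # Remove embedded line breaks so the whole record is one line for grok.
      gsub => [ "message", "\n", "" ]
    }
    grok {
      # Kept on ONE line: a line break inside the quoted pattern becomes part
      # of the regex and nothing matches. The PRI part is [0-9]+ rather than
      # [0-9].*, so a ">" later in the record is never taken as the end of the
      # header (the greedy form started from the LAST ">" and backtracked).
      # NOTE(review): the sender's ISO8601 time lands in @timestamp as a grok
      # capture rather than through a date filter, so Kibana plots
      # sender-reported time and sender clock/zone drift shows up as an
      # apparent rate change — confirm this is intended.
      match => [ "message", "(?<prefixNo>\<[0-9]+\>)%{INT:prefixInt} %{TIMESTAMP_ISO8601:@timestamp} %{NOTSPACE:sensor} %{NOTSPACE:reportingProcessName} %{INT:reportingProcessID} %{INT:syslogMessageId} (?<csvLine>.*)" ]
    }
    # The id-specific parsing is nested under the type check so it can never
    # apply to another type that happens to carry a syslogMessageId field.
    # Id 2000: a file path and one log line.
    if [syslogMessageId] == "2000" {
      csv {
        columns => [ "fullpath", "logline" ]
        source => "csvLine"
      }
      mutate {
        # ^p / ^r / ^n are the sender's line-break markers: restore real line
        # breaks, then strip a backslash at the end of a line (presumably the
        # one the replacement text leaves behind). All four rules sit in a
        # single gsub array: repeating gsub => inside one mutate relies on how
        # Logstash merges duplicate settings, and a merge that drops repeated
        # strings would break the field/pattern/replacement triples.
        gsub => [
          "logline", "\^p", "\
",
          "logline", "\^r", "\
",
          "logline", "\^n", "\
",
          "logline", "\\$", ""
        ]
      }
    }
    # Id 2001: a Windows event-log record, judging by the column names.
    if [syslogMessageId] == "2001" {
      csv {
        columns => [ "logName", "source", "category", "categoryNumber", "timeGenerated", "timeWritten", "userName", "eventId", "entryType", "eventMessage" ]
        source => "csvLine"
      }
      mutate {
        # Same line-break restoration as for id 2000, applied to eventMessage.
        gsub => [
          "eventMessage", "\^p", "\
",
          "eventMessage", "\^r", "\
",
          "eventMessage", "\^n", "\
",
          "eventMessage", "\\$", ""
        ]
      }
    }
  }
}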
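filter {
  # Mail-alert events: syslog header, numeric message id, then a CSV record
  # describing the mail (id, handler, from, to, subject, body, link).
  if [type] == "syslog_mailalerts" {
    mutate {
      # Remove embedded line breaks so the whole record is one line for grok.
      gsub => [ "message", "\n", "" ]
    }
    grok {
      # Kept on ONE line: a line break inside the quoted pattern becomes part
      # of the regex and nothing matches. The PRI part is [0-9]+ rather than
      # [0-9].*, so a ">" in a mail body (quoted replies are full of them) is
      # never taken as the end of the header.
      # NOTE(review): the sender's ISO8601 time lands in @timestamp as a grok
      # capture rather than through a date filter, so Kibana plots
      # sender-reported time and sender clock/zone drift shows up as an
      # apparent rate change — confirm this is intended.
      match => [ "message", "(?<prefixNo>\<[0-9]+\>)%{INT:prefixInt} %{TIMESTAMP_ISO8601:@timestamp} %{NOTSPACE:sensor} %{NOTSPACE:reportingProcessName} %{INT:reportingProcessID} %{INT:syslogMessageId} (?<csvLine>.*)" ]
    }
    csv {
      columns => [ "messageId", "mailHandler", "from", "to", "subject", "body", "link" ]
      source => "csvLine"
    }
    # Alerts from one known sender have a fixed body layout from which the
    # target, the status change and the metric value are extracted. The
    # sender address is taken from the mail itself, so it only selects the
    # parsing; it is not a source of trust.
    if [from] == "[email protected]" {
      grok {
        # ONE line, for the same reason as above.
        match => [ "body", "Target: %{NOTSPACE:alertTarget} \^nPrevious Status\: %{NOTSPACE:previousStatus} \^nNew Status: %{NOTSPACE:newStatus} \^n \^nAlarm Definition: \^n\(\[(?<alarmDefinition>.*)\]\) \^n \^nCurrent values for metric/state: \^n Metric (?<metricName>.*) = %{INT:metricValue}" ]
      }
      mutate {
        convert => [ "metricValue", "integer" ]
      }
    }
    mutate {
      # ^p / ^r / ^n are the sender's line-break markers: restore real line
      # breaks, then strip a backslash at the end of a line (presumably the
      # one the replacement text leaves behind). All four rules sit in a
      # single gsub array: repeating gsub => inside one mutate relies on how
      # Logstash merges duplicate settings, and a merge that drops repeated
      # strings would break the field/pattern/replacement triples.
      gsub => [
        "body", "\^p", "\
",
        "body", "\^r", "\
",
        "body", "\^n", "\
",
        "body", "\\$", ""
      ]
    }
  }
}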
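filter {
  # Windows event-log lines: "<timestamp> <host> <level> <event id> <text>".
  if [type] == "syslog_eventlogs" {
    grok {
      add_field => { "sotool" => "windows_eventlogs" }
      # Kept on ONE line: a line break inside the quoted pattern becomes part
      # of the regex and nothing matches. log_timestamp is only captured; no
      # date filter applies it, so @timestamp keeps the value the input set.
      match => [ "message", "%{DATESTAMP:log_timestamp} %{HOST:eventHostName} %{NOTSPACE:eventType} %{INT:eventId} (?<eventMessage>.*)" ]
    }
  }
}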
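filter {
  # FortiGate syslog: everything after the "<PRI>" header is a comma-separated
  # list of key=value pairs that kv expands into event fields.
  if [type] == "syslog_fortigate" {
    mutate {
      add_field => { "sotool" => "fortigate" }
    }
    grok {
      # [0-9]+ rather than [0-9].*: the greedy form extended prefixNo to the
      # LAST ">" in the line, so any ">" inside the record (for example in a
      # quoted msg= value) left csvLine holding only the tail of the record.
      match => [ "message", "(?<prefixNo>\<[0-9]+\>)(?<csvLine>.*)" ]
    }
    kv {
      # Keys come from the device verbatim and, with no target =>, are written
      # at the top level of the event, so a device key that shares a name
      # with an existing field would replace it.
      # NOTE(review): FortiGate records commonly carry their own type= key —
      # verify against a sample; include_keys / exclude_keys or a target =>
      # would contain that, but are not applied here because dashboards
      # depend on the current field names.
      source => "csvLine"
      field_split => ","
      value_split => "="
    }
  }
}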
filter {
if ([type] == "syslog_onion") {
grok {
#Sample base line:
match => [
"message", "(?<prefixNo>\<[0-9].*\>)%{INT:prefixInt}
%{TIMESTAMP_ISO8601:@timestamp} %{IPORHOST:sensor} %{WORD:sotool}",
"message",
"(?<prefixNo>\<[0-9].*\>)%{INT:prefixInt}_%{TIMESTAMP_ISO8601:@timestamp}_(?<sensor>[A-Za-z0-9\-]{1,1000})_(?<sotool>[A-Za-z]{1,1000})",
"message", "%{SYSLOGTIMESTAMP:@timestamp} %{WORD:sotool}"
]
}
if [sotool] == "sguil_alert"{
grok {
#Sample line: <13>1 2014-07-13T11:27:57+00:00 mvs-onion
sguil_alert - - [meta sequenceId="21675"] 11:27:56 pid(21945) Alert Received:
0 3 misc-activity mvs-onion-eth1 {2014-07-13 11:04:09} 9 116908442 {URL
images1.ynet.co.il} 10.253.140.54 82.166.201.187 6 3869 80 10001 420042 1
116908442 116908442
match => [ "message", "(?<Field6>[^| ]{1,1000}) (?<Field7>[^|
]{1,1000}) \[meta sequenceId=\"(?<metaSequenceId>[^|]{1,1000})\"\]
%{TIME:alertTime} pid\(%{INT:pid}\) Alert Received: %{INT:eventStatus}
%{INT:eventPriority} (?<eventClass>[^| ]{1,1000}) (?<sensorIface>[^| ]{1,1000})
\{(?<eventTimeStamp>[^\{\}]{1,1000})\} %{INT:eventSid} %{INT:eventCid}
\{(?<eventSignature>[^\{\}]{1,1000})\} (?<srcip>[^ ]{1,1000}) (?<dstip>[^
]{1,1000}) (?<proto>[^ ]{1,1000}) (?<srcport>[^ ]{1,1000}) (?<dstport>[^
]{1,1000}) (?<signatureGen>[^ ]{1,1000}) (?<signatureId>[^ ]{1,1000})
(?<signatureRev>[^ ]{1,1000}) (?<unifiedEventId>[^ ]{1,1000})
(?<unifiedEventRev>[^ ]{1,1000})" ]
#add link to CapMe via CapMeLauncher like this:
http://mvs-sniffer/capmelauncher/?sip=192.168.220.2&dip=65.39.139.63&spt=28642&dpt=53&time=1406952581
add_field => { "RawPackets" =>
"http://mvs-sniffer/capmelauncher/?time=%{@timestamp}&sip=%{srcip}&dip=%{dstip}&spt=%{srcport}&dpt=%{dstport}"
}
}
}
if [sotool] == "bro_conn"{
grok {
#Sample line: <13>1 2014-06-30T08:02:34+00:00 127.0.0.1 bro_conn
- - -
1404115021.768382|CKVpZysOMlmd9FTJ5|10.253.33.18|63589|10.253.33.18|32769|tcp|-|0.001959|254|18|SF|T|1|HsADdafF|11|984|7|328|(empty)|-|-|mvs-onion-eth1
match => [ "message", "(?<Field6>[^|]{1,1000})
(?<Field7>[^|]{1,1000}) (?<Field8>[^|]{1,1000})
(?<ts>[^|]{1,1000})\|(?<conn_uid>[^|]{1,1000})\|(?<srcip>[^|]{1,1000})\|(?<srcport>[^|]{1,1000})\|(?<dstip>[^|]{1,1000})\|(?<dstport>[^|]{1,1000})\|(?<proto>[^|]{1,1000})\|(?<service>[^|]{1,1000})\|(?<duration>[^|]{1,1000})\|(?<orig_bytes>[^|]{1,1000})\|(?<resp_bytes>[^|]{1,1000})\|(?<conn_state>[^|]{1,1000})\|(?<local_orig>[^|]{1,1000})\|(?<missed_bytes>[^|]{1,1000})\|(?<history>[^|]{1,1000})\|(?<orig_pkts>[^|]{1,1000})\|(?<orig_ip_bytes>[^|]{1,1000})\|(?<resp_pkts>[^|]{1,1000})\|(?<resp_ip_bytes>[^|]{1,1000})\|(?<tunnel_parents>[^|]{1,1000})\|(?<unknownField1>[^|]{1,1000})\|(?<unknownField2>[^|]{1,1000})\|(?<peer>[^|]{1,1000})"
]
#add link to CapMe via CapMeLauncher like this:
http://mvs-sniffer/capmelauncher/?sip=192.168.220.2&dip=65.39.139.63&spt=28642&dpt=53&time=1406952581
add_field => { "RawPackets" =>
"http://mvs-sniffer/capmelauncher/?sip=%{srcip}&dip=%{dstip}&spt=%{srcport}&dpt=%{dstport}&time=%{ts}"
}
}
}
if [sotool] == "bro_dns"{
grok {
#Sample line: <13>1 2014-06-30T06:39:15+00:00 127.0.0.1 bro_dns -
- -
1404110310.475946|Cgy4hQKGRgasKpyPb|10.253.41.150|59694|224.0.0.252|5355|udp|10833|wpad|1|C_INTERNET|1|A|-|-|F|F|F|F|0|-|-|F
match => [ "message", "(?<Field6>[^|]{1,1000})
(?<Field7>[^|]{1,1000}) (?<Field8>[^|]{1,1000})
(?<ts>[^|]{1,1000})\|(?<conn_uid>[^|]{1,1000})\|(?<srcip>[^|]{1,1000})\|(?<srcport>[^|]{1,1000})\|(?<dstip>[^|]{1,1000})\|(?<dstport>[^|]{1,1000})\|(?<proto>[^|]{1,1000})\|(?<trans_id>[^|]{1,1000})\|(?<query>[^|]{1,1000})\|(?<qclass>[^|]{1,1000})\|(?<qclass_name>[^|]{1,1000})\|(?<qtype>[^|]{1,1000})\|(?<qtype_name>[^|]{1,1000})\|(?<rcode>[^|]{1,1000})\|(?<rcode_name>[^|]{1,1000})\|(?<isAuthoritativeAnswer>[^|]{1,1000})\|(?<isTruncated>[^|]{1,1000})\|(?<isRecursiveDesired>[^|]{1,1000})\|(?<isRecursiveAvailable>[^|]{1,1000})\|(?<reserved1>[^|]{1,1000})\|(?<answers>[^|]{0,1000})"
]
#add link to CapMe via CapMeLauncher like this:
http://mvs-sniffer/capmelauncher/?sip=192.168.220.2&dip=65.39.139.63&spt=28642&dpt=53&time=1406952581
add_field => { "RawPackets" =>
"http://mvs-sniffer/capmelauncher/?sip=%{srcip}&dip=%{dstip}&spt=%{srcport}&dpt=%{dstport}&time=%{ts}"
}
}
}
if [sotool] == "bro_http"{
grok {
#Sample line: <13>1 2014-06-30T14:19:34+00:00 127.0.0.1 bro_http -
- -
1404137972.655828|Cuv0Su3JX7CZYM4Jqh|193.16.147.2|58706|194.90.196.79|80|3|GET|r4---sn-oxu8pnpvo-ua8l.googlevideo.com|/videoplayback?c=web&clen=10171925&cpn=vNFFXwAXlvOwUBwp&cver=as3&dur=185.625&expire=1404162000&fexp=902408,909708,924222,930008,930813,934024,934030,935640,943411,946008&gir=yes&id=o-AHYm782dikI5yAWWgE5IQodWYompbemTEFnuwD4rlGIe&ip=193.16.147.2&ipbits=0&itag=134&keepalive=yes&key=yt5&lmt=1374174125958587&ms=au&mt=1404137503&mv=m&mws=yes&range=1785856-2678783&ratebypass=yes&signature=066B137557576A8BC482974782B963F84D666FB8.84EB08D6721734D23CB5395B9BE8913C4342949F&source=youtube&sparams=clen,dur,gir,id,ip,ipbits,itag,lmt,source,upn,expire&sver=3&upn=tuTf0n9eVnM|http://www.youtube.com/v/FrTBKCx3GmM?rel=0&loop=1&playlist=FrTBKCx3GmM&controls=0&showinfo=0&showsearch=0&wmode=transparent&version=3&enablejsapi=1&playerapiid=youtube-FrTBKCx3GmM_video_yt_embed|Mozilla/5.0
(Windows NT 5.1; rv:28.0) Gecko/20100101
Firefox/28.0|0|892928|200|OK|-|-|-|(empty)|-|-|-|-|-|FMFjKT23v1KLVlH6o6|application/octet-stream
match => [ "message", "(?<Field6>[^|]{1,1000})
(?<Field7>[^|]{1,1000}) (?<Field8>[^|]{1,1000})
(?<ts>[^|]{1,1000})\|(?<conn_uid>[^|]{1,1000})\|(?<srcip>[^|]{1,1000})\|(?<srcport>[^|]{1,1000})\|(?<dstip>[^|]{1,1000})\|(?<dstport>[^|]{1,1000})\|(?<unknownField1>[^|]{1,1000})\|(?<method>[^|]{1,1000})\|(?<hostname>[^|]{1,1000})\|(?<uri>[^|]{1,5000})\|(?<referrer>[^|]{1,5000})\|(?<useragent>[^|]{0,1000})\|(?<request_body_len>[^|]{0,1000})\|(?<response_body_len>[^|]{0,1000})\|(?<status_code>[^|]{0,1000})\|(?<status_msg>[^|]{0,1000})\|(?<info_code>[^|]{0,1000})\|(?<info_msg>[^|]{0,1000})\|(?<filename>[^|]{0,1000})\|(?<tags>[^|]{0,1000})\|(?<username>[^|]{0,1000})\|(?<password>[^|]{0,1000})\|(?<capture_password>[^|]{0,1000})\|(?<proxied>[^|]{0,1000})\|(?<range_request>[^|]{0,1000})\|(?<orig_fuids>[^|]{0,1000})\|(?<orig_mime_types>[^|]{0,1000})"
]
#add link to CapMe via CapMeLauncher like this:
http://mvs-sniffer/capmelauncher/?sip=192.168.220.2&dip=65.39.139.63&spt=28642&dpt=53&time=1406952581
add_field => { "RawPackets" =>
"http://mvs-sniffer/capmelauncher/?sip=%{srcip}&dip=%{dstip}&spt=%{srcport}&dpt=%{dstport}&time=%{ts}"
}
}
}
if [sotool] == "bro_weird"{
grok {
#Sample line: <13>1 2014-06-30T19:18:34+00:00 127.0.0.1 bro_weird
- - -
1404155912.877890|C8EFQvCtOgBtLipri|10.253.19.47|30576|10.253.0.150|7500|possible_split_routing|-|F|mvs-onion-eth1-1
match => [ "message", "(?<Field6>[^|]{1,1000})
(?<Field7>[^|]{1,1000}) (?<Field8>[^|]{1,1000})
(?<ts>[^|]{1,1000})\|(?<conn_uid>[^|]{1,1000})\|(?<srcip>[^|]{1,1000})\|(?<srcport>[^|]{1,1000})\|(?<dstip>[^|]{1,1000})\|(?<dstport>[^|]{1,1000})\|(?<weirdType>[^|]{1,1000})\|(?<additionalInfo>[^|]{1,1000})\|(?<noticeCreated>[^|]{1,1000})\|(?<peer>[^|]{1,1000})"
]
#add link to CapMe via CapMeLauncher like this:
http://mvs-sniffer/capmelauncher/?sip=192.168.220.2&dip=65.39.139.63&spt=28642&dpt=53&time=1406952581
add_field => { "RawPackets" =>
"http://mvs-sniffer/capmelauncher/?sip=%{srcip}&dip=%{dstip}&spt=%{srcport}&dpt=%{dstport}&time=%{ts}"
}
}
}
if [sotool] == "bro_files"{
grok {
#Sample line: <13>1 2014-06-30T19:18:35+00:00 127.0.0.1 bro_files
- - -
1404155914.745514|FzqenNpOD6C471pq3|82.166.201.187|193.16.147.2|CWegI347LkISvne9Zf|HTTP|0|MD5,SHA1|text/plain|-|0.000000|F|F|220|220|0|0|F|-|c1b50ae3ec8007adf6a02b6f748a1aac|268fe9519f4505f47c640fda524cfd64dc57f111|-|-<13>1
2014-06-30T19:18:35+00:00 127.0.0.1 bro_files - - -
1404155914.745514|FzqenNpOD6C471pq3|82.166.201.187|193.16.147.2|CWegI347LkISvne9Zf|HTTP|0|MD5,SHA1|text/plain|-|0.000000|F|F|220|220|0|0|F|-|c1b50ae3ec8007adf6a02b6f748a1aac|268fe9519f4505f47c640fda524cfd64dc57f111|-|-
match => [ "message", "(?<Field6>[^|]{1,1000})
(?<Field7>[^|]{1,1000}) (?<Field8>[^|]{1,1000})
(?<ts>[^|]{1,1000})\|(?<fuid>[^|]{1,1000})\|(?<srcip>[^|]{1,1000})\|(?<dstip>[^|]{1,1000})\|(?<conn_uids>[^|]{1,1000})\|(?<proto>[^|]{1,1000})\|(?<depth>[^|]{1,1000})\|(?<analyzers>[^|]{1,1000})\|(?<mime_type>[^|]{1,1000})\|(?<filename>[^|]{1,1000})\|(?<duration>[^|]{1,1000})\|(?<local_orig>[^|]{1,1000})\|(?<isorig>[^|]{1,1000})\|(?<seen_bytes>[^|]{1,1000})\|(?<total_bytes>[^|]{1,1000})\|(?<missing_bytes>[^|]{1,1000})\|(?<overflow_bytes>[^|]{1,1000})\|(?<timeout>[^|]{1,1000})\|(?<parent_fuid>[^|]{1,1000})\|(?<md5>[^|]{1,1000})\|(?<sha1>[^|]{1,1000})\|(?<sha256>[^|]{1,1000})\|(?<extracted>[^|]{1,1000})"
]
#add link to CapMe via CapMeLauncher like this:
http://mvs-sniffer/capmelauncher/?sip=192.168.220.2&dip=65.39.139.63&spt=28642&dpt=53&time=1406952581
add_field => { "RawPackets" =>
"http://mvs-sniffer/capmelauncher/?sip=%{srcip}&dip=%{dstip}&time=%{ts}" }
}
}
if [sotool] == "bro_dhcp"{
grok {
#Sample line: <13>1 2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp -
- -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200
match => [ "message", "(?<Field6>[^|]{1,1000})
(?<Field7>[^|]{1,1000}) (?<Field8>[^|]{1,1000})
(?<ts>[^|]{1,1000})\|(?<conn_uid>[^|]{1,1000})\|(?<srcip>[^|]{1,1000})\|(?<srcport>[^|]{1,1000})\|(?<dstip>[^|]{1,1000})\|(?<dstport>[^|]{1,1000})\|(?<mac>[^|]{1,1000})\|(?<assigned_ip>[^|]{1,1000})\|(?<lease_time>[^|]{1,1000})\|(?<trans_id>[^|]{1,1000})"
]
#add link to CapMe via CapMeLauncher like this:
http://mvs-sniffer/capmelauncher/?sip=192.168.220.2&dip=65.39.139.63&spt=28642&dpt=53&time=1406952581
add_field => { "RawPackets" =>
"http://mvs-sniffer/capmelauncher/?sip=%{srcip}&dip=%{dstip}&spt=%{srcport}&dpt=%{dstport}&time=%{ts}"
}
}
}
if [sotool] == "bro_notice"{
grok {
#Sample line: <13>1 2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp -
- -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200<13>1
2014-06-30T19:18:34+00:00 127.0.0.1 bro_dhcp - - -
1404155912.351977|CqcuUeV5Rbo2B9Z9h|10.253.11.166|68|10.253.0.17|67|f0:92:1c:ee:6e:42|10.253.11.166|120.000000|2105238200
match => [ "message", "(?<Field6>[^|]{1,1000})
(?<Field7>[^|]{1,1000}) (?<Field8>[^|]{1,1000})
(?<ts>[^|]{1,1000})\|(?<conn_uid>[^|]{1,1000})\|(?<srcip>[^|]{1,1000})\|(?<srcport>[^|]{1,1000})\|(?<dstip>[^|]{1,1000})\|(?<dstport>[^|]{1,1000})\|(?<unknownField4>[^|]{1,1000})\|(?<unknownField5>[^|]{1,1000})\|(?<unknownField6>[^|]{1,1000})\|(?<unknownField7>[^|]{1,1000})\|(?<notice_type>[^|]{1,1000})\|(?<notice_details>[^|]{1,1000})"
]
add_field => { "signatureOrNoticeType" => "%{notice_type}" }
#add link to CapMe via CapMeLauncher like this:
http://mvs-sniffer/capmelauncher/?sip=192.168.220.2&dip=65.39.139.63&spt=28642&dpt=53&time=1406952581
add_field => { "RawPackets" =>
"http://mvs-sniffer/capmelauncher/?sip=%{srcip}&dip=%{dstip}&spt=%{srcport}&dpt=%{dstport}&time=%{ts}"
}
}
}
if [sotool] == "bro_ssl"{
grok {
#Sample line: <13>1 2014-07-14T04:07:28+00:00 127.0.0.1 bro_ssl - -
-
1405310847.046910|CSawqH3ECFwLvDmKka|193.16.147.2|20606|23.212.210.217|443|TLSv11|TLS_RSA_WITH_AES_256_CBC_SHA|-|-|CN=itunes.apple.com,OU=Internet
Services Operations for Akamai,O=Apple Inc.,street=1 Infinite
Loop,L=Cupertino,ST=California,postalCode=95014,C=US,serialNumber=C0806592,businessCategory=Private
Organization,1.3.6.1.4.1.311.60.2.1.2=#130A43616C69666F726E69|61,1.3.6.1.4.1.311.60.2.1.3=#13025553CN=VeriSign
Class 3 Extended Validation SSL SGC CA,OU=Terms of use at
https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\,
Inc.,C=US|1398038400.000000|1461196799.000000|-|-|-|d2ca3d7bc3aafeea9919627fb7ea32a9|ok
match => [ "message", "(?<Field6>[^| ]{1,1000}) (?<Field7>[^|
]{1,1000}) (?<Field8>[^| ]{1,1000}) (?<ts>[^| ]{1,1000})\|(?<uid>[^|
]{1,1000})\|(?<srcip>[^| ]{1,1000})\|(?<srcport>[^| ]{1,1000})\|(?<dstip>[^|
]{1,1000})\|(?<dstport>[^| ]{1,1000})\|(?<sslVersion>[^|
]{1,1000})\|(?<cipherString>[^| ]{1,1000})\|(?<serverName>[^|
]{1,1000})\|(?<sessionId>[^|
]{1,1000})\|(?<subject>[^|]{1,1000})\|(?<issuerSubject>[^|]{1,1000})\|(?<notValidBefore>[^|]{1,1000})\|(?<notValidAfter>[^|]{1,1000})\|(?<lastAlert>[^|]{1,1000})\|(?<clientSubject>[^|]{1,1000})\|(?<clientIssuerSubject>[^|]{1,1000})\|(?<certHash>[^|]{1,1000})\|(?<validationStatus>[^|]{1,1000})"
]
#add link to CapMe via CapMeLauncher like this:
http://mvs-sniffer/capmelauncher/?sip=192.168.220.2&dip=65.39.139.63&spt=28642&dpt=53&time=1406952581
add_field => { "RawPackets" =>
"http://mvs-sniffer/capmelauncher/?sip=%{srcip}&dip=%{dstip}&spt=%{srcport}&dpt=%{dstport}&time=%{ts}"
}
}
}
if [sotool] == "bro_software"{
grok {
#Sample line: <13>1 2014-07-14T04:57:52+00:00 127.0.0.1
bro_software - - -
1405313871.823083|10.253.31.8|-|HTTP::BROWSER|MSIE|6|0|-|-|-|Mozilla/4.0
(compatible; MSIE 6.0; MS Web Services Client Protocol 4.0.30319.1022)
match => [ "message", "(?<Field6>[^| ]{1,1000}) (?<Field7>[^|
]{1,1000}) (?<Field8>[^| ]{1,1000}) (?<ts>[^| ]{1,1000})\|(?<hostAddr>[^|
]{1,1000})\|(?<hostPort>[^| ]{1,1000})\|(?<softwareType>[^|
]{1,1000})\|(?<softwareName>[^|]{1,1000})\|(?<versionMajor>[^|
]{1,1000})\|(?<versionMinor>[^| ]{1,1000})\|(?<versionMinor2>[^|
]{1,1000})\|(?<versionMinor3>[^|
]{1,1000})\|(?<versionAddl>[^|]{1,1000})\|(?<versionUnparsed>[^|]{1,1000})" ]
}
}
if [sotool] == "bro_smtp"{
grok {
#Sample line: <13>1 2014-07-14T05:19:26+00:00 127.0.0.1 bro_smtp -
- -
1405315164.598563|CA7ZdF1QjOfNlZsvo5|10.253.0.66|30260|192.168.2.3|25|1|mvs-ms.mvs.co.il|<[email protected]>|<[email protected]>|Mon,
14 Jul 2014 05:19:20 +0000|=?windows-1255?B?4uzp+iDs5ek=?=
<[email protected]>|"'[email protected]'"
<[email protected]>,=?windows-1255?B?7uzr5CDp+fjg7Ok=?=
<[email protected]>|-|<[email protected]>|-|=?windows-1255?B?ICDn7OHpIPHg7ucg+i7mLiAzNjQ0MjUzMSAo5+wi+ik=?=|-|from
mvs-ms.mvs.co.il ([fe80::907c:da67:b9a9:1e6e]) by mvs-ms.mvs.co.il
([fe80::907c:da67:b9a9:1e6e%15]) with mapi id 14.02.0342.003; Mon, 14 Jul 2014
08:19:20 +0300|-|250 ok: Message 7784306
accepted|192.168.2.3,10.253.0.66,fe80::907c:da67:b9a9:1e6e|-|FPdvYg3iAE734I3FZb,FrhwAQ3pfLEhik3VZ3|F
match => [ "message", "(?<Field6>[^| ]{1,1000}) (?<Field7>[^|
]{1,1000}) (?<Field8>[^| ]{1,1000}) (?<ts>[^| ]{1,1000})\|(?<uid>[^|
]{1,1000})\|(?<srcip>[^| ]{1,1000})\|(?<srcport>[^| ]{1,1000})\|(?<dstip>[^|
]{1,1000})\|(?<dstport>[^| ]{1,1000})\|(?<transDepth>[^|
]{1,1000})\|(?<heloString>[^|]{1,1000})\|(?<mailFrom>[^|]{1,1000})\|(?<rcptTo>[^|]{1,5000})\|(?<date>[^|]{1,1000})\|(?<from>[^|]{1,1000})\|(?<to>[^|]{1,15000})\|(?<replyTo>[^|]{1,1000})\|(?<msgId>[^|]{1,1000})\|(?<inReplyTo>[^|]{1,1000})\|(?<subject>[^|]{1,1000})\|(?<xOriginatingIp>[^|]{1,1000})\|(?<firstReceived>[^|]{1,1000})\|(?<secondReceived>[^|]{1,1000})\|(?<lastReply>[^|]{1,1000})\|(?<path>[^|]{1,1000})\|(?<userAgent>[^|]{1,1000})\|(?<fuids>[^|]{1,1000})\|(?<isWebMail>[^|]{1,1000})"
]
#add link to CapMe via CapMeLauncher like this:
http://mvs-sniffer/capmelauncher/?sip=192.168.220.2&dip=65.39.139.63&spt=28642&dpt=53&time=1406952581
add_field => { "RawPackets" =>
"http://mvs-sniffer/capmelauncher/?sip=%{srcip}&dip=%{dstip}&spt=%{srcport}&dpt=%{dstport}&time=%{ts}"
}
}
}
if [sotool] == "bro_syslog"{
grok {
#Sample line: <13>1 2014-07-14T05:44:16+00:00 127.0.0.1 bro_syslog
- - -
1405316654.732439|CWArxl3YMYVO7OCjN4|10.253.100.15|50218|10.253.5.15|514|udp|LOCAL7|INFO|1499994:
1498129: %ISDN-6-CONNECT: Interface Serial0/3/0:0 is now connected to
0547879916 N/A
match => [ "message", "(?<Field6>[^| ]{1,1000}) (?<Field7>[^|
]{1,1000}) (?<Field8>[^| ]{1,1000}) (?<ts>[^| ]{1,1000})\|(?<uid>[^|
]{1,1000})\|(?<srcip>[^| ]{1,1000})\|(?<srcport>[^| ]{1,1000})\|(?<dstip>[^|
]{1,1000})\|(?<dstport>[^| ]{1,1000})\|(?<proto>[^| ]{1,1000})\|(?<facility>[^|
]{1,1000})\|(?<severity>[^| ]{1,1000})\|(?<message>[^|]{1,1000})" ]
#add link to CapMe via CapMeLauncher like this:
http://mvs-sniffer/capmelauncher/?sip=192.168.220.2&dip=65.39.139.63&spt=28642&dpt=53&time=1406952581
add_field => { "RawPackets" =>
"http://mvs-sniffer/capmelauncher/?sip=%{srcip}&dip=%{dstip}&spt=%{srcport}&dpt=%{dstport}&time=%{ts}"
}
}
}
if [sotool] == "bro_tunnels"{
grok {
#Sample line: <13>1 2014-07-14T06:18:45+00:00 127.0.0.1 bro_tunnels
- - -
1405318724.803894|-|10.253.13.23|0|10.253.0.17|49164|Tunnel::SOCKS|Tunnel::DISCOVER
match => [ "message", "(?<Field6>[^| ]{1,1000}) (?<Field7>[^|
]{1,1000}) (?<Field8>[^| ]{1,1000}) (?<ts>[^| ]{1,1000})\|(?<uid>[^|
]{1,1000})\|(?<srcip>[^| ]{1,1000})\|(?<srcport>[^| ]{1,1000})\|(?<dstip>[^|
]{1,1000})\|(?<dstport>[^| ]{1,1000})\|(?<tunnelType>[^|
]{1,1000})\|(?<action>[^| ]{1,1000})" ]
#add link to CapMe via CapMeLauncher like this:
http://mvs-sniffer/capmelauncher/?sip=192.168.220.2&dip=65.39.139.63&spt=28642&dpt=53&time=1406952581
add_field => { "RawPackets" =>
"http://mvs-sniffer/capmelauncher/?sip=%{srcip}&dip=%{dstip}&spt=%{srcport}&dpt=%{dstport}&time=%{ts}"
}
}
}
if [sotool] == "bro_ftp"{
grok {
#Sample line: <13>1 2014-07-14T06:25:24+00:00 127.0.0.1 bro_ftp - -
-
1405319120.878418|CZiDkg2UFROvWIxEvl|10.253.0.6|42933|68.178.254.1|21|tekbiz|<hidden>|STOR|ftp://68.178.254.1/VNC/vnc_stat.png|-|-|226|0.233
seconds (measured here), 5.81 Kbytes per second|-|-|-|-|FC7XUs2aEcJHOhRGC9
match => [ "message", "(?<Field6>[^| ]{1,1000}) (?<Field7>[^|
]{1,1000}) (?<Field8>[^| ]{1,1000}) (?<ts>[^| ]{1,1000})\|(?<uid>[^|
]{1,1000})\|(?<srcip>[^| ]{1,1000})\|(?<srcport>[^| ]{1,1000})\|(?<dstip>[^|
]{1,1000})\|(?<dstport>[^|
]{1,1000})\|(?<user>[^|]{1,1000})\|(?<password>[^|]{1,1000})\|(?<command>[^|
]{1,1000})\|(?<arg>[^|]{1,1000})\|(?<mimeType>[^|]{1,1000})\|(?<fileSize>[^|]{1,1000})\|(?<replyCode>[^|]{1,1000})\|(?<replyMsg>[^|]{1,1000})\|(?<dataChannelPassive>[^|
]{1,1000})\|(?<dataChannelOrigH>[^| ]{1,1000})\|(?<dataChannelRespH>[^|
]{1,1000})\|(?<dataChannelRespP>[^| ]{1,1000})\|(?<fuid>[^| ]{1,1000})" ]
#add link to CapMe via CapMeLauncher like this:
http://mvs-sniffer/capmelauncher/?sip=192.168.220.2&dip=65.39.139.63&spt=28642&dpt=53&time=1406952581
add_field => { "RawPackets" =>
"http://mvs-sniffer/capmelauncher/?sip=%{srcip}&dip=%{dstip}&spt=%{srcport}&dpt=%{dstport}&time=%{ts}"
}
}
}
if [sotool] == "bro_ssh"{
grok {
#Sample line:
match => [ "message", "(?<Field6>[^| ]{1,1000}) (?<Field7>[^|
]{1,1000}) (?<Field8>[^| ]{1,1000}) (?<ts>[^| ]{1,1000})\|(?<uid>[^|
]{1,1000})\|(?<srcip>[^| ]{1,1000})\|(?<srcport>[^| ]{1,1000})\|(?<dstip>[^|
]{1,1000})\|(?<dstport>[^| ]{1,1000})\|(?<status>[^|
]{1,1000})\|(?<direction>[^| ]{1,1000})\|(?<client>[^|
]{1,1000})\|(?<server>[^| ]{1,1000})\|(?<remoteLocationCountryCode>[^|
]{1,1000})\|(?<remoteLocationRegion>[^| ]{1,1000})\|(?<remoteLocationCity>[^|
]{1,1000})\|(?<remoteLocationLatitude>[^|
]{1,1000})\|(?<remoteLocationLongtitude>[^| ]{1,1000})" ]
#add link to CapMe via CapMeLauncher like this:
http://mvs-sniffer/capmelauncher/?sip=192.168.220.2&dip=65.39.139.63&spt=28642&dpt=53&time=1406952581
add_field => { "RawPackets" =>
"http://mvs-sniffer/capmelauncher/?sip=%{srcip}&dip=%{dstip}&spt=%{srcport}&dpt=%{dstport}&time=%{ts}"
}
}
}
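if [sotool] == "snort"{
#Snort alerts relayed through syslog. Two layouts occur: with and without ports after the
#addresses. Both patterns are listed under one match; grok tries them in order and stops
#at the first one that matches (the default break_on_match => true), so the port-bearing
#pattern is listed first. The earlier "break_on_match => false" let the second pattern
#match a port-bearing line as well (its [^\[\]] classes also accept "ip:port"), which --
#given grok's append behaviour for repeated captures -- produced duplicated values for
#every field, srcip and signatureName included.
grok {
#Sample line: <177>1 2014-08-27T04:38:23+00:00 127.0.0.1 snort - - [meta sequenceId="197297"] [139:1:1] sensitive_data: sensitive data global threshold exceeded [Classification: Sensitive Data was Transmitted Across the Network] [Priority: 2]: {PROTO:254} 50.115.214.132 -> 192.168.221.3
match => [
"message", "(?<Field6>[^| ]{1,1000}) (?<Field7>[^| ]{1,1000}) \[meta sequenceId=\"(?<metaSequenceId>[^|]{1,1000})\"\] \[(?<signatureId>[^\[\]]{1,1000})\] (?<signatureName>[^\[\]]{1,1000}) \[Classification: (?<classification>[^\[\]]{1,1000})\] \[Priority: (?<priority>[^\[\]]{1,1000})\]: \{(?<proto>[^\[\]]{1,1000})\} (?<srcip>[^\[\]]{1,1000}):(?<srcport>[^\[\]]{1,1000}) -> (?<dstip>[^\[\]]{1,1000}):(?<dstport>[^\[\]]{1,1000})",
"message", "(?<Field6>[^| ]{1,1000}) (?<Field7>[^| ]{1,1000}) \[meta sequenceId=\"(?<metaSequenceId>[^|]{1,1000})\"\] \[(?<signatureId>[^\[\]]{1,1000})\] (?<signatureName>[^\[\]]{1,1000}) \[Classification: (?<classification>[^\[\]]{1,1000})\] \[Priority: (?<priority>[^\[\]]{1,1000})\]: \{(?<proto>[^\[\]]{1,1000})\} (?<srcip>[^\[\]]{1,1000}) -> (?<dstip>[^\[\]]{1,1000})"
]
#Analyst pivot links. Field values are interpolated verbatim: the mutate that follows this
#block only re-encodes spaces in the Snorby URL, so a signature name containing '&', '#'
#or '%' would change the query string.
add_field => {
"signatureOrNoticeType" => "%{signatureName}"
"RawPackets" => "http://mvs-sniffer/capmelauncher/?time=%{@timestamp}&sip=%{srcip}&dip=%{dstip}&spt=%{srcport}&dpt=%{dstport}"
"Snorby" => "https://onion:444/results?title=%{signatureName}&match_all=true&search%5B0%5D%5Bcolumn%5D=signature_name&search%5B0%5D%5Benabled%5D=true&search%5B0%5D%5Boperator%5D=contains&search%5B0%5D%5Bvalue%5D=%{signatureName}"
}
}
}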
#Replace spaces with proper encoding in Snorby URLs
#Only the space character is percent-encoded here. Other reserved characters that may
#appear in the interpolated signature name ('&', '#', '%') pass through unchanged and
#would alter the query string; there is no URL-encode option in mutate, so keep this in
#mind when rule names change.
mutate {
gsub => [ "Snorby", " ", "%20" ]
}
}
}
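filter {
#F5 ASM (WAF) request-log lines. Everything up to request_status is fixed; the
#http_request_raw_base64=[...] tail is optional, so one pattern with an optional group
#replaces the two previous patterns that were identical except for that tail.
if ([type] == "syslog_f5") {
grok {
#The syslog PRI is bounded to 1-3 digits (\<[0-9]{1,3}\>). The previous \<[0-9].*\>
#ran to the last '>' in the line and then backtracked through every '>' in the request
#before settling, which is expensive on long HTML-bearing requests.
#The .{1,1000} captures (request_uri, request, content_type, user_agent) stay because
#those values legitimately contain spaces; they are the remaining backtracking cost.
#NOTE(review): %{TIMESTAMP_ISO8601:@timestamp} stores the raw string into @timestamp
#without a date filter; whether that yields a usable timestamp is version-dependent --
#verify, or capture into a scratch field and parse it with date {}.
match => [
"message", "(?<prefixNo>\<[0-9]{1,3}\>)%{INT:prefixInt} %{TIMESTAMP_ISO8601:@timestamp} %{IPORHOST:sensor} %{WORD:sotool} virtual=(?<vip>[^ ]{1,1000}) client_ip=(?<srcip>[^ ]{1,1000}) client_port=(?<srcport>[^ ]{1,1000}) host=(?<httpHostName>[^ ]{1,1000}) username=(?<httpUserName>[^ ]{1,1000}) request_uri=(?<httpRequestUri>.{1,1000}) request=(?<httpRequest>.{1,1000}) server_status=(?<httpServerStatusCode>[^ ]{1,1000}) content_type=(?<httpContentType>.{1,1000}) content_length=(?<httpContentLength>[^ ]{1,1000}) resp_time=(?<responseTime>[^ ]{1,1000}) user_agent=(?<httpUserAgent>.{1,1000}) referer=(?<httpReferer>[^ ]{1,1000}) violation=(?<wafViolation>[^ ]{1,1000}) support_id=(?<wafSupportId>[^ ]{1,1000}) web_application=(?<wafWebApplication>[^ ]{1,1000}) severity=(?<wafSeverity>[^ ]{1,1000}) attack_type=(?<wafAttackType>[^ ]{1,1000}) request_status=(?<wafRequestStatus>[^ ]{1,1000})(?: http_request_raw_base64=\[(?<wafRequestRawBase64>[^\]]{0,10000})\])?"
]
#Deep link to this request in the F5 GUI. [host] is the sender address recorded by the
#tcp input (presumably the F5 itself -- confirm); the support id comes from the log line
#and is interpolated verbatim.
add_field => { "f5_details_link" => "https://%{host}/dms/policy/frn_illegal_requests.php?custom_opened=1&mode=&filter_name=&order_by=log_time&sorting_order=desc&filter=-3&filter_account_custom=-1&filter_request_type=1&filter_violation=0&filter_violation_staging=0&filter_attack_type=0&filter_ip_type=is&filter_ip=&filter_ip_reputation=0&filter_date_range=0&filter_response_code=&filter_method=0&filter_app_id=0&filter_unblocked=0&filter_blocked=0&filter_truncated=0&filter_support_id_in=exact&filter_support_id=%{wafSupportId}&combo_severity=0&filter_country=0&filter_username=&filter_session_id=&filter_string_in=uri&filter_string=&rNumFix0=122#nonExistingAnchor" }
}
}
}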
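filter {
#Certificate inventory lines from the F5 (type f5_certs): a syslog envelope followed by
#'|'-separated key=value pairs.
if ([type] == "f5_certs") {
grok {
#Strip the envelope and keep the key=value payload in certRawInfo. The PRI is bounded
#to 1-3 digits so the regex does not backtrack over every '>' in the line.
match => [ "message", "(?<prefixNo>\<[0-9]{1,3}\>)%{INT:prefixInt} %{TIMESTAMP_ISO8601:@timestamp} (?<sensor>[A-Za-z0-9\-\.]{1,1000}) (?<sotool>[A-Za-z_0-9]{1,1000}) (?<certRawInfo>.*)" ]
}
#Each pair becomes a field named after its key, e.g. [certificate] and [expiry].
kv {
source => "certRawInfo"
field_split => "|"
value_split => "="
trimkey => " "
}
#The expiry is read from [expiry], the field the kv filter produces. The grok that used
#to capture it as certExpiryRaw (…\|expiry=(?<certExpiryRaw>…)) had been commented out,
#so the date filter that still read certExpiryRaw never fired and certExpiryDate was
#never set. The key name is taken from that disabled pattern -- confirm it against a live
#f5_certs line. certExpiryRaw is kept as a fallback in case something else still sets it.
if [expiry] {
date {
match => [ "expiry", "MMM d HH:mm:ss YYYY z" ]
target => "certExpiryDate"
}
}
else if [certExpiryRaw] {
date {
match => [ "certExpiryRaw", "MMM d HH:mm:ss YYYY z" ]
target => "certExpiryDate"
}
}
}
}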
filter {
#CyberArk Vault syslog (type syslog_vault): one grok turns the CYBERARK key="value"
#record into vault* fields. Issuer and Station are captured as userName and srcip so the
#vault shares those field names with the other sources.
if ([type] == "syslog_vault") {
grok {
#NOTE(review): %{SYSLOGTIMESTAMP:@timestamp} stores the raw string into @timestamp
#instead of going through a date filter; whether that survives as a real timestamp
#depends on the Logstash version -- verify that vault events carry the syslog time.
#Every value is captured with [^;]{...}, so a ';' inside any quoted value stops the
#capture early, the following literal no longer lines up and the whole line is left
#unparsed (grok's failure tag is added).
match => [ "message", "%{SYSLOGTIMESTAMP:@timestamp} %{WORD:sotool}
\%CYBERARK:
MessageID=\"%{INT:vaultMessageId}\";Version=\"(?<vaultVersion>[^;]{1,1000})\";Message=\"(?<vaultMessage>[^;]{1,1000})\";Issuer=\"(?<userName>[^;]{1,1000})\";Station=\"(?<srcip>[^;]{1,1000})\";File=\"(?<vaultFile>[^;]{0,1000})\";Safe=\"(?<vaultSafe>[^;]{0,1000})\";Location=\"(?<vaultLocation>[^;]{0,1000})\";Category=\"(?<vaultMessageCategory>[^;]{0,1000})\";RequestId=\"(?<vaultRequestId>[^;]{0,1000})\";Reason=\"(?<vaultMessageReason>[^;]{0,1000})\";Severity=\"(?<vaultMessageSeverity>[^;]{1,1000})\";GatewayStation=\"(?<vaultGatewayStation>[^;]{0,1000})\";TicketID=\"(?<vaultMessageTicketId>[^;]{0,1000})\";PolicyID=\"(?<vaultPolicyId>[^;]{0,1000})\";UserName=\"(?<vaultUserName>[^;]{0,1000})\";LogonDomain=\"(?<vaultLogonDomain>[^;]{0,1000})\";Address=\"(?<vaultAddress>[^;]{0,1000})\";CPMStatus=\"(?<vaultCPMStatus>[^;]{0,1000})\";Port=\"(?<vaultPort>[^;]{0,1000})\";Database=\"(?<vaultDatabase>[^;]{0,1000})\";DeviceType=\"(?<vaultDeviceType>[^;]{0,1000})\";ExtraDetails=\"(?<vaultMessageExtraDetails>[^;]{0,1000})\""
]
}
}
}
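filter {
#Generic SNMP trap normalisation, applied to every snmptrap event before the per-sender
#filters below. [message] is the raw varbind dump from the trap receiver; the gsub rules
#rewrite MIB object names into short field names so the later kv splits produce usable
#keys. gsub entries are regular expressions applied in order; listing them in one array
#makes that order explicit and lets one rule with a back-reference (\1) cover every
#instance index instead of one rule per index (the old list also carried the
#DISMAN-EVENT-MIB_sysUpTimeInstance rule twice). Dots in object names are escaped so they
#match only a literal '.'.
#NOTE(review): the first rule rewrites the separator to '|'. If that needle really is a
#single space, the "INTEGER: " / "STRING: " / "IpAddress: " rules (which need a trailing
#space) and the space-containing grok below could never match afterwards -- confirm the
#character against live receiver output; it may have been a tab or newline before the
#config was mailed.
if ([type] == "snmptrap") {
mutate {
gsub => [
"message", " ", "|",
"message", "::", "_",
"message", "INTEGER: ", "",
"message", "STRING: ", "",
"message", "IpAddress: ", "",
"message", "SNMPv2-MIB_sysName\.0", "snmpSysName",
"message", "SNMPv2-MIB_snmpTrapOID\.0", "snmpTrapType",
"message", "FORTINET-FORTIGATE-MIB_", "",
"message", "FORTINET-CORE-MIB_fnGenTrapMsg\.0", "fortigateTrapMsg",
"message", "FORTINET-CORE-MIB_fnSysSerial\.0", "fortigateSerial",
"message", "DISMAN-EVENT-MIB_sysUpTimeInstance", "sysUpTimeInstance",
"message", "MAZU-MIB_alertLevel\.0", "alertLevel",
"message", "MAZU-MIB_eventRuleDescription\.0", "eventRuleDescription",
"message", "MAZU-MIB_eventRuleName\.0", "eventRuleName",
"message", "MAZU-MIB_severity\.0", "severity",
"message", "MAZU-MIB_description\.0", "description",
"message", "MAZU-MIB_eventID\.0", "eventID",
"message", "MAZU-MIB_eventURL\.0", "eventURL",
"message", "MAZU-MIB_eventStart\.0", "eventStart",
"message", "MAZU-MIB_eventSourceCount\.0", "eventSourceCount",
"message", "MAZU-MIB_eventSourceIndex\.([1-9][0-9]*)", "eventSourceCount_Index_\1",
"message", "MAZU-MIB_eventSourceName\.([1-9][0-9]*)", "eventSourceName_\1",
"message", "MAZU-MIB_eventSourceIpaddr\.([1-9][0-9]*)", "eventSourceIpaddr_\1",
"message", "MAZU-MIB_eventDestCount\.0", "eventDestCount",
"message", "MAZU-MIB_eventDestIndex\.([1-9][0-9]*)", "eventDestIndex_\1",
"message", "MAZU-MIB_eventDestName\.([1-9][0-9]*)", "eventDestName_\1",
"message", "MAZU-MIB_eventDestIpaddr\.([1-9][0-9]*)", "eventDestIpaddr_\1",
"message", "MAZU-MIB_eventProtocolCount\.0", "eventProtocolCount",
"message", "MAZU-MIB_eventProtocolIndex\.([1-9][0-9]*)", "eventProtocolIndex_\1",
"message", "MAZU-MIB_eventProtocolName\.([1-9][0-9]*)", "eventProtocolName_\1",
"message", "MAZU-MIB_eventProtocolId\.([1-9][0-9]*)", "eventProtocolId_\1",
"message", "MAZU-MIB_eventServiceCount\.0", "eventServiceCount",
"message", "MAZU-MIB_eventServiceIndex\.([1-9][0-9]*)", "eventServiceIndex_\1",
"message", "MAZU-MIB_eventServiceName\.([1-9][0-9]*)", "eventServiceName_\1",
"message", "MAZU-MIB_eventServiceProto\.([1-9][0-9]*)", "eventServiceProto_\1",
"message", "MAZU-MIB_eventServicePort\.([1-9][0-9]*)", "eventServicePort_\1",
"message", "MAZU-MIB_eventCurrentConns\.0", "eventCurrentConns"
]
}
#Connection envelope the trap receiver writes in front of the varbinds; snmpTrapSrcip is
#what the per-sender filters below switch on.
#NOTE(review): the SNMP community string is captured into [snmpCommunity] and therefore
#indexed. For SNMP v1/v2c it is the authentication secret and becomes readable by every
#Kibana user; consider not capturing it, or dropping the field before output.
#NOTE(review): [A-Z0-2] for trapSecurityContextHead looks like a typo for [A-Z0-9]; left
#unchanged because it was not checked against live data.
grok {
match => [
"message", "\|connectionInfo=(?<proto>[A-Za-z]{1,1000}): \[%{IP:snmpTrapSrcip}\]:%{INT:snmpTrapSrcport}->\[%{IP:snmpTrapDstip}\]:%{INT:snmpTrapDstport}\|uptime=%{INT:uptime}\|enterprise=(?<snmpTrapEnterprise>[A-Za-z0-9_\-\.]{0,1000})\|trapType=%{INT:trapType}\|trapSubType=(?<trapSubType>[^\|]{0,1000})\|securityContext=(?<trapSecurityContextHead>[A-Z0-2]{0,1000}), SNMP v(?<snmpTrapVersion>[0-9a-z]{0,1000}), community (?<snmpCommunity>[A-Za-z0-9]{1,1000})\|description=(?<snmpTrapDescription>[A-Za-z0-9 ]{0,1000})"
]
}
}
}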
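filter {
#FortiGate traps, identified by sender address. Parentheses make the grouping explicit:
#"and" binds tighter than "or", so the previous "a and b or c" read as (a and b) or c,
#i.e. the second address was accepted regardless of [type].
if ( [type] == "snmptrap" and ( [snmpTrapSrcip] == "10.253.0.251" or [snmpTrapSrcip] == "10.253.0.156" ) ) {
mutate {
add_field => { "sotool" => "snmptrapd_fortigate" }
}
#Everything after attribValuePairs= is the varbind list.
grok {
match => [ "message", "\|attribValuePairs=(?<attribValuePairs>.*)" ]
}
#First split: '|'-separated varbinds into fields named after the objects as renamed by the
#generic snmptrap filter, which yields [fortigateTrapMsg] among others.
kv {
source => "attribValuePairs"
field_split => "|"
value_split => "="
trimkey => " "
}
#Second split: the FortiGate message body is itself a space-separated key=value list with
#quoted values; trim removes the quote (and backslash) characters around each value.
kv {
source => "fortigateTrapMsg"
field_split => " "
value_split => "="
trim => "\\\""
trimkey => " "
}
}
}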
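filter {
#Riverbed/Mazu NetProfiler traps (one sender) and F5 traps (two senders), selected by the
#source address the generic snmptrap filter extracted. Parentheses in the F5 condition
#make the grouping explicit: "and" binds tighter than "or", so the previous "a and b or c"
#read as (a and b) or c and accepted the second address regardless of [type].
if ( [type] == "snmptrap" and [snmpTrapSrcip] == "10.253.0.173" ) {
mutate {
add_field => { "sotool" => "snmptrapd_netProfiler" }
}
grok {
match => [ "message", "\|attribValuePairs=(?<attribValuePairs>.*)" ]
}
#The generic filter already shortened the MAZU-MIB object names, so this split yields
#fields such as [eventURL] and [sysUpTimeInstance] directly.
kv {
source => "attribValuePairs"
field_split => "|"
value_split => "="
trim => " "
trimkey => " "
}
#Uptime, most specific layout first (grok stops at the first pattern that matches).
grok {
match => [
"sysUpTimeInstance", "Timeticks:\(%{INT:sysUptimeTicks}\)%{INT:sysUptimeDays}days,%{INT:sysUptimeHours}:%{INT:sysUptimeMinutes}:%{INT:sysUptimeSeconds}.%{INT:sysUptimeMsecs}",
"sysUpTimeInstance", "Timeticks:\(%{INT:sysUptimeTicks}\)%{INT:sysUptimeHours}:%{INT:sysUptimeMinutes}:%{INT:sysUptimeSeconds}.%{INT:sysUptimeMsecs}",
"sysUpTimeInstance", "Timeticks:\(%{INT:sysUptimeTicks}\)"
]
}
#Strip quote and ';' characters from the event URL (both rules in one list, applied in order).
mutate {
gsub => [
"eventURL", "\"", "",
"eventURL", ";", ""
]
}
}
else if ( [type] == "snmptrap" and ( [snmpTrapSrcip] == "192.168.2.10" or [snmpTrapSrcip] == "192.168.2.9" ) ) {
mutate {
add_field => { "sotool" => "snmptrapd_f5" }
}
grok {
#NOTE(review): the '|' between varbinds in these patterns is unescaped, so each entry is
#a regex alternation rather than one sequence. In addition, the generic snmptrap filter
#has already rewritten DISMAN-EVENT-MIB_sysUpTimeInstance and SNMPv2-MIB_snmpTrapOID.0 in
#[message] (to sysUpTimeInstance / snmpTrapType, the names the vault block below uses),
#so as far as the visible config shows the uptime and f5TrapType alternatives can no
#longer match; what fires is the F5-BIGIP-COMMON-MIB_bigipNotifyObjMsg alternative of the
#first entry that has one. The pool-member entry (first below) has no such alternative
#and is effectively dead, and sysUptime*/f5TrapType are not produced for F5 traps.
#Left unchanged because rewriting it needs a live trap to confirm the separators; when
#fixing, escape the separators as \| and use the post-gsub object names.
match => [
"message", "\|attribValuePairs=DISMAN-EVENT-MIB_sysUpTimeInstance = Timeticks: \(%{INT:sysUptimeTicks}\) %{INT:sysUptimeDays} days, %{INT:sysUptimeHours}:%{INT:sysUptimeMinutes}:%{INT:sysUptimeSeconds}.%{INT:sysUptimeMsecs}|SNMPv2-MIB_snmpTrapOID.0 = OID: F5-BIGIP-COMMON-MIB_%{WORD:f5TrapType} F5-BIGIP-COMMON-MIB_bigipNotifyObjMsg = Pool (?<f5PoolName>.*) member (?<f5PoolMemberName>.*) monitor status %{WORD:f5PoolMemberStatus}. \[ (?<f5PoolMemberDetailedStatus>[^\]]{1,1000}) \] \[ was down for %{INT:f5PoolMemberDownForHours}hr:%{INT:f5PoolMemberDownForMinutes}min:%{INT:f5PoolMemberDownForSecs}sec \] F5-BIGIP-COMMON-MIB_bigipNotifyObjNode = (?<f5NodeName>[/a-zA-Z0-9\._]{1,1000}) F5-BIGIP-COMMON-MIB_bigipNotifyObjPort = %{INT:f5NodePort}",
"message", "\|attribValuePairs=DISMAN-EVENT-MIB_sysUpTimeInstance = Timeticks: \(%{INT:sysUptimeTicks}\) %{INT:sysUptimeDays} days, %{INT:sysUptimeHours}:%{INT:sysUptimeMinutes}:%{INT:sysUptimeSeconds}.%{INT:sysUptimeMsecs}|SNMPv2-MIB_snmpTrapOID.0 = OID: F5-BIGIP-COMMON-MIB_%{WORD:f5TrapType}|F5-BIGIP-COMMON-MIB_bigipNotifyObjMsg = \[%{WORD:f5TrapMessageType}\] Request (?<wafRequestStatus>[A-Za-z ]{1,1000}), violations: (?<wafViolation>.*). HTTP protocol compliance sub violations: (?<wafProtocolViolation>.*). Evasion techniques sub violations: (?<wafEvasionViolation>.*). Web services security sub violations: (?<wafWebServicesViolation>.*). Virus name: (?<wafVirusName>.*). Support id: %{INT:wafSupportId}, source ip: %{IP:srcip}, xff ip: %{IP:xffip}, source port: %{INT:srcport}, destination ip: %{IP:dstip}, destination port: %{INT:dstport}, route_domain: %{INT:f5RouteDomain}, HTTP classifier: (?<f5HttpClassifier>.*), scheme %{WORD:f5Scheme}, geographic location: <%{WORD:f5SrcGeoLocation}>, request: <(?<httpRequest>.*)>, username: <(?<httpUserName>.*)>, session_id: <(?<httpSession>.*)>",
"message", "\|attribValuePairs=DISMAN-EVENT-MIB_sysUpTimeInstance = Timeticks: \(%{INT:sysUptimeTicks}\) %{INT:sysUptimeHours}:%{INT:sysUptimeMinutes}:%{INT:sysUptimeSeconds}.%{INT:sysUptimeMsecs}|SNMPv2-MIB_snmpTrapOID.0 = OID: F5-BIGIP-COMMON-MIB_%{WORD:f5TrapType}|F5-BIGIP-COMMON-MIB_bigipNotifyObjMsg = SNMP_TRAP: Virtual (?<f5VipName>.*) has become %{WORD:f5VipStatus}",
"message", "\|attribValuePairs=DISMAN-EVENT-MIB_sysUpTimeInstance = Timeticks: \(%{INT:sysUptimeTicks}\) %{INT:sysUptimeDays} days, %{INT:sysUptimeHours}:%{INT:sysUptimeMinutes}:%{INT:sysUptimeSeconds}.%{INT:sysUptimeMsecs}|SNMPv2-MIB_snmpTrapOID.0 = OID: F5-BIGIP-COMMON-MIB_%{WORD:f5TrapType}|F5-BIGIP-COMMON-MIB_bigipNotifyObjMsg = (?<trapMessageText>.*)|SNMPv2-MIB_snmpTrapEnterprise.0 = OID: F5-BIGIP-COMMON-MIB_bigipNotification",
"message", "\|attribValuePairs=DISMAN-EVENT-MIB_sysUpTimeInstance = Timeticks: \(%{INT:sysUptimeTicks}\) %{INT:sysUptimeHours}:%{INT:sysUptimeMinutes}:%{INT:sysUptimeSeconds}.%{INT:sysUptimeMsecs}|SNMPv2-MIB_snmpTrapOID.0 = OID: F5-BIGIP-COMMON-MIB_(?<f5TrapType>[A-Za-z\.0-9]{0,1000})|F5-BIGIP-COMMON-MIB_bigipNotifyObjMsg = Script execution finished. Script name: (?<f5ScriptName>[/a-zA-Z0-9\._]{0,1000})\. Exit status: %{INT:f5ScriptExitStatusCode}"
]
}
#Deep link to the request in the F5 GUI, only when a WAF support id was extracted. The
#sender address is used as the host part; the support id is interpolated verbatim.
if ( [wafSupportId] =~ /.+/ ) {
mutate {
add_field => { "f5_details_link" => "https://%{snmpTrapSrcip}/dms/policy/frn_illegal_requests.php?custom_opened=1&mode=&filter_name=&order_by=log_time&sorting_order=desc&filter=-3&filter_account_custom=-1&filter_request_type=1&filter_violation=0&filter_violation_staging=0&filter_attack_type=0&filter_ip_type=is&filter_ip=&filter_ip_reputation=0&filter_date_range=0&filter_response_code=&filter_method=0&filter_app_id=0&filter_unblocked=0&filter_blocked=0&filter_truncated=0&filter_support_id_in=exact&filter_support_id=%{wafSupportId}&combo_severity=0&filter_country=0&filter_username=&filter_session_id=&filter_string_in=uri&filter_string=&rNumFix0=122#nonExistingAnchor" }
}
}
}
}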
filter {
#Trap senders not covered by the per-sender filters above: the CyberArk vault sender gets
#its own parsing; every other snmptrap event is labelled with its source address.
if ( [type] == "snmptrap" ) {
if ( [snmpTrapSrcip] == "192.168.221.220" ) {
#NOTE(review): this gsub rewrites the separator to '|' a second time (the generic
#snmptrap filter already did so); if the needle really is a plain space, the grok below,
#which expects spaces around '=' and after "Timeticks:", could not match -- confirm the
#character against live receiver output.
mutate {
add_field => { "sotool" => "snmptrapd_vault" }
gsub => [ "message", " ", "|" ]
}
#Uses the object names as rewritten by the generic snmptrap filter (sysUpTimeInstance,
#snmpTrapType); the CYBER-ARK-MIB_ prefix is still present at this point.
grok {
match => [ "message", "\|attribValuePairs=sysUpTimeInstance =
Timeticks: \(%{INT:sysUptimeTicks}\) %{INT:sysUptimeDays} days,
%{INT:sysUptimeHours}:%{INT:sysUptimeMinutes}:%{INT:sysUptimeSeconds}.%{INT:sysUptimeMsecs}\|snmpTrapType
= OID: CYBER-ARK-MIB_(?<snmpTrapType>[^\|]{1,1000})" ]
}
#Per-notification payloads; unknown notification types are only tagged.
if ( [snmpTrapType] == "osCpuUsageNotification" ) {
grok {
match => [ "message", "\|CYBER-ARK-MIB_osCpuUsage =
\"%{NUMBER:cyberArkCpuUsage}\"" ]
}
#Convert the captured string to a numeric field.
mutate {
convert => [ "cyberArkCpuUsage", "float" ]
}
}
else if ( [snmpTrapType] == "paVaultLogInfoNotification" ) {
#The log record is split into its date, time and message parts.
grok {
match => [ "message", "\|CYBER-ARK-MIB_paVaultLogName =
\"(?<cyberArkVaultLogName>[^\"]{1,1000})\"\|CYBER-ARK-MIB_paVaultLogSource =
\"(?<cyberArkVaultLogSourceName>[^\"]{0,1000})\"\|CYBER-ARK-MIB_paVaultLogRecord
= \"(?<cyberArkVaultLogMessageDate>[0-9/]{0,10})
(?<cyberArkVaultLogMessageTime>[0-9:]{0,8})
(?<cyberArkVaultLogMessage>[^\"]{0,1000})" ]
}
}
else {
#NOTE(review): add_field on "tags" works, but add_tag is the usual way to tag an event.
mutate {
add_field => { "tags" => "snmptrapd_vault_unknown_subtype" }
}
}
}
else {
#NOTE(review): this branch also runs for the FortiGate, NetProfiler and F5 senders that
#the earlier filters already labelled. add_field on an existing field appends rather
#than replaces, so their [sotool] would end up as a two-element array (for example
#snmptrapd_fortigate plus snmptrapd_fortigate_<ip>). Guard with "if ![sotool]" if a
#single value is intended -- verify in Kibana first.
mutate {
add_field => { "sotool" => "%{sotool}_%{snmpTrapSrcip}" }
}
}
}
}
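#GeoIP Assignments - SOURCE IP
filter {
#Internal ranges get fixed site coordinates because the GeoIP database cannot place
#RFC1918 space; any other dotted-quad value is resolved with the geoip filter (values
#that are not dotted-quad IPv4, e.g. IPv6, are left without a location).
#The prefixes are anchored with ^ so that a public address such as 210.253.136.x
#(constructed example) is no longer matched as a substring of the 10.253.136.x rule.
#The long list of /24s that share one location is folded into a single alternation; the
#previous list named 10.253.0.x twice.
if [srcip] =~ /^10\.253\.136\./ {
mutate {
add_field => { "srcIpGeo.location" => [34.959167,32.788611] }
}
}
else if [srcip] =~ /^10\.253\.146\./ {
mutate {
add_field => { "srcIpGeo.location" => [34.870728,32.000733] }
}
}
else if [srcip] =~ /^10\.253\.140\./ {
mutate {
add_field => { "srcIpGeo.location" => [34.999214,32.812191] }
}
}
else if [srcip] =~ /^10\.253\.128\./ {
mutate {
add_field => { "srcIpGeo.location" => [34.848254,32.093627] }
}
}
else if [srcip] =~ /^10\.253\.144\./ {
mutate {
add_field => { "srcIpGeo.location" => [35.215627,31.781056] }
}
}
else if [srcip] =~ /^10\.253\.1\./ {
mutate {
add_field => { "srcIpGeo.location" => [34.966301,32.770949] }
}
}
else if [srcip] =~ /^10\.253\.(0|11|12|13|14|15|16|19|21|22|23|24|25|26|31|32|33|34|35|36|41|42|43|44|45|46|51|52|53|54|55|56|81|82|83|84|85|86)\./ or [srcip] =~ /^192\.168\.(2|220|221)\./ {
#All remaining internal /24s share one location.
mutate {
add_field => { "srcIpGeo.location" => [34.849950,32.094959] }
}
}
else if [srcip] =~ /[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ {
geoip {
source => [srcip]
target => [srcIpGeo]
}
}
}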
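#GeoIP Assignments - DESTINATION IP
filter {
#Same site mapping as for the source address: internal ranges get fixed coordinates,
#any other dotted-quad value goes through the geoip filter (values that are not
#dotted-quad IPv4, e.g. IPv6, are left without a location).
#The prefixes are anchored with ^ so that a public address such as 210.253.136.x
#(constructed example) is no longer matched as a substring of the 10.253.136.x rule.
#The long list of /24s that share one location is folded into a single alternation; the
#previous list named 10.253.0.x twice.
if [dstip] =~ /^10\.253\.136\./ {
mutate {
add_field => { "dstIpGeo.location" => [34.959167,32.788611] }
}
}
else if [dstip] =~ /^10\.253\.146\./ {
mutate {
add_field => { "dstIpGeo.location" => [34.870728,32.000733] }
}
}
else if [dstip] =~ /^10\.253\.140\./ {
mutate {
add_field => { "dstIpGeo.location" => [34.999214,32.812191] }
}
}
else if [dstip] =~ /^10\.253\.128\./ {
mutate {
add_field => { "dstIpGeo.location" => [34.848254,32.093627] }
}
}
else if [dstip] =~ /^10\.253\.144\./ {
mutate {
add_field => { "dstIpGeo.location" => [35.215627,31.781056] }
}
}
else if [dstip] =~ /^10\.253\.1\./ {
mutate {
add_field => { "dstIpGeo.location" => [34.966301,32.770949] }
}
}
else if [dstip] =~ /^10\.253\.(0|11|12|13|14|15|16|19|21|22|23|24|25|26|31|32|33|34|35|36|41|42|43|44|45|46|51|52|53|54|55|56|81|82|83|84|85|86)\./ or [dstip] =~ /^192\.168\.(2|220|221)\./ {
#All remaining internal /24s share one location.
mutate {
add_field => { "dstIpGeo.location" => [34.849950,32.094959] }
}
}
else if [dstip] =~ /[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ {
geoip {
source => [dstip]
target => [dstIpGeo]
}
}
}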
#Adding mobile devices info (Parsing UserAgent - especially Apple's) - See this link: http://justworks.ca/blog/4c1-the-obscure-ios-user-agent-strings
filter {
#Device types
if ([httpUserAgent] =~ /Apple\-iPhone\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPhone3G/S" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPhone1C2\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPhone3G" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPhone2C1\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPhone3GS" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPhone3C1\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPhone4_GSM" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPhone3C2\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPhone4_GSM" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPhone3C3\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPhone4_CDMA" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPhone4C1\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPhone4S" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPhone5C1\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPhone5_GSM" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPhone5C2\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPhone5_CDMA" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPhone5C3\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPhone5C_GSM" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPhone5C4\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPhone5C_CDMA" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPhone6C1\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPhone5S_GSM" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPhone6C2\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPhone5S_CDMA" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPhone7C2\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPhone6" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPod2C1\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPodTouch2ndGen" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPod3C1\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPodTouch3rdGen" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPod4C1\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPodTouch4thGen" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPod5C1\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPodTouch5thGen" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPad1C1\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPad" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPad2C1\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPad2WiFi" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPad2C2\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPad2WiFi3G_GSM" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPad2C3\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPad2WiFi3G_CDMA" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPad2C4\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPadMiniWiFi" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPad2C5\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPadMiniWiFiLTE" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPad2C7\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPadMiniWiFi_Cell" } #Don't
know yet if it's really GSM... categorizing as Cell. If at some point in the
future I will know that I will change the categorization. (YK, 2015-01-22T15:19)
}
}
else if ([httpUserAgent] =~ /Apple\-iPad3C1\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPad3WiFi" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPad3C2\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPad3WiFi4G" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPad3C3\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPad3WiFi4G" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPad3C4\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPad4WiFi" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPad3C5\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPad4WiFi_GSM_NA_LTE" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPad3C6\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPad4WiFi_CDMA_LTE" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPad4C1\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPadAirWiFi" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPad4C2\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPadAirWiFiLTE" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPad4C4\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPadMiniRetinaWiFi" }
}
}
else if ([httpUserAgent] =~ /Apple\-iPad4C5\/.*/){
mutate {
add_field => { "mobile_device_type" => "Apple-iPadMiniRetinaWiFiLTE" }
}
}
else {
mutate {
add_field => { "mobile_device_type" => "unknown" }
}
}
#OS Versions - the Apple-<model>/<build>] agent string carries an iOS build number; the build-to-version table below follows http://justworks.ca/blog/4c1-the-obscure-ios-user-agent-strings
#2.x.x
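#Map the iOS build number in an Apple-<model>/<build>] agent string to an iOS
#version. Matching is first-match-wins, so any pattern that uses '.' as a
#wildcard must come AFTER every more specific pattern it would also match:
#`1002\.14.\]` (6.1) also matches 1002.146, so the 6.1.2 test has to precede
#it - in the opposite order the 6.1.2 branch can never be reached.
#The table ends at 8.1.2; any build not listed (including every newer
#release) is labelled "unknown" rather than dropped, so extend the chain when
#new builds appear.
#NOTE(review): httpUserAgent is client-supplied, so mobile_device_os is a
#claim made by the client, not a verified fact - fine for reporting, not for
#trust or access decisions.
#2.x.x
if ([httpUserAgent] =~ /Apple-.*\/501\.347\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_2" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/502\.108\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_2.0.1" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/503\.001\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_2.0.2" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/505\.138\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_2.1.1" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/506\.136\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_2.1" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/507\.077\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_2.2" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/508\.11\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_2.2.1" }
  }
}
#3.x.x
else if ([httpUserAgent] =~ /Apple-.*\/701\.341\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_3" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/701\.400\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_3.0.1" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/703\.144\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_3.1" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/704\.011\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_3.1.2" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/705\.018\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_3.1.3" }
  }
}
#4.x.x
else if ([httpUserAgent] =~ /Apple-.*\/801\.293\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_4" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/801\.306\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_4.0.1" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/801\.400\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_4.0.2" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/802\.117\]/ or [httpUserAgent] =~ /Apple-.*\/802\.118\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_4.1" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/803\.148\]/ or [httpUserAgent] =~ /Apple-.*\/803\.14800001\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_4.2.1" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/805\.128\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_4.2.5" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/805\.200\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_4.2.6" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/805\.303\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_4.2.7" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/805\.401\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_4.2.8" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/805\.501\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_4.2.9" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/805\.600\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_4.2.10" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/806\.190\]/ or [httpUserAgent] =~ /Apple-.*\/806\.191\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_4.3" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/807\.4\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_4.3.1" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/808\.7\]/ or [httpUserAgent] =~ /Apple-.*\/808\.8\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_4.3.2" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/810\.2\]/ or [httpUserAgent] =~ /Apple-.*\/810\.3\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_4.3.3" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/811\.2\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_4.3.4" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/812\.1\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_4.3.5" }
  }
}
#5.x.x
else if ([httpUserAgent] =~ /Apple-.*\/901\.334\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_5" }
  }
}
#'.' before ']' is a deliberate one-character wildcard: several builds share
#the same version here.
else if ([httpUserAgent] =~ /Apple-.*\/901\.40.\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_5.0.1" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/902\.17.\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_5.1" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/902\.206\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_5.1.1" }
  }
}
#6.x.x
else if ([httpUserAgent] =~ /Apple-.*\/1001\.40.\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_6" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/1001\.52.\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_6.0.1" }
  }
}
#6.1.2 (exact build) must be tested before the wildcard 6.1 pattern below,
#which would otherwise swallow it.
else if ([httpUserAgent] =~ /Apple-.*\/1002\.146\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_6.1.2" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/1002\.14.\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_6.1" }
  }
}
else if ([httpUserAgent] =~ /Apple-.*\/1002\.329\]/ or [httpUserAgent] =~ /Apple-.*\/1002\.350\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_6.1.3" }
  }
}
#7.x.x
else if ([httpUserAgent] =~ /Apple\-.*\/1101\.465\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_7.0" }
  }
}
else if ([httpUserAgent] =~ /Apple\-.*\/1101\.470\]/ or [httpUserAgent] =~ /Apple\-.*\/1101\.47000001\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_7.0.1" }
  }
}
else if ([httpUserAgent] =~ /Apple\-.*\/1101\.501\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_7.0.2" }
  }
}
else if ([httpUserAgent] =~ /Apple\-.*\/1102\.511\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_7.0.3" }
  }
}
else if ([httpUserAgent] =~ /Apple\-.*\/1102\.55400001\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_7.0.4" }
  }
}
else if ([httpUserAgent] =~ /Apple\-.*\/1102\.601\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_7.0.5" }
  }
}
else if ([httpUserAgent] =~ /Apple\-.*\/1102\.651\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_7.0.6" }
  }
}
else if ([httpUserAgent] =~ /Apple\-.*\/1104\.167\]/ or [httpUserAgent] =~ /Apple\-.*\/1104\.169\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_7.1" }
  }
}
else if ([httpUserAgent] =~ /Apple\-.*\/1104\.201\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_7.1.1" }
  }
}
else if ([httpUserAgent] =~ /Apple\-.*\/1104\.257\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_7.1.2" }
  }
}
#8.x.x
else if ([httpUserAgent] =~ /Apple\-.*\/1201\.365\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_8" }
  }
}
else if ([httpUserAgent] =~ /Apple\-.*\/1201\.366\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_8.0.1" }
  }
}
else if ([httpUserAgent] =~ /Apple\-.*\/1201\.405\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_8.0.2" }
  }
}
else if ([httpUserAgent] =~ /Apple\-.*\/1202\.411\]/ or [httpUserAgent] =~ /Apple\-.*\/1202\.410\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_8.1" }
  }
}
else if ([httpUserAgent] =~ /Apple\-.*\/1202\.436\]/ or [httpUserAgent] =~ /Apple\-.*\/1202\.435\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_8.1.1" }
  }
}
else if ([httpUserAgent] =~ /Apple\-.*\/1202\.440\]/ or [httpUserAgent] =~ /Apple\-.*\/1202\.445\]/){
  mutate {
    add_field => { "mobile_device_os" => "IOS_8.1.2" }
  }
}
#Anything not listed above (non-Apple agents, unlisted or newer builds).
else {
  mutate {
    add_field => { "mobile_device_os" => "unknown" }
  }
}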
}
#Formatting the CapMe url link
#Formatting the CapMe url link
filter {
mutate {
#RawPackets is placed inside a CapMe URL, so literal spaces have to be
#percent-encoded or the link breaks.
#NOTE(review): only the space character is rewritten here. Every other
#URL-significant character that may occur in RawPackets ('"', '<', '>',
#'&', '#', '%', '+') passes through unchanged. If the field can carry
#client-controlled text this is not enough to keep the generated link
#well-formed or safe - confirm what RawPackets holds and escape it fully.
gsub => [
# replace spaces with proper encoding in CapMe URLs
"RawPackets", " ", "%20"
]
}
}
#NOTE: The version string below is automatically changed to the current date by the /shared/scripts/apply-ls script.
#DO NOT CHANGE THIS MANUALLY - YOUR CHANGE WILL BE OVERWRITTEN !!
#Stamp every event with the version of this filter file, so that an indexed
#document can be tied back to the rule set that parsed it (useful when a
#field changes meaning between filter revisions).
filter {
mutate {
#Value is generated by the apply-ls script: date tag plus epoch seconds.
add_field => { "logstash_filters_version" =>
"ver_2015-02-09T05-51-05(1423453865)" }
}
}
#NOTE: The cluster name below is automatically rewritten by the /shared/scripts/edit-ls script.
#DO NOT CHANGE THIS MANUALLY - YOUR CHANGE WILL BE OVERWRITTEN !!
#Ship events to the local Elasticsearch node over HTTP. No index => is set,
#so the plugin's default index naming applies.
#NOTE(review): the connection is plain HTTP with no credentials, which is
#only acceptable because the target is localhost; if host is ever pointed at
#a remote node, put TLS and authentication in front of it.
#NOTE(review): this is the pipeline's only output. In Logstash 1.x a stalled
#or rejecting Elasticsearch back-pressures the filter and input stages, so
#ingest appears to stop without this file being at fault; the commented-out
#file output below gives an independent local record to compare rates
#against while troubleshooting.
output {
elasticsearch {
host => "localhost"
#NOTE(review): cluster is consulted for discovery by the node/transport
#protocols; with protocol => http it appears to have no effect - confirm
#against the plugin docs for this version.
cluster => "mvs-es-test"
protocol => http
#embedded => false
#protocol => node
}
}
#output {
# file {
# path => "/srv/logstash/logstash-backlog_%{+YYYY-MM-dd}.log"
# }
#}
