If you are asking for Syslog from Bro, following is:
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path syslog
#open 2019-02-26-00-00-00
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto facility
severity message
#types time string addr port addr port enum string string string
1551121201.339249 CEyre817MtElGE642a 10.2.2.1 514 172.16.4.18 514 udp LOCAL5
NOTICE Feb 26 00:00:01 suricata[1546]: [Drop] [1:51000003:0]
OPN_Social_Media - Facebook - DNS request for facebook.com [Classification:
Social-Media app detection by OPNsense] [Priority: 2] {UDP} 10.2.2.153:39445
-> 8.8.8.8:53
On Tue, Feb 26, 2019 at 10:32 AM Farrukh Naveed Anjum <
[email protected]> wrote:
> {
> "_index": "bro_index_2019.02.26.10",
> "_type": "bro_doc",
> "_id": "2ecb0750-00c5-4617-95d7-eeaba539d12d",
> "_version": 1,
> "_score": null,
> "_source": {
> "bro_timestamp": "1551159048.102709",
> "ip_dst_port": 514,
> "adapter:geoadapter:begin:ts": "1551159049014",
> "parallelenricher:enrich:end:ts": "1551159049017",
> "uid": "CEyre817MtElGE642a",
> "protocol": "syslog",
> "source:type": "bro",
> "adapter:threatinteladapter:end:ts": "1551159049016",
> "original_string": "SYSLOG | severity:NOTICE uid:CEyre817MtElGE642a
> id.orig_p:514 id.resp_p:514 proto:udp id.orig_h:10.2.2.1 message:Feb 26
> 10:30:48 suricata[1546]: [Drop] [1:51000003:0] OPN_Social_Media - Facebook
> - DNS request for facebook.com [Classification: Social-Media app
> detection by OPNsense] [Priority: 2] {UDP} 10.2.2.115:25269 -> 8.8.8.8:53
> facility:LOCAL5 ts:1551159048.102709 id.resp_h:172.16.4.18",
> "ip_dst_addr": "172.16.4.18",
> "adapter:hostfromjsonlistadapter:end:ts": "1551159049014",
> "adapter:geoadapter:end:ts": "1551159049015",
> "ip_src_addr": "10.2.2.1",
> "timestamp": 1551159048102,
> "severity": "NOTICE",
> "parallelenricher:enrich:begin:ts": "1551159049016",
> "adapter:hostfromjsonlistadapter:begin:ts": "1551159049014",
> "message": "Feb 26 10:30:48 suricata[1546]: [Drop] [1:51000003:0]
> OPN_Social_Media - Facebook - DNS request for facebook.com
> [Classification: Social-Media app detection by OPNsense] [Priority: 2]
> {UDP} 10.2.2.115:25269 -> 8.8.8.8:53",
> "parallelenricher:splitter:begin:ts": "1551159049016",
> "ip_src_port": 514,
> "proto": "udp",
> "parallelenricher:splitter:end:ts": "1551159049016",
> "adapter:threatinteladapter:begin:ts": "1551159049016",
> "guid": "2ecb0750-00c5-4617-95d7-eeaba539d12d",
> "facility": "LOCAL5"
> },
> "fields": {
> "parallelenricher:enrich:begin:ts": [
> 1551159049016
> ],
> "adapter:geoadapter:begin:ts": [
> 1551159049014
> ],
> "adapter:hostfromjsonlistadapter:begin:ts": [
> 1551159049014
> ],
> "parallelenricher:enrich:end:ts": [
> 1551159049017
> ],
> "parallelenricher:splitter:begin:ts": [
> 1551159049016
> ],
> "adapter:threatinteladapter:end:ts": [
> 1551159049016
> ],
> "adapter:hostfromjsonlistadapter:end:ts": [
> 1551159049014
> ],
> "parallelenricher:splitter:end:ts": [
> 1551159049016
> ],
> "adapter:threatinteladapter:begin:ts": [
> 1551159049016
> ],
> "adapter:geoadapter:end:ts": [
> 1551159049015
> ],
> "timestamp": [
> 1551159048102
> ]
> },
> "highlight": {
> "original_string": [
> "SYSLOG | severity:NOTICE uid:CEyre817MtElGE642a id.orig_p:514
> id.resp_p:514 proto:udp id.orig_h:10.2.2.1 message:Feb 26 10:30:48
> suricata[1546]: [Drop] [1:51000003:0] OPN_Social_Media - Facebook - DNS
> request for facebook.com [@kibana-highlighted-field@Classification
> @/kibana-highlighted-field@: Social-Media app detection by OPNsense]
> [Priority: 2] {UDP} 10.2.2.115:25269 -> 8.8.8.8:53 facility:LOCAL5
> ts:1551159048.102709 id.resp_h:172.16.4.18"
> ]
> },
> "sort": [
> 1551159048102
> ]
> }
>
> On Thu, Feb 21, 2019 at 8:00 PM Otto Fowler <[email protected]>
> wrote:
>
>> Can you find an instance of one of these logs in Kibana or ES and give us
>> a sanitized version of that?
>>
>> On February 21, 2019 at 02:55:09, Farrukh Naveed Anjum (
>> [email protected]) wrote:
>>
>> Hi, this is the original event received by Bro:
>>
>> SYSLOG | *severity:*NOTICE uid:CN4kU02atBGK0qlA5g *id.orig_p*:514
>> *id.resp_p*:514 *proto*:udp id.orig_h:10.2.2.1 *message*:Feb 21 12:46:50
>> suricata[72280]: [Drop] [1:51000003:0] OPN_Social_Media - Facebook - DNS
>> request for facebook.com [Classification: Social-Media app detection by
>> OPNsense] [Priority: 2] {UDP} 10.2.2.236:11928 -> 114.114.114.114:53
>> *facility:*LOCAL5 ts:1550735210.67931 id.resp_h:172.16.4.18
>>
>>
>> All I am asking is to further extract *message*
>> Feb 21 12:46:50 suricata[72280]: [Drop] [1:51000003:0] OPN_Social_Media -
>> Facebook - DNS request for facebook.com [Classification: Social-Media
>> app detection by OPNsense] [Priority: 2] {UDP} 10.2.2.236:11928 ->
>> 114.114.114.114:53
>>
>> Following is the default parser for bro.
>> {
>> "parserClassName":"org.apache.metron.parsers.bro.BasicBroParser",
>> "filterClassName":null,
>> "sensorTopic":"bro",
>> "outputTopic":null,
>> "errorTopic":null,
>> "writerClassName":null,
>> "errorWriterClassName":null,
>> "readMetadata":false,
>> "mergeMetadata":false,
>> "numWorkers":null,
>> "numAckers":null,
>> "spoutParallelism":1,
>> "spoutNumTasks":1,
>> "parserParallelism":1,
>> "parserNumTasks":1,
>> "errorWriterParallelism":1,
>> "errorWriterNumTasks":1,
>> "spoutConfig":{
>>
>> },
>> "securityProtocol":null,
>> "stormConfig":{
>>
>> },
>> "parserConfig":{
>>
>> },
>> "fieldTransformations":[
>>
>> ],
>> "cacheConfig":{
>>
>> },
>> "rawMessageStrategy":"DEFAULT",
>> "rawMessageStrategyConfig":{
>>
>> }
>> }
>> Can you please tell me how I can extract *Classification*, *Priority*,
>> *UDP* (*From*) --> (*To*) IP?
>> How can I extract fields and apply the Parser Chaining to it?
>>
>> On Wed, Feb 20, 2019 at 10:08 PM Simon Elliston Ball <
>> [email protected]> wrote:
>>
>>> You might like to look into parser chaining for this:
>>> https://metron.apache.org/current-book/metron-platform/metron-parsers/ParserChaining.html
>>>
>>> Simon
>>>
>>> On 20 Feb 2019, at 16:47, Farrukh Naveed Anjum <[email protected]>
>>> wrote:
>>>
>>> Yes, I am using the BRO Parser. Can I subdivide the *message* field?
>>>
>>> On Wed, Feb 20, 2019 at 7:39 PM Otto Fowler <[email protected]>
>>> wrote:
>>>
>>>> Can you print what the fields are after parsing? These are the fields
>>>> that you will be able to use Stellar on, to possibly extract your info.
>>>> Are you using the Bro parser?
>>>>
>>>>
>>>> On February 20, 2019 at 02:14:17, Farrukh Naveed Anjum (
>>>> [email protected]) wrote:
>>>>
>>>> Hi,
>>>> I wanted to know how I can define and extract a field in the parser from
>>>> messages, with an "if it exists"-like option.
>>>>
>>>> For example, I am using Bro Syslog. Following is some sample data:
>>>>
>>>> SYSLOG | severity:ERR uid:C5oe7F5SYMWqfVKKj id.orig_p:514 id.resp_p:514
>>>> proto:udp id.orig_h:10.2.2.1 message:Feb 20 12:11:18 suricata[72950]:
>>>> [1:2000538:8] ET SCAN NMAP -sA (1) [Classification: Attempted
>>>> Information Leak] [Priority: 2] {TCP} 74.125.133.189:443 ->
>>>> 10.2.2.202:52012 facility:LOCAL5 ts:1550646678.442785
>>>> id.resp_h:172.16.4.18
>>>>
>>>> From the message field, I want to extract Classification, Priority and the
>>>> TCP From -> To IPs.
>>>>
>>>> Can I make some kind of configuration in the Bro Parser to get this
>>>> information back as
>>>>
>>>> *Classification* <String>
>>>> *Priority* <String>
>>>> *TCP* From <IP>
>>>> *TCP* To <IP>
>>>>
>>>> Any guidance will be great help.
>>>>
>>>> --
>>>> With Regards
>>>> Farrukh Naveed Anjum
>>>>
>>>>
>>>
>>> --
>>> With Regards
>>> Farrukh Naveed Anjum
>>>
>>>
>>
>> --
>> With Regards
>> Farrukh Naveed Anjum
>>
>>
>
> --
> With Regards
> Farrukh Naveed Anjum
>
--
With Regards
Farrukh Naveed Anjum
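Added example (not code from the thread, from Metron or from Bro): the extraction asked for above, done in Python over a constructed copy of the Suricata message quoted in the thread. A regex with named groups pulls Classification, Priority, protocol and source/destination IP:port, and a record is only enriched when its message actually parses, which is the "if it exists" behaviour the original question wants. The same regex can be carried into a Stellar field transformation (for instance REGEXP_GROUP_VAL, assumed to be available in the Metron release in use); the suricata_ field prefix and the function names are my own choices.

```python
import re

# Constructed sample, modelled on the Suricata alert quoted in the thread
# (same shape as the Bro syslog.log "message" column / Metron "message" field).
SAMPLE_MESSAGE = (
    "Feb 26 00:00:01 suricata[1546]: [Drop] [1:51000003:0] "
    "OPN_Social_Media - Facebook - DNS request for facebook.com "
    "[Classification: Social-Media app detection by OPNsense] "
    "[Priority: 2] {UDP} 10.2.2.153:39445 -> 8.8.8.8:53"
)

# Suricata fast-log style alert as forwarded by syslog. The "[Drop]" action tag is
# optional (plain alerts have none), so one pattern covers both samples in the thread.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"suricata\[(?P<pid>\d+)\]: "
    r"(?:\[(?P<action>\w+)\] )?"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<signature>.+?) "
    r"\[Classification: (?P<classification>[^\]]*)\] "
    r"\[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>[A-Z]+)\} "
    r"(?P<src_ip>[0-9a-fA-F.:]+):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>[0-9a-fA-F.:]+):(?P<dst_port>\d+)$"
)

def parse_suricata_message(message):
    """Return the extracted fields, or None when the message is not a Suricata alert."""
    m = ALERT_RE.match(message.strip())
    if m is None:
        return None  # e.g. an sshd or cron line arriving on the same syslog facility
    fields = m.groupdict()
    for key in ("priority", "src_port", "dst_port"):
        fields[key] = int(fields[key])
    return fields

# Keys copied onto the record; prefixed so they do not collide with Bro's own
# "proto" (udp, the syslog transport) or Metron's ip_src_addr (the syslog sender).
EXTRACTED = ("classification", "priority", "proto", "src_ip", "src_port",
             "dst_ip", "dst_port", "action", "sid")

def enrich_syslog_record(record):
    """Add suricata_* fields to a Metron-style record only if its message parses."""
    parsed = parse_suricata_message(record.get("message", ""))
    if parsed is None:
        return record  # the "if it exists" case: non-Suricata events are left untouched
    enriched = dict(record)
    for key in EXTRACTED:
        enriched["suricata_" + key] = parsed[key]
    return enriched
```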