allamiro / Linux-Scripts

A collection of useful Bash shell scripts, developed by me or found on the web.


grok2

allamiro opened this issue · comments

input {
  # Tail the VMware log file. "beginning" is only honoured the first time the
  # file input sees this path; later runs resume from the recorded sincedb offset.
  file {
    start_position => "beginning"
    path => "/path/to/your/vmware/logfile.log"
  }
}

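filter {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:vmware_timestamp} %{GREEDYDATA:vmware_message}" }
  }

  # Build the CEF line only for events grok actually parsed. On a parse failure
  # the captured fields do not exist and sprintf leaves the literal
  # "%{vmware_message}" in the output rather than failing.
  if "_grokparsefailure" not in [tags] {
    mutate {
      # CEF header fields must escape "\" as "\\" and "|" as "\|", backslash
      # first so the pipe escape is not doubled. vmware_message is raw log text
      # controlled by whoever can write to the source log; without this a "|"
      # in the message shifts every header field that follows it.
      # The patterns assume the default config.support_escapes: false.
      gsub => [
        "vmware_message", "\\", "\\\\",
        "vmware_message", "\|", "\\|"
      ]
      add_field => {
        "CEFVersion" => "0"
        "DeviceVendor" => "VMware"
        "DeviceProduct" => "YourVMwareProduct"
        "DeviceVersion" => "YourVMwareVersion"
        "DeviceEventClassId" => "YourVMwareEventID"
        "Name" => "%{vmware_message}"
        "Severity" => "Unknown" # Placeholder: CEF consumers expect 0-10 or Low/Medium/High/Very-High here.
      }
    }

    # Kept in a separate mutate on purpose: add_field is applied after every
    # other mutate operation (including replace), so in a single mutate the
    # header fields would not exist yet when this sprintf is evaluated and the
    # output would contain literal "%{CEFVersion}|%{DeviceVendor}|..." text.
    mutate {
      replace => { "message" => "CEF:%{CEFVersion}|%{DeviceVendor}|%{DeviceProduct}|%{DeviceVersion}|%{DeviceEventClassId}|%{Name}|%{Severity}|rt=%{vmware_timestamp}" }
    }
  }
}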

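output {
  file {
    path => "/path/to/output/file"
    # The file output's default codec is json_lines, which would write the whole
    # event as a JSON document; write only the assembled CEF line instead.
    codec => line { format => "%{message}" }
  }
}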

input {
  # Tail the Cisco log file. "beginning" is only honoured the first time the
  # file input sees this path; later runs resume from the recorded sincedb offset.
  file {
    start_position => "beginning"
    path => "/path/to/your/cisco/logfile.log"
  }
}

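filter {
  grok {
    # NOTE(review): src_ip/src_port/dst_ip/dst_port/protocol used in the CEF
    # extension below are not captured by this pattern itself; they appear to
    # rely on the CISCOFW106023 sub-pattern's legacy (non-ECS) capture names.
    # Under ecs_compatibility => v8 those captures are nested ([source][ip] ...)
    # and the sprintf references would stay unresolved - confirm against the
    # patterns version in use, and check the leading "reason: action:" prefix
    # against a real sample line.
    match => { "message" => "%{CISCOTIMESTAMP:cisco_timestamp}: %{CISCO_REASON:cisco_reason}: %{CISCO_ACTION:cisco_action}: %{CISCOFW106023}" }
  }

  # Build the CEF line only for events grok actually parsed. On a parse failure
  # the captured fields do not exist and sprintf leaves the literal
  # "%{cisco_reason}" (and the extension fields) unresolved in the output.
  if "_grokparsefailure" not in [tags] {
    mutate {
      # CEF header fields must escape "\" as "\\" and "|" as "\|", backslash
      # first so the pipe escape is not doubled. cisco_reason lands in the
      # header Name field; a "|" in it would shift the fields that follow.
      # The patterns assume the default config.support_escapes: false.
      gsub => [
        "cisco_reason", "\\", "\\\\",
        "cisco_reason", "\|", "\\|"
      ]
      add_field => {
        "CEFVersion" => "0"
        "DeviceVendor" => "Cisco"
        "DeviceProduct" => "YourCiscoProduct"
        "DeviceVersion" => "YourCiscoVersion"
        "DeviceEventClassId" => "YourCiscoEventID"
        "Name" => "%{cisco_reason}"
        "Severity" => "Unknown" # Placeholder: CEF consumers expect 0-10 or Low/Medium/High/Very-High here.
      }
    }

    # Kept in a separate mutate on purpose: add_field is applied after every
    # other mutate operation (including replace), so in a single mutate the
    # header fields would not exist yet when this sprintf is evaluated and the
    # output would contain literal "%{CEFVersion}|%{DeviceVendor}|..." text.
    mutate {
      replace => { "message" => "CEF:%{CEFVersion}|%{DeviceVendor}|%{DeviceProduct}|%{DeviceVersion}|%{DeviceEventClassId}|%{Name}|%{Severity}|rt=%{cisco_timestamp} src=%{src_ip} spt=%{src_port} dst=%{dst_ip} dpt=%{dst_port} proto=%{protocol} act=%{cisco_action}" }
    }
  }
}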

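output {
  file {
    path => "/path/to/output/file"
    # The file output's default codec is json_lines, which would write the whole
    # event as a JSON document; write only the assembled CEF line instead.
    codec => line { format => "%{message}" }
  }
}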

input {
  # Tail the generic log file. "beginning" is only honoured the first time the
  # file input sees this path; later runs resume from the recorded sincedb offset.
  file {
    start_position => "beginning"
    path => "/path/to/your/logfile.log"
  }
}

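filter {
  grok {
    match => { "message" => "%{GREEDYDATA:log_message}" }
    # Replace the above grok pattern according to your log format
  }

  # Build the CEF line only for events grok actually parsed. With the default
  # GREEDYDATA pattern every line matches, but once the pattern is tightened a
  # parse failure would otherwise leave the literal "%{log_message}" in the output.
  if "_grokparsefailure" not in [tags] {
    mutate {
      # CEF header fields must escape "\" as "\\" and "|" as "\|", backslash
      # first so the pipe escape is not doubled. log_message is the whole raw
      # line, so a "|" in it would shift every header field that follows.
      # The patterns assume the default config.support_escapes: false.
      gsub => [
        "log_message", "\\", "\\\\",
        "log_message", "\|", "\\|"
      ]
      add_field => {
        "CEFVersion" => "0"
        "DeviceVendor" => "YourVendor"
        "DeviceProduct" => "YourProduct"
        "DeviceVersion" => "YourVersion"
        "DeviceEventClassId" => "YourEventID"
        "Name" => "%{log_message}"
        "Severity" => "Unknown" # Placeholder: CEF consumers expect 0-10 or Low/Medium/High/Very-High here.
      }
    }

    # Kept in a separate mutate on purpose: add_field is applied after every
    # other mutate operation (including replace), so in a single mutate the
    # header fields would not exist yet when this sprintf is evaluated and the
    # output would contain literal "%{CEFVersion}|%{DeviceVendor}|..." text.
    mutate {
      replace => { "message" => "CEF:%{CEFVersion}|%{DeviceVendor}|%{DeviceProduct}|%{DeviceVersion}|%{DeviceEventClassId}|%{Name}|%{Severity}" }
      # Include additional fields from the log_message into the CEF message as needed.
      # Extension values (key=value) must escape "\" and "=" as "\\" and "\=".
    }
  }
}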

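output {
  file {
    path => "/path/to/output/file"
    # The file output's default codec is json_lines, which would write the whole
    # event as a JSON document; write only the assembled CEF line instead.
    codec => line { format => "%{message}" }
  }
}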