# NetScreen firewall logs NETSCREENSESSIONLOG - Now is RFC5424, so not parsing.
dneto82 opened this issue
Hi Friends,
Trying to implement Logstash to collect data from my NetScreen devices (6.3.0r21), but I noticed the syslog format wasn't parsed correctly. After some grok searching I noticed the log format is RFC5424.
Sample:
```
<189>SSG-SITE1175: NetScreen device_id=SSG-SITE1175 [Root]system-notification-00257(traffic): start_time="2016-07-06 05:34:27" duration=0 policy_id=320001 service=proto:112/port:0 proto=112 src zone=Null dst zone=self action=Deny sent=0 rcvd=40 src=172.30.144.251 dst=224.0.0.18 session_id=0 reason=Traffic Denied
<133>SSG-SITE0006: NetScreen device_id=SSG-SITE0006 [Root]system-notification-00257(traffic): start_time="2016-07-06 05:34:28" duration=0 policy_id=89 service=dns proto=17 src zone=ZONE-A dst zone=Untrust action=Permit sent=0 rcvd=0 src=172.23.110.3 dst=192.31.1192.60 src_port=51435 dst_port=53 src-xlated ip=172.23.110.3 port=51435 dst-xlated ip=192.31.1192.60 port=53 session_id=7004 reason=Creation
```
My conf:
```
input {
  tcp {
    host => "10.114.243.55"
    port => 2514
    type => syslog
    tags => "traffic"
  }
  udp {
    host => "10.114.243.55"
    port => 2514
    type => syslog
    tags => "traffic"
  }
} # Input Block END
filter {
  if [type] == "syslog" {
    grok {
      match => ["message", "%{NETSCREENSESSIONLOG}"]
    }
  }
} # Filter Block END
output {
  if "traffic" in [tags] {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "firewall-traffic-%{+YYYY.MM}"
    }
  }
} # Output Block END
```
- Version:
  - www-apps/kibana-bin-4.5.1::gentoo
  - app-admin/logstash-bin-2.3.3::gentoo
  - app-misc/elasticsearch-2.3.3::gentoo
- Operating System: Funtoo x64
I think this can be related to this enhancement.
Now I'm trying to make a new grok pattern.
Hi,
are you sure that it's really RFC5424? If I got it right, the VERSION number (the one after the PRI) isn't optional, and the timestamp is missing/out of place.
It looks like a custom format.
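As an added example (not code from the issue, Logstash or the grok pattern library), a small Python parser that first applies the check from the reply above, namely whether a VERSION number and a timestamp follow the `<PRI>`, and then parses the NetScreen traffic line from the sample into fields, taking care of the keys that contain spaces (`src zone`, `dst-xlated ip`) and the bare `port` key that appears twice after the xlated addresses. The two sample lines are constructed from the format quoted in the issue, with addresses changed.

```python
import re

# Constructed sample modelled on the NetScreen traffic log quoted in the issue (addresses changed).
NETSCREEN_LINE = (
    '<133>SSG-SITE0006: NetScreen device_id=SSG-SITE0006 [Root]system-notification-00257(traffic): '
    'start_time="2016-07-06 05:34:28" duration=0 policy_id=89 service=dns proto=17 src zone=ZONE-A '
    'dst zone=Untrust action=Deny sent=0 rcvd=40 src=172.23.110.3 dst=198.51.100.60 src_port=51435 '
    'dst_port=53 src-xlated ip=172.23.110.3 port=51435 dst-xlated ip=198.51.100.60 port=53 '
    'session_id=7004 reason=Traffic Denied'
)
# Constructed RFC 5424 line for comparison: VERSION "1" and a timestamp follow <PRI>.
RFC5424_LINE = '<133>1 2016-07-06T05:34:28Z fw1 app - - - session opened'

# RFC 5424 header is <PRI>VERSION SP TIMESTAMP SP HOSTNAME ...; VERSION and TIMESTAMP are mandatory.
RFC5424_HEADER = re.compile(r'^<\d{1,3}>\d{1,2} (?:-|\d{4}-\d{2}-\d{2}T\S+) \S+ ')

def is_rfc5424(line):
    """True only when a VERSION number and a timestamp directly follow the PRI."""
    return RFC5424_HEADER.match(line) is not None

NETSCREEN_HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<host>\S+): NetScreen device_id=(?P<device_id>\S+) '
    r'\[(?P<vsys>[^\]]+)\](?P<event>[^(]+)\((?P<category>[^)]+)\): (?P<body>.*)$')
# Keys may contain spaces or hyphens ("src zone", "dst-xlated ip"); a value runs
# until the next " key=" or the end of the line, so "reason=Traffic Denied" stays whole.
KEY = r'[A-Za-z_][\w-]*(?: [A-Za-z_][\w-]*)*'
KV = re.compile(rf'(?P<key>{KEY})=(?P<val>"[^"]*"|.+?)(?= {KEY}=|$)')

def parse_netscreen(line):
    """Parse one NetScreen traffic log into a flat dict, or return None if the line is not one."""
    m = NETSCREEN_HEADER.match(line)
    if m is None:
        return None
    pri = int(m.group('pri'))
    rec = {'facility': pri >> 3, 'severity': pri & 7}  # PRI = facility * 8 + severity
    rec.update({k: v for k, v in m.groupdict().items() if k not in ('pri', 'body')})
    last_key = None
    for kv in KV.finditer(m.group('body')):
        key, val = kv.group('key'), kv.group('val').strip('"')
        # Both "src-xlated ip=... port=..." and "dst-xlated ip=... port=..." use a bare
        # "port" key; qualify it with the preceding xlated key so neither value is overwritten.
        if key == 'port' and last_key is not None and last_key.endswith('xlated ip'):
            key = last_key.replace(' ip', ' port')
        rec[key] = val
        last_key = key
    return rec
```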