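# Parse a BSD-style syslog line held in the "whole" field and promote the
# message's own timestamp to @timestamp.
filter {

  grok {
    # Kept on one line: in the original the pattern was wrapped in the middle
    # of %{SYSLOGHOST:syslog_host} and %{GREEDYDATA:syslog_message}, which is
    # not a valid pattern.
    # syslog_host and syslog_program are copied from the message header, i.e.
    # from whatever sent the line — untrusted input, not a verified source.
    # Events that do not match are tagged _grokparsefailure (the filter's
    # default); count them, since malformed lines are how parsing gets evaded.
    # %{DATA}/%{GREEDYDATA} are unanchored; on Logstash versions that have it,
    # the grok filter's timeout_millis bounds matching time on hostile input.
    match => { "whole" => "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
  }
  date {
    # Fixed: grok stores the timestamp in "timestamp", but the original read
    # "syslog_timestamp", a field that never exists — every event was tagged
    # _dateparsefailure and @timestamp silently stayed at ingest time, which
    # skews any timeline built from these logs.
    # Also fixed: the missing opening quote on the first format string, and
    # the single-digit-day form uses two spaces ("MMM  d"), as syslog pads
    # the day with a space.
    # Syslog timestamps carry neither year nor zone; Logstash infers both, so
    # check events near a year boundary before trusting the ordering.
    match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
  }
}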
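# Parse a BSD-style syslog line held in the "whole" field and promote the
# message's own timestamp to @timestamp.
filter {
  grok {
    # Pattern kept on one line; the original wrapped it inside
    # %{SYSLOGHOST:syslog_host} and %{GREEDYDATA:syslog_message}, which breaks
    # the pattern.
    # syslog_host and syslog_program are taken from the message header as
    # sent by the peer — treat them as untrusted when searching or alerting.
    # Non-matching events get the default _grokparsefailure tag; track that
    # count, since malformed lines are a simple way to evade parsing.
    # %{DATA}/%{GREEDYDATA} are unanchored; where the grok filter supports
    # timeout_millis, set it to bound matching time on hostile input.
    match => { "whole" => "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
  }
  date {
    # Fixed: the field is "timestamp" (the grok capture name); the original's
    # "syslog_timestamp" never exists, so @timestamp stayed at ingest time and
    # every event carried _dateparsefailure.
    # Also fixed: the missing opening quote on the first format, and the
    # two-space "MMM  d" form that syslog uses for single-digit days.
    # No year or zone in syslog timestamps; Logstash infers them — verify
    # around year boundaries before relying on the ordering.
    match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
  }
}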
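# Cisco ASA connection built/teardown (302013-302016), one pattern per line as
# a grok patterns file requires (the original was wrapped mid-token).
# Fixed: the trailing user group was "( \%{DATA:user}\))?" — an escaped percent
# and an unbalanced ")" — it is "( \(%{DATA:user}\))?" as in the sibling
# patterns on this page.
# src_/dst_mapped_* hold the translated address/port when the ASA reports one;
# fwuser/user are names the ASA logged, not authenticated identities.
CISCOFW302013_302014_302015_302016 %{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port}( \(%{IP:src_mapped_ip}/%{INT:src_mapped_port}\))?(\(%{DATA:src_fwuser}\))? to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}( \(%{IP:dst_mapped_ip}/%{INT:dst_mapped_port}\))?(\(%{DATA:dst_fwuser}\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?( \(%{DATA:user}\))?
# Sample message header, kept as a comment: as a bare line in a patterns file
# it would have been read as a pattern named "May".
#   May 27 00:00:00 gprs-ct-asa01 %ASA-6-302014:
# ASA-6-302020_302021 inbound (ICMP). Note the direction-dependent naming:
# for inbound, faddr -> src_ip and laddr -> dst_ip.
CISCOFW302020_302021_1 %{CISCO_ACTION:action}(?: (?<direction>inbound))? %{WORD:protocol} connection for faddr %{IP:src_ip}/%{INT:icmp_seq_num}(?:\(%{DATA:fwuser}\))? gaddr %{IP:dst_xlated_ip}/%{INT:icmp_code_xlated} laddr %{IP:dst_ip}/%{INT:icmp_code}( \(%{DATA:user}\))?
# ASA-6-302020_302021 outbound (ICMP): faddr -> dst_ip and laddr -> src_ip,
# so never assume faddr is always the source when querying these fields.
CISCOFW302020_302021_2 %{CISCO_ACTION:action}(?: (?<direction>outbound))? %{WORD:protocol} connection for faddr %{IP:dst_ip}/%{INT:icmp_seq_num}(?:\(%{DATA:fwuser}\))? gaddr %{IP:src_xlated_ip}/%{INT:icmp_code_xlated} laddr %{IP:src_ip}/%{INT:icmp_code}( \(%{DATA:user}\))?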

================================================================================
=========================================
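# ASA-6-302020_302021 inbound (ICMP), rejoined onto one line as a grok patterns
# file requires. Naming is direction-dependent: for inbound, faddr -> src_ip
# and laddr -> dst_ip. fwuser/user are names as logged by the ASA, not
# verified identities.
CISCOFW302020_302021_1 %{CISCO_ACTION:action}(?: (?<direction>inbound))? %{WORD:protocol} connection for faddr %{IP:src_ip}/%{INT:icmp_seq_num}(?:\(%{DATA:fwuser}\))? gaddr %{IP:dst_xlated_ip}/%{INT:icmp_code_xlated} laddr %{IP:dst_ip}/%{INT:icmp_code}( \(%{DATA:user}\))?
# ASA-6-302020_302021 outbound (ICMP): here faddr -> dst_ip and laddr -> src_ip,
# so queries on src_ip/dst_ip must not assume faddr is the source.
CISCOFW302020_302021_2 %{CISCO_ACTION:action}(?: (?<direction>outbound))? %{WORD:protocol} connection for faddr %{IP:dst_ip}/%{INT:icmp_seq_num}(?:\(%{DATA:fwuser}\))? gaddr %{IP:src_xlated_ip}/%{INT:icmp_code_xlated} laddr %{IP:src_ip}/%{INT:icmp_code}( \(%{DATA:user}\))?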

ASA-6-602304 outbound CISCOFW602303_602304_2 %{WORD:protocol}: An (?<direction>outbound) %{GREEDYDATA: tunnel_type} SA \(SPI= %{DATA:spi}\) between %{IP:dst_ip} and %{IP:dst_ip} \(use r= %{DATA:user}\) has been %{CISCO_ACTION:action} ================================================================================ ==================================================== mkdir -p logstash/filters/ cd logstash/filters # Call this file 'foo. ASA-6-302016 outbound CISCOFW302013_302014_302015_302016_2 %{CISCO_ACTION:action}(?: (?<direction>outb ound))? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:dst_interfac e}:%{IP:dst_ip}/%{INT:dst_port}( \(%{IP:dst_xlated_ip}/%{INT:dst_xlated_port}\)) ?(\(%{DATA:dst_fwuser}\))? to %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} ( \(%{IP:src_xlated_ip}/%{INT:src_xlated_port}\))?(\(%{DATA:src_fwuser}\))?( dur ation %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?( \(%{DAT A:user}\))? # ASA-6-602303. as above) . ASA-2-106007 inbound CISCOFW106006_106007_1 %{CISCO_ACTION:action} (?<direction>inbound) %{WORD:proto col} from %{IP:src_ip}/%{INT:src_port}(\(%{DATA:src_fwuser}\))? to %{IP:dst_ip}/ %{INT:dst_port}(\(%{DATA:dst_fwuser}\))? (?:on interface %{DATA:interface}|due t o %{CISCO_REASON:reason}) # ASA-2-106006. 
ASA-6-602304 inbound CISCOFW602303_602304_1 %{WORD:protocol}: An (?<direction>inbound) %{GREEDYDATA:t unnel_type} SA \(SPI= %{DATA:spi}\) between %{IP:src_ip} and %{IP:dst_ip} \(user = %{DATA:user}\) has been %{CISCO_ACTION:action} # ASA-6-602303.# ASA-2-106001 inbound CISCOFW106001_1 (?<direction>Inbound) %{WORD:protocol} connection %{CISCO_ACTION :action} from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface} # ASA-2-106001 outbound CISCOFW106001_2 (?<direction>Outbound) %{WORD:protocol} connection %{CISCO_ACTIO N:action} from %{IP:dst_ip}/%{INT:dst_port} to %{IP:src_ip}/%{INT:src_port} flag s %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface} # ASA-2-106006. ASA-6-302015. ASA-6-302016 inbound CISCOFW302013_302014_302015_302016_1 %{CISCO_ACTION:action}(?: (?<direction>inbo und))? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:src_interface }:%{IP:src_ip}/%{INT:src_port}( \(%{IP:src_xlated_ip}/%{INT:src_xlated_port}\))? (\(%{DATA:src_fwuser}\))? to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}( \(%{IP:dst_xlated_ip}/%{INT:dst_xlated_port}\))?(\(%{DATA:dst_fwuser}\))?( dura tion %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?( \(%{DATA :user}\))? # ASA-6-302013. ASA-6-302014. ASA-6-302014. ASA-6-302015.rb' (in logstash/filters. ASA-2-106007 outbound CISCOFW106006_106007_2 %{CISCO_ACTION:action} (?<direction>outbound) %{WORD:prot ocol} from %{IP:dst_ip}/%{INT:dst_port}(\(%{DATA:dst_fwuser}\))? to %{IP:src_ip} /%{INT:src_port}(\(%{DATA:src_fwuser}\))? (?:on interface %{DATA:interface}|due to %{CISCO_REASON:reason}) # ASA-2-106010 CISCOFW106010 %{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protoco l} src %{IP:src_ip}/%{INT:src_port}(\(%{DATA:src_fwuser}\))? dst %{IP:dst_ip}/%{ INT:dst_port}(\(%{DATA:dst_fwuser}\))? # ASA-6-302013.

:validate => :string public def register # nothing to do end # def register public def filter(event) # return nothing unless there's an actual filter event return unless filter?(event) if @message # Replace the event message with our message as configured in the # config file. config :message. In our case. } # } config_name "foo" # New plugins should start life at milestone 1. milestone 1 # Replace the message with this value.require "logstash/filters/base" require "logstash/namespace" class LogStash::Filters::Foo < LogStash::Filters::Base # Setting the config_name here is required. it's the current directory. event["message"] = @message end # filter_matched should go in the last line of our successful code filter_matched(event) end # def filter end # class LogStash::Filters::Foo #example. % bin/logstash --pluginpath your/plugin/root -f example.. This is how you # configure this filter from your logstash config. # # filter { # foo { .conf .conf input { stdin { type => "foo" } } filter { if [type] == "foo" { foo { message => "Hello world!" } } } output { stdout { } } You can use the agent flag --pluginpath flag to specify where the root of your p lugin tree is..

495000Z stdin://snack.conf the quick brown fox 2011-05-12T01:05:09.% bin/logstash -f example. but in this case our "the qui ck brown fox" message was replaced with "Hello world!" All done! :) .home/: Hello world! The output is the standard logstash stdout output.
