Cisco FirePOWER GROK Extractors for Graylog

UPDATED 10/6/2017: Added more lines to include various formats for web traffic detection. Seems to catch all HTTP/HTTPS now.

My first attempt at making an extractor for Graylog.

Tested and (mostly) working. It is probably horribly inefficient, but it is working well in our small, one-firewall environment on FirePOWER version 6.1.0-330. From what I gather, different versions can be problematic: the extractors that were already posted on GitHub weren't working for me, and they were built on a slightly older 6.x version.

Open to comments, criticism, etc. I’m a network admin, not a developer.

For those new to Graylog and to working with Grok extractors: download the .JSON file, create a "Raw/Plaintext UDP" input in Graylog for FirePOWER, and import the extractors into that input. Then point your FirePOWER syslog output at your Graylog server's IP:port.