Grok pattern for proxmox firewall logs asking for advice

Impac · January 3, 2023, 7:02pm

Hey all,

I’m pretty new to graylog and I’m starting to ingest all types of logs. I’m already processing json logs from my docker hosts and also syslog from my hosts. I also just upgraded to 5.0, the upgrade went super smooth!

Now to my question: One of my hypervisors is proxmox and it has a built in firewall. The logs this firewall produces look like this for tcp:

proxmoxhostname pvefw 123 6 tap123i0-IN 03/Jan/2023:19:11:20 +0100 policy DROP: IN=fwbr123i0 OUT=fwbr123i0 PHYSIN=fwln123i0 PHYSOUT=tap123i0 MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=123.123.123.123 DST=456.456.456.456 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=12345 PROTO=TCP SPT=59763 DPT=12345 SEQ=1234567890 ACK=0 WINDOW=1024 SYN

and like this for udp:

proxmoxhostname pvefw 123 6 veth123i0-IN 03/Jan/2023:19:43:23 +0100 policy DROP: IN=fwbr123i0 OUT=fwbr123i0 PHYSIN=fwln123i0 PHYSOUT=veth123i0 MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=123.123.123.123 DST=456.456.456.456 LEN=76 TOS=0x00 PREC=0x00 TTL=242 ID=12321 PROTO=UDP SPT=43605 DPT=123 LEN=56

I tried my best with my grok beginner skills but couldn’t progress after getting stuck on trying to extract the policy correctly. I tried using some online debugger but I’m just not familiar enough with the syntax yet to figure it out.

Here is what I got so far:
%{WORD:pve} %{WORD:pvefw} %{INT:vmid} %{INT:dontknow} %{USERNAME:interface} %{HTTPDATE:interface}

Appreciate any type of help! Please let me know if you need more info.

Thanks!

gsmith · January 4, 2023, 12:17am

Hello @Impac && Welcome

Couple questions. Have you tested each one of those GROK patterns to see if they work?
Are you trying to combine all those GROK patterns together?

H077E · January 4, 2023, 6:30pm

Hi @Impac,

it helps if you reduce the complexity first.

it is set by Proxmox…

proxmoxhostname pvefw 123 6 tap123i0-IN

and that comes from IPTables

03/Jan/2023:19:11:20 +0100 policy DROP: IN=fwbr123i0 OUT=fwbr123i0 PHYSIN=fwln123i0 PHYSOUT=tap123i0 MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=123.123.123.123 DST=456.456.456.456 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=12345 PROTO=TCP SPT=59763 DPT=12345 SEQ=1234567890 ACK=0 WINDOW=1024 SYN

here a GROK could start like this…

%{DATA:fw_timestamp} policy %{WORD:fw_Action}: IN=%{WORD:fw_inif} OUT=%{WORD:fw_outif} ....

and then you put both together…

PROXMOX_HEAD %{WORD:pve} %{WORD:pvefw} %{INT:vmid} %{INT:dontknow}  %{USERNAME:interface} %{HTTPDATE:interface}

PROXMOX_FW %{DATA:fw_timestamp} policy %{WORD:fw_Action}: IN=%{WORD:fw_inif} OUT=%{WORD:fw_outif} .....

PROXMOX_FULL %{PROXMOX_HEAD} %{PROXMOX_FW}

PROXMOX_HEAD, PROXMOX_FW and PROXMOX_FULL is the name of GROK Scripts.

The %{PROXMOX_FULL} can you put in the extractor.

Good luck!

system · January 18, 2023, 6:31pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Need help with extractor grok pattern Graylog Tech Challenges pipeline-rules	6	1384	May 24, 2022
Grok pattern for sophos xgs Firewall messages Graylog Central (peer support) grok-patternspl	2	343	January 19, 2024
Grok Pattern in Pipelines Graylog Central (peer support)	5	39	October 17, 2024
Grok pattern for sonicwall firewall logs Graylog Central (peer support)	6	1774	October 15, 2019
Grok pattern for dd-wrt syslog input Graylog Central (peer support)	4	1325	October 16, 2017

Grok pattern for proxmox firewall logs asking for advice

Related topics