Grok pattern for proxmox firewall logs asking for advice

Hey all,

I’m pretty new to graylog and I’m starting to ingest all types of logs. I’m already processing json logs from my docker hosts and also syslog from my hosts. I also just upgraded to 5.0, the upgrade went super smooth!

Now to my question: One of my hypervisors is proxmox and it has a built in firewall. The logs this firewall produces look like this for tcp:

proxmoxhostname pvefw 123 6 tap123i0-IN 03/Jan/2023:19:11:20 +0100 policy DROP: IN=fwbr123i0 OUT=fwbr123i0 PHYSIN=fwln123i0 PHYSOUT=tap123i0 MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=123.123.123.123 DST=456.456.456.456 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=12345 PROTO=TCP SPT=59763 DPT=12345 SEQ=1234567890 ACK=0 WINDOW=1024 SYN

and like this for udp:

proxmoxhostname pvefw 123 6 veth123i0-IN 03/Jan/2023:19:43:23 +0100 policy DROP: IN=fwbr123i0 OUT=fwbr123i0 PHYSIN=fwln123i0 PHYSOUT=veth123i0 MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=123.123.123.123 DST=456.456.456.456 LEN=76 TOS=0x00 PREC=0x00 TTL=242 ID=12321 PROTO=UDP SPT=43605 DPT=123 LEN=56

I tried my best with my grok beginner skills but couldn’t progress after getting stuck on trying to extract the policy correctly. I tried using some online debugger but I’m just not familiar enough with the syntax yet to figure it out.

Here is what I got so far:
%{WORD:pve} %{WORD:pvefw} %{INT:vmid} %{INT:dontknow} %{USERNAME:interface} %{HTTPDATE:timestamp}

Appreciate any type of help! Please let me know if you need more info.

Thanks!

Hello @Impac && Welcome

Couple questions. Have you tested each one of those GROK patterns to see if they work?
Are you trying to combine all those GROK patterns together?

Hi @Impac,

It helps if you reduce the complexity first.

This is set by Proxmox…

proxmoxhostname pvefw 123 6 tap123i0-IN

and that comes from IPTables

03/Jan/2023:19:11:20 +0100 policy DROP: IN=fwbr123i0 OUT=fwbr123i0 PHYSIN=fwln123i0 PHYSOUT=tap123i0 MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=123.123.123.123 DST=456.456.456.456 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=12345 PROTO=TCP SPT=59763 DPT=12345 SEQ=1234567890 ACK=0 WINDOW=1024 SYN

here a GROK could start like this…

%{DATA:fw_timestamp} policy %{WORD:fw_Action}: IN=%{WORD:fw_inif} OUT=%{WORD:fw_outif} ....

and then you put both together…

PROXMOX_HEAD %{WORD:pve} %{WORD:pvefw} %{INT:vmid} %{INT:dontknow} %{USERNAME:interface}

PROXMOX_FW %{DATA:fw_timestamp} policy %{WORD:fw_Action}: IN=%{WORD:fw_inif} OUT=%{WORD:fw_outif} .....

PROXMOX_FULL %{PROXMOX_HEAD} %{PROXMOX_FW}

PROXMOX_HEAD, PROXMOX_FW and PROXMOX_FULL are the names of the GROK scripts.

The %{PROXMOX_FULL} you can put in the extractor.

Good luck!
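As an added example (not code from the thread or from Proxmox), here is the same head/firewall split expressed as a small Python parser, so the field layout can be checked offline before it is turned into Graylog grok patterns. It uses the two sample lines from the question (the addresses are the placeholders from the post), handles the bare flag tokens such as SYN, and keeps both LEN values from the UDP line (IP length and UDP length) instead of letting the second overwrite the first. The name "level" for the fourth integer is an assumption; the thread does not say what that field is.

```python
import re
from datetime import datetime
from typing import Optional

# Constructed sample lines in the format shown in the thread (addresses are
# the placeholders from the post, not real hosts).
TCP_LINE = (
    "proxmoxhostname pvefw 123 6 tap123i0-IN 03/Jan/2023:19:11:20 +0100 policy DROP: "
    "IN=fwbr123i0 OUT=fwbr123i0 PHYSIN=fwln123i0 PHYSOUT=tap123i0 "
    "MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=123.123.123.123 DST=456.456.456.456 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=12345 PROTO=TCP SPT=59763 DPT=12345 "
    "SEQ=1234567890 ACK=0 WINDOW=1024 SYN"
)
UDP_LINE = (
    "proxmoxhostname pvefw 123 6 veth123i0-IN 03/Jan/2023:19:43:23 +0100 policy DROP: "
    "IN=fwbr123i0 OUT=fwbr123i0 PHYSIN=fwln123i0 PHYSOUT=veth123i0 "
    "MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=123.123.123.123 DST=456.456.456.456 "
    "LEN=76 TOS=0x00 PREC=0x00 TTL=242 ID=12321 PROTO=UDP SPT=43605 DPT=123 LEN=56"
)

# Head written by Proxmox, then the iptables part. This mirrors the
# PROXMOX_HEAD / PROXMOX_FW split: the timestamp belongs to the firewall part.
# "level" for the fourth integer is an assumed name; the thread does not identify it.
HEAD_RE = re.compile(
    r"^(?P<host>\S+) pvefw (?P<vmid>\d+) (?P<level>\d+) (?P<chain>\S+) "
    r"(?P<timestamp>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"policy (?P<action>\w+): (?P<rest>.*)$"
)


def _coerce(value: str):
    """Turn purely numeric values (ports, lengths, TTL ...) into ints; leave
    addresses, MACs and hex values such as TOS=0x00 as strings."""
    return int(value) if value.isdigit() else value


def parse_iptables_fields(rest: str) -> dict:
    """Parse the KEY=VALUE part of the line.

    Bare tokens (SYN, ACK, DF ...) are flags. A key that repeats after PROTO
    (the UDP line carries LEN twice: IP length, then UDP length) is stored under
    a protocol-prefixed name, e.g. udp_len, so the first value survives."""
    fields: dict = {}
    flags: list = []
    for token in rest.split():
        if "=" not in token:
            flags.append(token)
            continue
        key, value = token.split("=", 1)
        key = key.lower()
        if key in fields:
            key = f"{str(fields.get('proto', 'l4')).lower()}_{key}"
        fields[key] = _coerce(value)
    fields["flags"] = flags
    return fields


def parse_line(line: str) -> Optional[dict]:
    """Parse one pvefw log line; return None if it is not in this format."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    rest = event.pop("rest")
    event["vmid"] = int(event["vmid"])
    event["level"] = int(event["level"])
    # Chain names look like tap123i0-IN: interface plus direction.
    iface, _, direction = event["chain"].rpartition("-")
    event["interface"], event["direction"] = iface, direction
    event["timestamp"] = datetime.strptime(event["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
    event.update(parse_iptables_fields(rest))
    return event


if __name__ == "__main__":
    for sample in (TCP_LINE, UDP_LINE):
        ev = parse_line(sample)
        print(f"{ev['action']} {ev['proto']} {ev['src']}:{ev['spt']} -> "
              f"{ev['dst']}:{ev['dpt']} via {ev['interface']} ({ev['direction']}) flags={ev['flags']}")
```

The regex groups map one-to-one onto grok fields (host, vmid, chain, timestamp, action), so once the Python version matches both sample lines the equivalent grok pattern can be written with the same field names; the key=value tail is the part that a single grok pattern handles poorly, and Graylog's key-value extractor is the usual choice for it.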
