Hi,
does anybody has an idea, what the mistakes could be in my grok pattern? I like to implement it in a graylog pipeline. I already spent some hours and have no clue, why the pattern does not work completely.
here the pattern:
.*device_model="%{DATA:device_model}" device_serial_id="%{DATA:device_serial_id}" .*log_component="%{DATA:log_component}" .severity="%{LOGLEVEL:severity}." .*fw_rule_name="%{DATA:fw_rule_name}" (app_name="%{DATA:app_name}" app_risk=%{INT:app_risk} app_technology="%{DATA:app_technology}")?.*dst_mac="%{DATA:dst_mac}" .protocol="%{DATA:protocol}" (icmp_type=%{INT:icmp_type} )?(icmp_code=%{INT:icmp_code} )?(src_trans_ip="%{IP:src_trans_ip}" )?(src_zone_type="%{DATA:src_zone_type}" src_zone="%{DATA:src_zone}" dst_zone_type="%{DATA:dst_zone_type}" dst_zone="%{DATA:dst_zone}" )?.
Here 2 test samples:
device_name=“SFW” timestamp=“2024-01-04T13:45:08+0100” device_model=“XGS4500” device_serial_id=“X45011CHDCWPXB4” log_id=“010101600001” log_type=“Firewall” log_component=“Firewall Rule” log_subtype=“Allowed” log_version=1 severity=“Information” fw_rule_id=“201” fw_rule_name=“bla” fw_rule_section=“Local rule” nat_rule_id=“2” nat_rule_name=“Default MASQ” fw_rule_type=“USER” gw_id_request=1 gw_name_request=“WAN1” app_name=“DNS” app_risk=1 app_technology=“Network Protocol” app_category=“Infrastructure” ether_type=“Unknown (0x0000)” in_interface=“LAG0” out_interface=“Port2” src_mac=“00:00:00:B5:1C:24” dst_mac=“00:00:00:FC:0A:09” src_ip=“10.1.11.1” src_country=“SGP” dst_ip=“8.8.8.8” dst_country=“USA” protocol=“UDP” src_port=63677 dst_port=53 src_trans_ip=“8.8.8.8” src_zone_type=“LAN” src_zone=“LAN” dst_zone_type=“WAN” dst_zone=“WAN” con_event=“Start” con_id=“292786601” hb_status=“No Heartbeat” app_resolved_by=“Signature” app_is_cloud=“FALSE” qualifier=“New” in_display_interface=“blobb” out_display_interface=“blux” log_occurrence=“1”
device_name=“SFW” timestamp=“2023-12-29T18:03:03+0100” device_model=“XGS4500” device_serial_id=“X45011CHDCWPXB4” log_id=“010101600001” log_type=“Firewall” log_component=“Firewall Rule” log_subtype=“Allowed” log_version=1 severity=“Information” fw_rule_id=“38” fw_rule_name=“blubb” fw_rule_section=“Local rule” nat_rule_id=“0” fw_rule_type=“USER” ether_type=“Unknown (0x0000)” in_interface=“LAG0.4” out_interface=“LAG0” src_mac=“00:00:00:00:1B:4F” dst_mac=“00:00:00:FC:0A:09” src_ip=“192.168.4.11” src_country=“R1” dst_ip=“10.1.11.2” dst_country=“USA” protocol=“ICMP” icmp_type=8 src_zone_type=“DMZ” src_zone=“DMZ” dst_zone_type=“LAN” dst_zone=“LAN” con_event=“Start” con_id=“3808307646” hb_status=“No Heartbeat” app_resolved_by=“Signature” app_is_cloud=“FALSE” qualifier=“New” in_display_interface=“bli-192.168.4.1” out_display_interface=“blobb” log_occurrence=“1”
Here the result from https://grokdebugger.com/
[
{
“device_model”: “XGS4500”,
“device_serial_id”: “X45011CHDCWPXB4”,
“log_component”: “Firewall Rule”,
“severity”: “Information”,
“fw_rule_name”: “bla”,
“dst_mac”: “00:00:00:FC:0A:09”,
“protocol”: “UDP”
},
{
“device_model”: “XGS4500”,
“device_serial_id”: “X45011CHDCWPXB4”,
“log_component”: “Firewall Rule”,
“severity”: “Information”,
“fw_rule_name”: “blubb”,
“dst_mac”: “00:00:00:FC:0A:09”,
“protocol”: “ICMP”,
“icmp_type”: 8,
“src_zone_type”: “DMZ”,
“src_zone”: “DMZ”,
“dst_zone_type”: “LAN”,
“dst_zone”: “LAN”
}
]
Here the problem:
In the first sample the variables src_trans_ip, src_zone_type, src_zone, dst_zone_type and dst_zone don’t get extracted
in the 2nd sample, the variable src_trans_ip is missing.
Would be great if someone help me to understand, why it is not working.