Hi everyone,
I’m trying to extract data from UFW logs using regex/GROK, but I can’t find how to get only the data I want. Maybe some of you could help me see clearly through these tools?
This is the log I’m trying to parse (IPs are anonymized):
Aug 9 11:47:32 servername kernel: [1045486.294558] [UFW BLOCK] IN=ens000 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=0.0.0.0 DST=0.0.0.0 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=52948 DF PROTO=TCP SPT=23550 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
And here is my custom grok pattern:
DPT=(?<data>[\d]+)
The result that comes out is:
{
"UFW_DST_PORT": "DPT=23",
"data": "23"
}
I made a pipeline to add new fields; the rule is here:
rule "UFW IN/OUT/PORT"
when
has_field("log_application") && to_string($message.log_application) == "ufw"
then
let msg = to_string($message.message);
let ufw_source = grok(pattern:"%{UFW_IP_SRC}", value: msg, only_named_captures:true);
let ufw_destination = grok(pattern:"%{UFW_IP_DST}", value: msg, only_named_captures:true);
let ufw_port = grok(pattern:"%{UFW_DST_PORT}", value: msg, only_named_captures:true);
let ufw_protocol = grok(pattern:"%{UFW_PROTO}", value: msg, only_named_captures:true);
let ufw_action = grok(pattern:"%{UFW_ACTION}", value: msg, only_named_captures:true);
set_field("ufw-source", ufw_source);
set_field("ufw-destination", ufw_destination);
set_field("ufw-port", ufw_port);
set_field("ufw-protocol", ufw_protocol);
set_field("ufw-action", ufw_action);
end
Which seems quite good, until I see the way it turns out in the logs; just like this:
What I want to do is have only the “TCP” part of the message and get rid of all the “data” and “{” “}” stuff. I don’t understand how to proceed in order to get this.
Thanks in advance for your help!
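Added example, not part of the post above and not Graylog pipeline code: a Python parser that applies the same kind of named-capture patterns to the posted UFW line and shows why the fields come out as {"data": "TCP"} (a named-capture match is a map keyed by the capture name) and how to store only the value. The field names and the second ICMP log line are constructed for illustration.

```python
import re

# Sample line copied from the post (IPs were already anonymized there).
SAMPLE_TCP_LINE = (
    "Aug 9 11:47:32 servername kernel: [1045486.294558] [UFW BLOCK] "
    "IN=ens000 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 "
    "SRC=0.0.0.0 DST=0.0.0.0 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=52948 DF "
    "PROTO=TCP SPT=23550 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0"
)

# Constructed ICMP variant: UFW logs no SPT/DPT for ICMP, so "ufw-port" must stay absent.
SAMPLE_ICMP_LINE = (
    "Aug 9 11:50:01 servername kernel: [1045635.001122] [UFW BLOCK] "
    "IN=ens000 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 "
    "SRC=0.0.0.0 DST=0.0.0.0 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF "
    "PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1"
)

# One named-capture pattern per field, mirroring the post's %{UFW_*} grok patterns.
# Python spells a named group (?P<name>...); grok/Java accept (?<name>...).
# The capture is deliberately called "data" to match the post's pattern.
UFW_PATTERNS = {
    "ufw-action": re.compile(r"\[UFW (?P<data>[A-Z ]+)\]"),
    "ufw-source": re.compile(r"\bSRC=(?P<data>\S+)"),
    "ufw-destination": re.compile(r"\bDST=(?P<data>\S+)"),
    "ufw-port": re.compile(r"\bDPT=(?P<data>\d+)"),
    "ufw-protocol": re.compile(r"\bPROTO=(?P<data>\w+)"),
}


def match_captures(pattern, line):
    """Return the named captures as a dict, i.e. the map a grok() call hands back.

    For the PROTO pattern this is {"data": "TCP"}: storing this whole map as a
    field is exactly what produces the {"data": ...} nesting seen in the post.
    """
    m = pattern.search(line)
    return m.groupdict() if m else None


def parse_ufw(line):
    """Flatten every match to its scalar value so the field holds 'TCP', not a map."""
    fields = {}
    for name, pattern in UFW_PATTERNS.items():
        captures = match_captures(pattern, line)
        if captures is None:
            continue  # no match: leave the field unset instead of storing an empty map
        fields[name] = captures["data"]  # pick the value out of the capture map
    return fields
```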