Pipeline for firewall logs

(Salma Ait Lhaj) #1


I want to create a pipeline in Graylog like we create in Logstash in order to separate fields!
Can someone help me, please?

I have logs from firewalls (Cisco ASA, FortiGate, Palo Alto).

(Jochen) #2

Take a look at the documentation for the processing pipeline:

There are also a few blog posts on the Graylog blog which demonstrate various use cases:

(Salma Ait Lhaj) #3

You are not helping me with links, because I already have them.

I think that to parse logs I don't need the pipelines. Can I give you my Logstash configuration, and can you tell me how I can do the same with Graylog?

(M D) #4

Maybe using grok patterns in Logstash will help.

(Salma Ait Lhaj) #5

With Cisco ASA logs I parsed with grok; can you help me with Palo Alto logs:

1,2018/06/21 14:16:40,0009C101283,TRAFFIC,start,0,2018/06/21 14:16:40,,,,,KEOLIS OUT PUBLIC IP,,,ssl,vsys1,DMZ,Internet,ae2.1801,ae1.849,frghcslnetv03-04,2018/06/21 14:16:40,34302707,1,12173,443,0,0,0x0,tcp,allow,483,405,78,4,2018/06/21 14:16:41,0,any,0,97437831801,0x0,FR,CA,0,3,1,n/a,0,0,0,0,CTX_PROD,frghcfwdmz01m,from-policy

In Logstash I parse them with the CSV filter.
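The record above is a PAN-OS TRAFFIC log line: 54 comma-separated positional fields, with any field that itself contains a comma (a rule name, for instance) wrapped in double quotes, which is why a plain split on "," is not enough and a CSV parser is the right tool. The following Python is an added example, not code from the original thread and not a Graylog pipeline rule: it does what the Logstash CSV filter does for this record (strip an optional syslog header, split the CSV body, assign positional names, convert the counters to integers and drop empty fields) and is the logic one would reproduce in a Graylog pipeline rule. The field names are taken from the documented PAN-OS 8.0-era traffic log layout and are an assumption that must be checked against the firewall's own PAN-OS version, since newer releases append fields; the quoted-rule-name line and the syslog-prefixed line are constructed test inputs.

```python
import csv
import io
from typing import Dict, Union

# Positional names for a PAN-OS TRAFFIC record (54 fields). Assumption: this is
# the PAN-OS 8.0-era layout; verify it against the log format reference for
# the version actually running, as later releases add fields at the end.
PAN_TRAFFIC_FIELDS = [
    "future_use_1", "receive_time", "serial_number", "type", "subtype",
    "future_use_2", "generated_time", "src_ip", "dst_ip", "nat_src_ip",
    "nat_dst_ip", "rule_name", "src_user", "dst_user", "application",
    "virtual_system", "src_zone", "dst_zone", "inbound_interface",
    "outbound_interface", "log_action", "future_use_3", "session_id",
    "repeat_count", "src_port", "dst_port", "nat_src_port", "nat_dst_port",
    "flags", "protocol", "action", "bytes", "bytes_sent", "bytes_received",
    "packets", "start_time", "elapsed_time", "category", "future_use_4",
    "sequence_number", "action_flags", "src_location", "dst_location",
    "future_use_5", "packets_sent", "packets_received", "session_end_reason",
    "dg_hierarchy_level_1", "dg_hierarchy_level_2", "dg_hierarchy_level_3",
    "dg_hierarchy_level_4", "vsys_name", "device_name", "action_source",
]

# Counters and ports that are more useful as numbers than as strings.
INT_FIELDS = {
    "session_id", "repeat_count", "src_port", "dst_port", "nat_src_port",
    "nat_dst_port", "bytes", "bytes_sent", "bytes_received", "packets",
    "elapsed_time", "sequence_number", "packets_sent", "packets_received",
}

# The line posted in the thread (IP fields are blank in the original).
SAMPLE_LINE = (
    "1,2018/06/21 14:16:40,0009C101283,TRAFFIC,start,0,2018/06/21 14:16:40,,,,,"
    "KEOLIS OUT PUBLIC IP,,,ssl,vsys1,DMZ,Internet,ae2.1801,ae1.849,frghcslnetv03-04,"
    "2018/06/21 14:16:40,34302707,1,12173,443,0,0,0x0,tcp,allow,483,405,78,4,"
    "2018/06/21 14:16:41,0,any,0,97437831801,0x0,FR,CA,0,3,1,n/a,0,0,0,0,"
    "CTX_PROD,frghcfwdmz01m,from-policy"
)
# Constructed variants: a rule name containing a comma (PAN-OS quotes it) and
# the same record still carrying a syslog header as the input would see it.
SAMPLE_QUOTED_RULE = SAMPLE_LINE.replace("KEOLIS OUT PUBLIC IP", '"Rule, with comma"')
SAMPLE_WITH_SYSLOG = "<14>Jun 21 14:16:40 frghcfwdmz01m " + SAMPLE_LINE


def strip_syslog_header(line: str) -> str:
    """Keep only the CSV body if a syslog PRI/timestamp/host prefix is present.

    The body starts at the last whitespace before the first comma, because
    the first PAN-OS field never contains a space while the header does.
    """
    head, _, _ = line.partition(",")
    return line[head.rfind(" ") + 1:] if " " in head else line


def parse_pan_traffic(line: str) -> Dict[str, Union[str, int]]:
    """Split one PAN-OS TRAFFIC record into named fields, like a CSV filter."""
    body = strip_syslog_header(line.rstrip("\r\n"))
    # csv.reader honours the double quotes PAN-OS puts around fields that
    # contain commas; strict=True rejects malformed quoting instead of guessing.
    row = next(csv.reader(io.StringIO(body), strict=True))
    if len(row) < len(PAN_TRAFFIC_FIELDS):
        raise ValueError(f"expected at least {len(PAN_TRAFFIC_FIELDS)} fields, got {len(row)}")
    if row[3] != "TRAFFIC":
        raise ValueError(f"not a TRAFFIC record (type={row[3]!r}); THREAT/SYSTEM logs have a different layout")
    record: Dict[str, Union[str, int]] = {}
    for name, value in zip(PAN_TRAFFIC_FIELDS, row):
        if name.startswith("future_use") or value == "":
            continue  # drop documented placeholders and empty columns
        record[name] = int(value) if name in INT_FIELDS else value
    return record


if __name__ == "__main__":
    for key, value in parse_pan_traffic(SAMPLE_LINE).items():
        print(f"{key}: {value}")
```

The type check matters in practice: Palo Alto THREAT, SYSTEM and CONFIG logs share the first few columns with TRAFFIC but diverge afterwards, so a single positional mapping applied to every line silently mislabels fields. In Graylog the same work is done in a pipeline rule that splits the message and sets the resulting fields; the positional table above is what that rule has to encode.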

(M D) #6

You have to use a grok pattern in Logstash and output it in JSON, and you will have the fields in JSON format.

Also, you might want to post on the Elastic forum.

(system) #7

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.