Parsing firewall logs with Logstash Grok

尊寶雷 2021-09-18 14:25:07 Reads: 950


I. Example: parsing Huawei firewall logs with Logstash
1. Firewall log:

"<190>Sep 18 2021 04:10:29 DJI-WL-FW-USG6620E-01 %%01POLICY/6/POLICYPERMIT(l):vsys=public, protocol=17, source-ip=192.99.19.56, source-port=50585, destination-ip=192.9.2.87, destination-port=8456, time=2021/9/18 12:10:29, source-zone=Kaifa_CT_01, destination-zone=Internal, application-name=firewall, rule-name=rule_370.\u0000"

2. Grok parsing pattern

(?<time>%{MONTH}\s%{MONTHDAY}\s%{YEAR}\s%{TIME}) %{HOSTNAME:name} %%01POLICY/6/%{WORD:action}\(l\):vsys=%{WORD:vsys}, protocol=%{INT:protocol}, source-ip=%{IP:source_ip}, source-port=%{INT:source_port}, destination-ip=%{IP:destination_ip}, destination-port=%{INT:destination_port}, time=(?<session_time>%{YEAR}/%{MONTHNUM}/%{MONTHDAY}\s%{TIME}), source-zone=%{WORD:source_zone}, destination-zone=%{WORD:destinatione_zone}, (application-name=|application-name=%{WORD:application_name}), rule-name=%{WORD:rule_name}

3. Parse result

{
  "vsys": "public",
  "destination_port": "8456",
  "rule_name": "rule_370",
  "source_zone": "Kaifa_CT_01",
  "session_time": "2021/9/18 12:10:29",
  "source_ip": "192.99.19.56",
  "protocol": "17",
  "destination_ip": "192.9.2.87",
  "destinatione_zone": "Internal",
  "application_name": "firewall",
  "source_port": "50585",
  "name": "DJI-WL-FW-USG6620E-01",
  "action": "POLICYPERMIT",
  "time": "Sep 18 2021 04:10:29"
}
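To verify that the pattern really yields the fields shown above without a Logstash instance, here is an added Python example (not from the post and not Logstash code) that expands the grok pattern into a plain regex using simplified stand-ins for the stock grok definitions, then runs it over the sample line. It also shows why the leading <190> syslog PRI and the trailing NUL do not break the match, and what the application-name alternation yields when that field is empty.

```python
import re

# Simplified stand-ins for the stock Logstash grok definitions the pattern uses
# (assumption: the real ones add word boundaries and stricter ranges, same fields).
GROK = {
    "MONTH": r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)",
    "MONTHDAY": r"(?:0?[1-9]|[12][0-9]|3[01])",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "YEAR": r"\d{4}",
    "TIME": r"\d{1,2}:\d{2}:\d{2}",
    "HOSTNAME": r"[A-Za-z0-9][A-Za-z0-9_-]*(?:\.[A-Za-z0-9][A-Za-z0-9_-]*)*",
    "WORD": r"\w+",
    "INT": r"[+-]?\d+",
    "IP": r"\d{1,3}(?:\.\d{1,3}){3}",
}

# The post's grok pattern, verbatim (its destinatione_zone field name included).
PATTERN = (
    r"(?<time>%{MONTH}\s%{MONTHDAY}\s%{YEAR}\s%{TIME}) %{HOSTNAME:name} "
    r"%%01POLICY/6/%{WORD:action}\(l\):vsys=%{WORD:vsys}, protocol=%{INT:protocol}, "
    r"source-ip=%{IP:source_ip}, source-port=%{INT:source_port}, "
    r"destination-ip=%{IP:destination_ip}, destination-port=%{INT:destination_port}, "
    r"time=(?<session_time>%{YEAR}/%{MONTHNUM}/%{MONTHDAY}\s%{TIME}), "
    r"source-zone=%{WORD:source_zone}, destination-zone=%{WORD:destinatione_zone}, "
    r"(application-name=|application-name=%{WORD:application_name}), rule-name=%{WORD:rule_name}"
)

def grok_to_regex(pattern):
    """Expand %{TYPE:field} / %{TYPE} and Oniguruma (?<name>...) into Python re syntax."""
    def expand(m):
        body = GROK[m.group(1)]
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    regex = re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern)
    return re.compile(re.sub(r"\(\?<(\w+)>", r"(?P<\1>", regex))

POLICY_RE = grok_to_regex(PATTERN)

def parse_policy_log(line):
    """Return the grok fields of one USG POLICYPERMIT line, or None when it does not match."""
    # Search rather than anchor, as grok does: the <190> syslog PRI prefix and the
    # trailing NUL the firewall appends stay outside the match.
    m = POLICY_RE.search(line)
    return m.groupdict() if m else None

# The post's sample line, NUL terminator included.
SAMPLE = ("<190>Sep 18 2021 04:10:29 DJI-WL-FW-USG6620E-01 %%01POLICY/6/POLICYPERMIT(l):vsys=public, "
          "protocol=17, source-ip=192.99.19.56, source-port=50585, destination-ip=192.9.2.87, "
          "destination-port=8456, time=2021/9/18 12:10:29, source-zone=Kaifa_CT_01, "
          "destination-zone=Internal, application-name=firewall, rule-name=rule_370.\u0000")
```

A line with an empty application-name (constructed by blanking that value in SAMPLE) still matches, with application_name set to None, which is worth remembering when downstream filters expect the field to exist.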
Copyright notice: this article was written by [尊寶雷]; please include a link to the original when reposting, thank you. https://gsmany.com/2021/09/20210918142506515l.html