Permalink
Switch branches/tags
Nothing to show
Find file Copy path
ab761e2 May 2, 2016
1 contributor

Users who have contributed to this file

61 lines (48 sloc) 1.71 KB
# Filter for Barracuda Web Filter/Web Security Gateway
# This filter file will do the initial parsing of the log
# See my github page here for more information: https://github.com/shthead/barracuda-WF-logstash
###### IMPORTANT ######
# Before using this filter, please ensure that you correct the host IP below.
filter {
# Set this to the IP of your Barracuda filter.
# This is set to only process the logs from the Barracuda filter and nothing else.
if [host] == "192.168.90.233" {
# Set the type field to "barracuda" - makes filtering easy.
mutate { replace => [ "type", "barracuda" ] }
# Match web interface audit logs
if [message] =~ "^<\d+>web" {
grok {
match => { "message" => "^<\d+>(?<syslog_program>\w+): \[\d+\.\d+\.\d+\.\d+\] %{GREEDYDATA:syslog_message}" }
}
}
# Match access logs
if [message] =~ "^<\d+>(http_scan|barracuda_pqman)" {
grok {
match => { "message" => "^<\d+>(?<syslog_program>\w+)\[(?<syslog_pid>\d+)\]: (?<syslog_timestamp>\d+) %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
}
# Fix up date
date {
match => [ "syslog_timestamp", "UNIX" ]
}
# Remove temp date field
mutate {
remove_field => [ "syslog_timestamp" ]
}
}
# Remove unused message fields
if [syslog_program] =~ "^\w+"{
if "_grokparsefailure" not in [tags] {
mutate {
replace => [ "message", "%{syslog_message}" ]
remove_field => [ "syslog_message" ]
}
}
}
# Optional - Do a reverse DNS lookup for the Barracuda's IP. You do not need this.
dns {
reverse => [ "host" ]
action => "replace"
}
}
}