05-syslog-parse_barracuda.conf
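# Filter for Barracuda Web Filter/Web Security Gateway
# This filter file does the initial parsing of the log: it tags the event,
# splits the syslog envelope out of [message] and normalises the timestamp.
# See my github page here for more information: https://github.com/shthead/barracuda-WF-logstash
###### IMPORTANT ######
# Before using this filter, please ensure that you correct the host IP below.
filter {
  # Set this to the IP of your Barracuda filter.
  # This is set to only process the logs from the Barracuda filter and nothing else.
  # [host] is whatever the input recorded as the sender address; this condition
  # scopes the pipeline to that source, it is not an authentication of the log.
  # NOTE(review): on newer Logstash versions with ECS compatibility [host] may be
  # an object rather than a string — confirm against your input configuration.
  if [host] == "192.168.90.233" {
    # Set the type field to "barracuda" - makes filtering easy.
    mutate { replace => [ "type", "barracuda" ] }

    # Match web interface audit logs, e.g. "<PRI>web: [a.b.c.d] ..."
    # (the bracketed address is consumed by the pattern but not captured).
    if [message] =~ "^<\d+>web" {
      grok {
        match => { "message" => "^<\d+>(?<syslog_program>\w+): \[\d+\.\d+\.\d+\.\d+\] %{GREEDYDATA:syslog_message}" }
      }
    }

    # Match access logs (http_scan / barracuda_pqman).
    # received_at is only added when the pattern matched; on a miss the event
    # gets the _grokparsefailure tag instead and no syslog_* fields.
    if [message] =~ "^<\d+>(http_scan|barracuda_pqman)" {
      grok {
        match => { "message" => "^<\d+>(?<syslog_program>\w+)\[(?<syslog_pid>\d+)\]: (?<syslog_timestamp>\d+) %{GREEDYDATA:syslog_message}" }
        add_field => [ "received_at", "%{@timestamp}" ]
      }
      # Fix up date: syslog_timestamp is an epoch-seconds value.
      # The temp field is removed here rather than in a separate mutate so it is
      # dropped only when the parse succeeded; on _dateparsefailure the raw
      # value stays on the event for troubleshooting.
      date {
        match => [ "syslog_timestamp", "UNIX" ]
        remove_field => [ "syslog_timestamp" ]
      }
    }

    # Remove unused message fields: once the envelope has been split off,
    # replace [message] with the payload. Only done when a grok above
    # succeeded (syslog_program present and no _grokparsefailure tag).
    if [syslog_program] =~ "^\w+" {
      if "_grokparsefailure" not in [tags] {
        mutate {
          replace => [ "message", "%{syslog_message}" ]
          remove_field => [ "syslog_message" ]
        }
      }
    }

    # Optional - Do a reverse DNS lookup for the Barracuda's IP. You do not need this.
    # This rewrites [host] in place, so any later filter that compares [host]
    # against the IP above will no longer match once this runs; it also costs a
    # lookup per event unless your dns plugin version caches results.
    dns {
      reverse => [ "host" ]
      action => "replace"
    }
  }
}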