fortigate ELK


#
# Configure syslog filtering
# for the Fortigate firewall logs
#
filter {
mutate {
add_tag => ["fortigate"]
add_field => [ "zabbix_host", "fw.hq.aoe.lan" ]
}
grok {
match => ["message", "%{SYSLOG5424PRI:syslog_index}%{GREEDYDATA:message}"]
overwrite => [ "message" ]
tag_on_failure => [ "failure_grok_fortigate" ]
}

kv { }

if [msg] {
mutate {
replace => [ "message", "%{msg}" ]
}
}

mutate {
add_field => ["logTimestamp", "%{date} %{time}"]
add_field => ["loglevel", "%{level}"]
replace => [ "fortigate_type", "%{type}"]
replace => [ "fortigate_subtype", "%{subtype}"]
remove_field => [ "msg", "type", "level", "date", "time" ]
}
date {
locale => "en"
match => ["logTimestamp", "YYYY-MM-dd HH:mm:ss"]
remove_field => ["logTimestamp", "year", "month", "day", "time", "date"]
add_field => ["type", "syslog"]
}
}

https://gist.github.com/tolleiv/bf96d3971b661e265868

Залишити відповідь

Ваша e-mail адреса не оприлюднюватиметься. Обов’язкові поля позначені *