# logstash filter # This entire file is used to create filters in Nagios Log Server, simply copy & paste it into a new filter. # Alternatively, it can be used for debugging, when wrapped between 'filter {}' section. # netfilter logs are always from kernel facility and match the basic pattern of IN= OUT= if [program] == 'kernel' and [message] =~ /IN=.*OUT=/ { ######################################################################################################### # Universal section to extract fields from netfilter messages # Separate netfilter message from some common headers, such as SFW2-INext-ACC, or similar: grok { match => { "message" => [ "\A%{DATA:header}(?IN=.*?)( OPT \((?[0-9A-F]+)\))?\z" ] } overwrite => [ "message" ] } # Extract timestamp field, if it's present in our header, eg: [19333126.907670]: grok { match => { "header" => [ "((?\[[0-9]+\.[0-9]+\]) )?%{DATA:header}" ] } overwrite => [ "header" ] } # Extract what we'd consider an 'action' for netfilter, typically ACCEPT, DROP and so on. # They vary slightly between shorewall, SUSE Firewall, and generic recipes for netfilter. grok { match => { "header" => [ "Shorewall:%{WORD:nf_SHOREWALL_TAG}:%{WORD:nf_ACTION}:", "%{WORD:nf_ACTION}(\[%{HOSTNAME:nf_ZONE}\])? " ] } remove_field => [ "header" ] } ## Process through kv (key=value) filter and add 'nf_' prefix to each discovered field kv { prefix => "nf_" exclude_keys => [ "OUT" ] } # ######################################################################################################### ## Optional checks: extract local data ## Use logstash-filter-cidr to match network ranges. Install plugin by running: ## /usr/local/nagioslogserver/logstash/bin/plugin install logstash-filter-cidr ## check source of packets and see if they belong to mynet1 cidr { add_tag => [ "nf_SRC_mynet1" ] address => [ "%{nf_SRC}" ] network => [ "192.168.0.0/16", "10.0.0.0/8", "fe80::/64" ] } ## check source of packets and see if they belong to mynet2 cidr { add_tag => [ "nf_SRC_mynet2" ] address => [ "%{nf_SRC}" ] network => [ "172.16.0.0/12" ] } ## Perform geoip lookups on the source address. ## For this function to work, you must install logstash-filter-geoip (available in default Nagios Log Server). geoip { ## By default logstash uses geolite database from 2013, which is a bit dated. ## We can point to a different database, for example the system one, provided by: ## CentOS 6.x: yum install GeoIP GeoIP-GeoLite-data GeoIP-GeoLite-data-extra ## CentOS 7.x: yum install GeoIP GeoIP-update ## uncomment to use: # database => "/usr/share/GeoIP/GeoLiteCity.dat" # Look up address extracted from nf_SRC: source => 'nf_SRC' } # Change log type to netfilter_log, so we can easily distinguish them later and use in our dashboards: mutate { replace => [ 'type', 'netfilter_log' ] } }