Can Nagios Log Server handle Splunk formatted messages?

[prhunixadmin]

My Inputs:

Code: Select all

   udp {
        type => 'syslog-asm'
        port => 5444
    }
    tcp {
        type => 'syslog-asm'
        port => 5444

My filters:

Code: Select all

   if [type] == "syslog-asm" {
            grok {
              break_on_match => false
              match => [ "message", "\A%{SYSLOG5424PRI}%{SYSLOGTIMESTAMP} slot1\/%{HOSTNAME:logsource} %{LOGLEVEL:severity_label} %{SYSLOGPROG}: %{GREEDYDATA:info}" ]
              add_tag => "grokked_syslog_asm"
            }
            mutate {
                gsub => [
                    "severity_label", "err", "error",
                    "severity_label", "info", "informational",
                    "severity_label", "crit", "critical"
           ]
       }
    }
    if [program] == "ASM" {
                grok {
                  patterns_dir => "/usr/local/nagioslogserver/logstash/patterns"
                  match => [ "info", "%{F5SEQ:f5_sequence}: %{GREEDYDATA:info}violations: %{GREEDYDATA:f5_violations}. HTTP protocol compliance sub violations: %{GREEDYDATA:f5_http_violations}. Evasion techniques sub violations: %{GREEDYDATA:f5_evasion_violations}. Web services security sub violations: %{GREEDYDATA:f5_web_svc_violations}. Virus name: %{GREEDYDATA:f5_virusname}. Support id: %{GREEDYDATA:f5_supportid}, source ip: %{IPNA:f5_sourceip}, xff ip: %{IPNA:f5_xffip}, source port: %{NUMBER:f5_sourceport}, destination ip: %{IPNA:f5_destinationip}, destination port: %{NUMBER:f5_destinationport}, route_domain: %{NUMBER:f5_routedomain}, HTTP classifier: %{GREEDYDATA:f5_http_classifier}, scheme %{SCHEME:f5_scheme}, geographic location:%{GREEDYDATA:f5_geolocation}, request: %{GREEDYDATA:f5_request}, username:%{GREEDYDATA:f5_username}, session_id: %{GREEDYDATA:f5_sessionid}" ]
                  match => [ "info", "%{GREEDYDATA:info}" ]
                  remove_tag => "grokked_syslog_asm"
                  add_tag => "grokked_syslog_f5_asm"
                  overwrite => [ "info" ]
          }
     }
}

My output for the f5-asm messages that fail.

Code: Select all

output {
    if [type] == "syslog-f5" and "_grokparsefailure" in [tags] {
        file { path => "/var/log/failed_f5-asm_events-%{+YYYY-MM-dd}" }
    }

}

[jolson]

{"message":"default send string","@version":"1","@timestamp":"2015-08-26T14:13:17.682Z","type":"syslog-asm","host":"10.104.83.2","tags":["_grokparsefailure"]}
{"message":"default send string","@version":"1","@timestamp":"2015-08-26T14:13:19.519Z","type":"syslog-asm","host":"10.104.83.3","tags":["_grokparsefailure"]}
{"message":"default send string","@version":"1","@timestamp":"2015-08-26T14:13:22.686Z","type":"syslog-asm","host":"10.104.83.2","tags":["_grokparsefailure"]}
{"message":"default send string","@version":"1","@timestamp":"2015-08-26T14:13:24.524Z","type":"syslog-asm","host":"10.104.83.3","tags":["_grokparsefailure"]}

The question that we must ask is 'where is the grok pattern failing?'

I've set up a test cluster with your configuration, and I'm planning on giving it a run tomorrow morning. I'll let you know how it works out. Thanks!

[jolson]

Code: Select all

<130>Aug 26 10:17:18 wm-f5-rhwebprd2.us.randomhouse.com ASM:Type: Session Hijacking Date: 2015-08-26 10:17:17 Dest IP: 170.171.208.66 Dest Port: 80 Geo Location: AE Header: Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5\\r\\nReferer: http://www.randomhousebooks.com/books/534635/\\r\\nAccept-Language: en-US,en-GB;q=0.7,en;q=0.3\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko\\r\\nAccept-Encoding: gzip, deflate\\r\\nHost: www.randomhousebooks.com\\r\\nDNT: 1\\r\\nConnection: Keep-Alive\\r\\nCookie: TS01423b3a=01b1b2a32d6a8006219eee1744ef32dbc007671527beb9cf5659b6324af0dfb562360c053b; TS01423b3a_28=01b146369e20b087a61b68bf2d38bb1156d186c9421fd20e9217311fc4f1e7950bf06e3bcaf235dbb9e48d9e8e7022591e714db43c; TS01423b3a_77=2934_8f596c441223bd38_rsb_0_rs_http%3A%2F%2Fwww.randomhousebooks.com%2Fgenres%2Fscience-fiction-fantasy%2F_rs_1_rs_1; TS01423b3a=01b1b2a32d6a8006219eee1744ef32dbc007671527beb9cf5659b6324af0dfb562360c053b; TS01423b3a_28=01b146369ed68e553d0baaefb89c88b8094174a1e1992f8408dc6782ea9c7f59f6c887a932034d3687ae3df4c105f7b20b8f4233e0; utag_main=v_id:014f6a5d4a8f003dee78ab177cac010b000200a800808$_sn:1$_ss:0$_pn:4%3Bexp-session$_st:1440600431139$ses_id:1440598542991%3Bexp-session; pid=undefined; cdi=undefined; s_fid=1836773E4773CBD7-318CC3317958B434; s_cc=true; _ga=GA1.2.1952307927.1440598545; _gat=1; s_sq=%5B%5BB%5D%5D\\r\\nX-Forwarded-For: 86.97.104.82\\r\\n\\r\\n Client IP: 86.97.104.82 Plicty Name: /Common/RHWeb_Base_ASM_Policy Protocol: HTTP Query String: Reqeust: GET /wp-content/themes/wp_rhpg/static/img/icon/facebook--dark.svg HTTP/1.1\\r\\nAccept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5\\r\\nReferer: http://www.randomhousebooks.com/books/534635/\\r\\nAccept-Language: en-US,en-GB;q=0.7,en;q=0.3\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko\\r\\nAccept-Encoding: gzip, deflate\\r\\nHost: www.randomhousebooks.com\\r\\nDNT: 1\\r\\nConnection: Keep-Alive\\r\\nCookie: TS01423b3a=01b1b2a32d6a8006219eee1744ef32dbc007671527beb9cf5659b6324af0dfb562360c053b; TS01423b3a_28=01b146369e20b087a61b68bf2d38bb1156d186c9421fd20e9217311fc4f1e7950bf06e3bcaf235dbb9e48d9e8e7022591e714db43c; TS01423b3a_77=2934_8f596c441223bd38_rsb_0_rs_http%3A%2F%2Fwww.randomhousebooks.com%2Fgenres%2Fscience-fiction-fantasy%2F_rs_1_rs_1; TS01423b3a=01b1b2a32d6a8006219eee1744ef32dbc007671527beb9cf5659b6324af0dfb562360c053b; TS01423b3a_28=01b146369ed68e553d0baaefb89c88b8094174a1e1992f8408dc6782ea9c7f59f6c887a932034d3687ae3df4c105f7b20b8f4233e0; utag_main=v_id:014f6a5d4a8f003dee78ab177cac010b000200a800808$_sn:1$_ss:0$_pn:4%3Bexp-session$_st:1440600431139$ses_id:1440598542991%3Bexp-session; pid=undefined; cdi=undefined; s_fid=1836773E4773CBD7-318CC3317958B434; s_cc=true; _ga=GA1.2.1952307927.1440598545; _gat=1; s_sq=%5B%5BB%5D%5D\\r\\nX-Forwarded-For: 86.97.104.82\\r\\n\\r\\n Request Status: alerted Response: Connection Reset Response Code: 0 Severity: Critical Support ID: 1352865552536458708 URI: /wp-content/themes/wp_rhpg/static/img/icon/facebook--dark.svg Violaction: ASM Cookie Hijacking Violation Detail:

I could not get the above log to match the initial filter that you have presented:

Code: Select all

match => [ "message", "\A%{SYSLOG5424PRI}%{SYSLOGTIMESTAMP} slot1\/%{HOSTNAME:logsource} %{LOGLEVEL:severity_label} %{SYSLOGPROG}: %{GREEDYDATA:info}" ]

A very good tool for figuring this kind of thing out is the grok debugger: https://grokdebug.herokuapp.com/

Have you played around with the grok debugger at all? The above log looks substantially different than the filter that you're trying to run it through - the filter would need to be reworked quite a lot to handle the type of log mentioned above.

Am I missing something? Perhaps the actual format of the log is different? One way to approach this would be to grab the 'message' field from a log that is having parse failures and reporting it here.

I am under the impression that some of your f5 filters are working appropriately per Willems suggestions - is that impression correct?

I'm trying to understand where we're at here and how exactly we need to move forward. Is the log I posted at the beginning of this post a log that we need to develop a custom filter for?

[prhunixadmin]

I'm working with the F5 administrator. The data im receiving is raw data. I believe there is a way to configure the F5 to send High Speed Logging as a remote syslog format. I'll probably get that done on monday. Keeep your fingers crossed.

Thanks,

Greg

[hsmith]

I'm working with the F5 administrator. The data im receiving is raw data. I believe there is a way to configure the F5 to send High Speed Logging as a remote syslog format. I'll probably get that done on monday. Keeep your fingers crossed.

Thanks,

Greg

Let us know what happens.

Thanks!

[jolson]

This issue has been resolved via the following thread: https://support.nagios.com/forum/viewto ... 38&t=34459

I'll be closing this topic as requested.