Grok source IP from SonicWall log to GeoIP

Posted: Tue Jul 23, 2019 3:18 am
by Koja
Hello,

I've recently started using NLS and I have added a SonicWall firewall as an input:

syslog {
    type => 'syslog-sonicwall'
    port => 5544
}
The logs are coming through nicely, and I'm trying to parse the incoming messages. Specifically, I'm interested in the source IP when a connection gets blocked. I already found a filter for Logstash and I modified it slightly:

if [host] == '192.168.1.10' {
    kv {
        exclude_keys => [ 'c', 'id', 'm', 'n', 'pri' ]
    }
    grok {
        match => [ 'src', '%{IP:srcip}:%{DATA:srcinfo}' ]
    }
    grok {
        match => [ 'dst', '%{IP:dstip}:%{DATA:dstinfo}' ]
    }
    grok {
        remove_field => [ 'srcinfo', 'dstinfo' ]
    }
    geoip {
        source => 'srcip'
    }
}
However, I'm not getting anything from the geoip filter, and when I examine a single log I can see these tags: _grokparsefailure_sysloginput, _geoip_lookup_failure

For additional information, this is what the incoming log messages look like when some connection is blocked:


Also, grok is not removing any of the things I've configured in the filter shown above.

Thanks for any help on this matter!

Re: Grok source IP from SonicWall log to GeoIP

Posted: Tue Jul 23, 2019 2:02 pm
by cdienger
_grokparsefailure_sysloginput means the data isn't coming in using the expected syslog format. Try adding a new input just for sonicwall logs and have the sonicwall send to this port instead of 5544:

tcp {
    type => 'sonicwall'
    tags => 'sonicwall'
    port => 2099
}
_geoip_lookup_failure is due to the srcip field not being populated. This may be due to the logic at the top of the filter to only apply it to 192.168.1.10. Try removing this part of the filter and change it to something like:

if [type] == 'sonicwall' {
    kv {
        exclude_keys => [ 'c', 'id', 'm', 'n', 'pri' ]
    }
    grok {
        match => [ 'src', '%{IP:srcip}:%{DATA:srcinfo}' ]
    }
    grok {
        match => [ 'dst', '%{IP:dstip}:%{DATA:dstinfo}' ]
    }
    # remove_field on a grok only runs when one of its match patterns succeeds;
    # a grok with no match never succeeds, so do the removal with mutate.
    mutate {
        remove_field => [ 'srcinfo', 'dstinfo' ]
    }
    geoip {
        source => 'srcip'
    }
}
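
The kv, grok and geoip chain cdienger describes, emulated offline in Python as an added example (not code from the thread or from Nagios Log Server). The SonicWall syslog lines, the sn= placeholder and the GeoIP table are constructed, and the address splitter also accepts a bare IP, which the thread's grok pattern would not.

```python
# Added example, not code from the thread or from Nagios Log Server: an offline
# emulation of the kv -> grok -> geoip chain. Syslog lines, serial number and
# GEOIP_TABLE are constructed stand-ins.
import ipaddress
import re
import shlex

EXCLUDE_KEYS = {"c", "id", "m", "n", "pri"}  # same keys as the kv exclude_keys

# grok '%{IP:x}:%{DATA:y}' on a SonicWall src/dst value, which is
# "ip:port:interface"; the port is empty for ICMP, e.g. "10.0.0.5::X0".
ADDR_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<info>.*)$")

# Addresses a GeoIP database has no record for (lookup -> _geoip_lookup_failure).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed lookup table; a real deployment uses MaxMind data.
GEOIP_TABLE = {ipaddress.ip_network("203.0.113.0/24"): "XX (constructed)"}

# Constructed samples: an inbound drop (routable src) and an outbound drop (RFC1918 src).
SAMPLE_INBOUND = ('<134>id=firewall sn=SERIAL-PLACEHOLDER time="2019-07-23 10:02:15" '
                  'fw=198.51.100.7 pri=1 c=32 m=36 msg="TCP connection dropped" n=4821 '
                  'src=203.0.113.45:51234:X1 dst=198.51.100.7:3389:X1 proto=tcp/3389')
SAMPLE_OUTBOUND = ('<134>id=firewall sn=SERIAL-PLACEHOLDER time="2019-07-23 10:05:40" '
                   'fw=198.51.100.7 pri=1 c=32 m=36 msg="Connection dropped" n=4822 '
                   'src=192.168.1.50:49211:X0 dst=203.0.113.9:445:X1 proto=tcp/445')


def kv_parse(message, exclude=EXCLUDE_KEYS):
    """kv filter: drop the <PRI> header, split on whitespace honouring quotes, then on '='."""
    body = re.sub(r"^<\d+>\s*", "", message)
    fields = {}
    for token in shlex.split(body):
        if "=" not in token:
            continue
        key, value = token.split("=", 1)
        if key not in exclude:
            fields[key] = value
    return fields


def split_address(value):
    """(ip, info) for 'ip:port:iface' or a bare IP (beyond the thread's grok); None = grok failure."""
    m = ADDR_RE.match(value)
    if m:
        return m.group("ip"), m.group("info")
    try:
        return str(ipaddress.IPv4Address(value)), ""
    except ValueError:
        return None


def geoip_lookup(ip):
    """geoip filter: None for private/local addresses and for unknown networks."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in NON_ROUTABLE):
        return None
    return next((c for net, c in GEOIP_TABLE.items() if addr in net), None)


def process(message):
    """Run the chain on one raw syslog line and return the enriched event."""
    event = kv_parse(message)
    tags = []
    for field in ("src", "dst"):
        parsed = split_address(event.get(field, ""))
        if parsed is None:
            tags.append("_grokparsefailure")
            continue
        event[field + "ip"], event[field + "info"] = parsed
    # Unconditional removal (what a mutate filter does); a grok with no match
    # pattern never matches, so its remove_field never runs.
    for field in ("srcinfo", "dstinfo"):
        event.pop(field, None)
    if "srcip" in event:
        country = geoip_lookup(event["srcip"])
        if country is None:
            tags.append("_geoip_lookup_failure")  # expected for outbound drops
        else:
            event["geoip_country"] = country
    event["tags"] = tags
    return event
```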

Re: Grok source IP from SonicWall log to GeoIP

Posted: Wed Jul 24, 2019 2:48 am
by Koja
Hello,

I did the configuration changes as requested (copied and pasted the code snippets) and applied the new configuration on NLS. But for some reason the SonicWall device stopped sending any log data.

Before I changed the configuration I made sure that NLS had port 2099 open on both TCP and UDP:

Image

Also, in the SonicWall's Syslog-settings I set the port you requested:

Image

Re: Grok source IP from SonicWall log to GeoIP

Posted: Wed Jul 24, 2019 11:31 am
by cdienger
Do you see data coming in on port 2099 when you run this on the command line of the NLS machine?

yum -y install tcpdump
tcpdump -s 0 -i any -nnXX port 2099

I'd also like to get a copy of the current configuration to verify it. This can be gathered by going to Configure > Global Config, clicking View, and then selecting All Files Combined.

Re: Grok source IP from SonicWall log to GeoIP

Posted: Thu Jul 25, 2019 12:41 am
by Koja
Hello,

It seems that the SonicWall sends syslog data via UDP instead of TCP. I started getting data after changing from this:

tcp {
    type => 'sonicwall'
    tags => 'sonicwall'
    port => 2099
}
To this:

udp {
    type => 'sonicwall'
    tags => 'sonicwall'
    port => 2099
}
And yes, I was seeing data coming to NLS' port 2099 when using tcpdump. Then I changed the input type to UDP and I actually started seeing the data in my dashboard.

However, I can still see the following in the "tags" field when examining the log messages: _grokparsefailure_sysloginput

Here is my global configuration file, like you asked:

# 
# Logstash Configuration File
# Dynamically created by Nagios Log Server
#
# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.
#
# Created Thu, 25 Jul 2019 08:33:53 +0300
#

#
# Global inputs
#

input {
    syslog {
        type => 'syslog'
        port => 5544
    }
    tcp {
        type => 'eventlog'
        port => 3515
        codec => json
    }
    tcp {
        type => 'import_raw'
        tags => 'import_raw'
        port => 2056
    }
    tcp {
        type => 'import_json'
        tags => 'import_json'
        port => 2057
        codec => json
    }
    syslog {
        type => 'syslog-esxi'
        port => 514
    }
    udp {
        type => 'sonicwall'
        tags => 'sonicwall'
        port => 2099
    }
}

#
# Local inputs
#



#
# Global filters
#

filter {
    if [program] == 'apache_access' {
        grok {
            match => [ 'message', '%{COMBINEDAPACHELOG}']
        }
        date {
            match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z', 'MMM dd HH:mm:ss', 'ISO8601' ]
        }
        mutate {
            replace => [ 'type', 'apache_access' ]
             convert => [ 'bytes', 'integer' ]
             convert => [ 'response', 'integer' ]
        }
    }
     
    if [program] == 'apache_error' {
        grok {
            match => [ 'message', '\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\] \[%{WORD:class}\] \[%{WORD:originator} %{IP:clientip}\] %{GREEDYDATA:errmsg}']
        }
        mutate {
            replace => [ 'type', 'apache_error' ]
        }
    }
    if [type] == '10.88.255.26' or [host] == '10.88.255.27' or [host] == '10.88.255.28' {    
        mutate {
            replace => { 'type' => 'syslog-esxi' }    
        }
    }
    if [type] == 'sonicwall' {
        kv {
            exclude_keys => [ 'c', 'id', 'm', 'n', 'pri' ]
        }
        grok {
            match => [ 'src', '%{IP:srcip}:%{DATA:srcinfo}' ]
        }
        grok {
            match => [ 'dst', '%{IP:dstip}:%{DATA:dstinfo}' ]
        }
        grok {
            remove_field => [ 'srcinfo', 'dstinfo' ]
        }
        geoip {
            source => 'srcip'
        }
    }
    if [program] == 'nagios_core' {
    	grok {
    		match => [ 'message', '\[%{NUMBER:epoch_timestamp}\] %{GREEDYDATA:message}' ]
    		overwrite => [ 'message' ]
    	}
    	if [message] =~ /^Warning:|Error:/ {
    		grok {
    			match => [ 'message', '%{DATA:nagios_severity_label}: %{GREEDYDATA}' ]
    		}
    	}
    	if [message] =~ /check\sof\shost|check\sfor\shost|host\scheckresult\sfor|Passive\scheck\sresult\swas\sreceived\sfor\shost/ {
    		grok {
    			match => [ 'message', '%{DATA} \'%{DATA:nagios_host}\'%{GREEDYDATA}' ]
    		}
    	}
    	if [message] =~ /service.*on\shost|Service\s\'/ {
    		grok {
    			match => [ 'message', '%{DATA} \'%{DATA:nagios_service}\' %{DATA} \'%{DATA:nagios_host}\'' ]
    		}
    	}
    	if [message] =~ /wproc:/ {
    		if [message] =~ /host=.*;\sservice=/ {
    			grok {
    				match => [ 'message', '%{DATA}host=%{DATA:nagios_host}; service=%{DATA:nagios_service};' ]
    			}
    		}
    		if [message] =~ /job.*return\scode/ {
    			grok {
    				match => [ 'message', '%{DATA}: %{DATA:nagios_job} job%{DATA} return code %{NUMBER:nagios_return_code}' ]
    			}
    		}
    	}
    	if [message] =~ /Return\scode\sof/ {
    		grok {
    			match => [ 'message', '%{DATA} %{NUMBER:nagios_return_code} %{GREEDYDATA}' ]
    		}
    	}
    	if [message] =~ /Host\s\'|results\sof\shost\s'/ {
    		grok {
    			match => [ 'message', '%{DATA} \'%{DATA:nagios_host}\' %{GREEDYDATA}' ]
    		}
    	}
    	if [message] =~ /^HOST\sALERT:/ {
    		grok {
    			match => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_host};%{DATA:nagios_host_status};%{DATA:nagios_host_state};%{NUMBER:nagios_host_attempt};%{GREEDYDATA:nagios_host_output}' ]
    		}
    	}
    	if [message] =~ /^SERVICE\sALERT:/ {
    		grok {
    			match => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_service_status};%{DATA:nagios_service_state};%{NUMBER:nagios_service_attempt};%{GREEDYDATA:nagios_service_output}' ]
    		}
    	}
    	if [message] =~ /^CURRENT\sHOST\sSTATE:/ {
    		grok {
    			match => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_host};%{DATA:nagios_host_status};%{DATA:nagios_host_state};%{NUMBER:nagios_host_attempt};%{GREEDYDATA:nagios_host_output}' ]
    		}
    	}
    	if [message] =~ /^CURRENT\sSERVICE\sSTATE:/ {
    		grok {
    			match => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_service_status};%{DATA:nagios_service_state};%{NUMBER:nagios_service_attempt};%{GREEDYDATA:nagios_service_output}' ]
    		}
    	}
    	if [message] =~ /^HOST\sNOTIFICATION:/ {
    		grok {
    			match => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_contact};%{DATA:nagios_host};%{DATA:nagios_host_status};%{DATA:nagios_command};%{GREEDYDATA:nagios_host_output}' ]
    		}
    	}
    	if [message] =~ /^SERVICE\sNOTIFICATION:/ {
    		grok {
    			match => [ 'message', '%{DATA:nagios_severity_label}: %{DATA:nagios_contact};%{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_service_status};%{DATA:nagios_command};%{GREEDYDATA:nagios_service_output}' ]
    		}
    	}
    	if [message] =~ /DOWNTIME\sALERT:/ {
    		if [message] =~ /^HOST\sDOWNTIME/ {
    			grok {
    				match => [ 'message', '%{DATA:nagios_alert}: %{DATA:nagios_host};%{DATA:nagios_downtime_state};' ]
    			}
    		}
    		if [message] =~ /^SERVICE\sDOWNTIME/ {
    			grok {
    				match => [ 'message', '%{DATA:nagios_alert}: %{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_downtime_state};' ]
    			}
    		}
    	}
    	if [message] =~ /FLAPPING\sALERT:/ {
    		if [message] =~ /^HOST\sFLAPPING/ {
    			grok {
    				match => [ 'message', '%{DATA:nagios_alert}: %{DATA:nagios_host};%{DATA:nagios_flapping_state};' ]
    			}
    		}
    		if [message] =~ /^SERVICE\sFLAPPING/ {
    			grok {
    				match => [ 'message', '%{DATA:nagios_alert}: %{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_flapping_state};' ]
    			}
    		}
    		grok {
    			match => [ 'message', '%{DATA}\(%{NUMBER:nagios_flapping_value}%{DATA}%{NUMBER:nagios_flapping_threshold}' ]
    		}
    	}
    	if [message] =~ /HOST\sEVENT\sHANDLER:/ {
    		grok {
    			match => [ 'message', '%{DATA}: %{DATA:nagios_host};%{DATA:nagios_host_status};%{DATA:nagios_host_state};%{NUMBER:nagios_host_attempt};%{GREEDYDATA:nagios_command}' ]
    		}
    	}
    	if [message] =~ /SERVICE\sEVENT\sHANDLER:/ {
    		grok {
    			match => [ 'message', '%{DATA}: %{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_service_status};%{DATA:nagios_service_state};%{NUMBER:nagios_service_attempt};%{GREEDYDATA:nagios_command}' ]
    		}
    	}
    	if [message] =~ /contact\s\'|Contact\s\'/ {
    		grok {
    			match => [ 'message', '%{DATA} \'%{DATA:nagios_contact}\'' ]
    		}
    	}
    	if [message] =~ /^EXTERNAL\sCOMMAND:/ {
    		grok {
    			match => [ 'message', '%{DATA}: %{DATA:nagios_external_command};%{GREEDYDATA}' ]
    		}
    		if [message] =~ /DEL_ALL_HOST_COMMENTS|ABLE_ALL_NOTIFICATIONS_BEYOND_HOST|ABLE_HOST_AND_CHILD_NOTIFICATION|ABLE_HOST_CHECK|ABLE_HOST_EVENT_HANDLER|ABLE_HOST_FLAP_DETECTION|ABLE_HOST_SVC_CHECKS|ABLE_HOST_SVC_NOTIFICATIONS|ABLE_PASSIVE_HOST_CHECKS|REMOVE_HOST_ACKNOWLEDGEMENT|_OBSESSING_OVER_HOST/ {
    			grok {
    				match => [ 'message', '%{DATA};%{GREEDYDATA:nagios_host}' ]
    			}
    		}
    		if [message] =~ /DEL_ALL_SVC_COMMENTS|ABLE_PASSIVE_SVC_CHECKS|ABLE_SVC_CHECK|ABLE_SVC_EVENT_HANDLER|ABLE_SVC_FLAP_DETECTION|ABLE_SVC_NOTIFICATIONS|REMOVE_SVC_ACKNOWLEDGEMENT|_OBSESSING_OVER_SVC/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_service}' ]
    			}
    		}
    		if [message] =~ /SCHEDULE_FORCED_HOST_CHECK|SCHEDULE_FORCED_HOST_SVC_CHECKS|SCHEDULE_HOST_CHECK|SCHEDULE_HOST_SVC_CHECKS/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_epoch_check_time}' ]
    			}
    			date {
    				match => ['nagios_epoch_check_time', 'UNIX' ]
    				target => 'nagios_check_time'
    				remove_field => [ 'nagios_epoch_check_time' ]
    			}
    		}
    		if [message] =~ /SCHEDULE_FORCED_SVC_CHECK|SCHEDULE_SVC_CHECK/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{GREEDYDATA:nagios_epoch_check_time}' ]
    			}
    			date {
    				match => ['nagios_epoch_check_time', 'UNIX' ]
    				target => 'nagios_check_time'
    				remove_field => [ 'nagios_epoch_check_time' ]
    			}
    		}
    		if [message] =~ /SCHEDULE_AND_PROPAGATE_HOST_DOWNTIME|SCHEDULE_AND_PROPAGATE_TRIGGERED_HOST_DOWNTIME|SCHEDULE_HOST_DOWNTIME|SCHEDULE_HOST_SVC_DOWNTIME/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_epoch_start_time};%{NUMBER:nagios_epoch_end_time};%{INT:nagios_downtime_fixed};%{NUMBER:nagios_downtime_trigger_id};%{NUMBER:nagios_downtime_duration};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    			date {
    				match => ['nagios_epoch_start_time', 'UNIX' ]
    				target => 'nagios_downtime_start'
    				remove_field => [ 'nagios_epoch_start_time' ]
    			}
    			date {
    				match => ['nagios_epoch_end_time', 'UNIX' ]
    				target => 'nagios_downtime_end'
    				remove_field => [ 'nagios_epoch_end_time' ]
    			}
    		}
    		if [message] =~ /SCHEDULE_SVC_DOWNTIME/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_epoch_start_time};%{NUMBER:nagios_epoch_end_time};%{INT:nagios_downtime_fixed};%{NUMBER:nagios_downtime_trigger_id};%{NUMBER:nagios_downtime_duration};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    			date {
    				match => ['nagios_epoch_start_time', 'UNIX' ]
    				target => 'nagios_downtime_start'
    				remove_field => [ 'nagios_epoch_start_time' ]
    			}
    			date {
    				match => ['nagios_epoch_end_time', 'UNIX' ]
    				target => 'nagios_downtime_end'
    				remove_field => [ 'nagios_epoch_end_time' ]
    			}
    		}
    		if [message] =~ /SCHEDULE_HOSTGROUP_HOST_DOWNTIME|SCHEDULE_HOSTGROUP_SVC_DOWNTIME/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_hostgroup};%{NUMBER:nagios_epoch_start_time};%{NUMBER:nagios_epoch_end_time};%{INT:nagios_downtime_fixed};%{NUMBER:nagios_downtime_trigger_id};%{NUMBER:nagios_downtime_duration};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    			date {
    				match => ['nagios_epoch_start_time', 'UNIX' ]
    				target => 'nagios_downtime_start'
    				remove_field => [ 'nagios_epoch_start_time' ]
    			}
    			date {
    				match => ['nagios_epoch_end_time', 'UNIX' ]
    				target => 'nagios_downtime_end'
    				remove_field => [ 'nagios_epoch_end_time' ]
    			}
    		}
    		if [message] =~ /SCHEDULE_SERVICEGROUP_HOST_DOWNTIME|SCHEDULE_SERVICEGROUP_SVC_DOWNTIME/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_servicegroup};%{NUMBER:nagios_epoch_start_time};%{NUMBER:nagios_epoch_end_time};%{INT:nagios_downtime_fixed};%{NUMBER:nagios_downtime_trigger_id};%{NUMBER:nagios_downtime_duration};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    			date {
    				match => ['nagios_epoch_start_time', 'UNIX' ]
    				target => 'nagios_downtime_start'
    				remove_field => [ 'nagios_epoch_start_time' ]
    			}
    			date {
    				match => ['nagios_epoch_end_time', 'UNIX' ]
    				target => 'nagios_downtime_end'
    				remove_field => [ 'nagios_epoch_end_time' ]
    			}
    		}
    		if [message] =~ /SEND_CUSTOM_HOST_NOTIFICATION/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{INT:nagios_notification_options};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    		}
    		if [message] =~ /SEND_CUSTOM_SVC_NOTIFICATION/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{INT:nagios_notification_options};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    		}
    		if [message] =~ /ADD_HOST_COMMENT/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{INT:nagios_persistent};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    		}
    		if [message] =~ /ADD_SVC_COMMENT/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{INT:nagios_persistent};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    		}
    		if [message] =~ /ACKNOWLEDGE_HOST_PROBLEM/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{INT:nagios_sticky};%{INT:nagios_notify};%{INT:nagios_persistent};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    		}
    		if [message] =~ /ACKNOWLEDGE_SVC_PROBLEM/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{INT:nagios_sticky};%{INT:nagios_notify};%{INT:nagios_persistent};%{DATA:nagios_author};%{GREEDYDATA:nagios_comment}' ]
    			}
    		}
    		if [message] =~ /DEL_HOST_COMMENT|DEL_SVC_COMMENT/ {
    			grok {
    				match => [ 'message', '%{DATA};%{NUMBER:nagios_comment_id}' ]
    			}
    		}
    		if [message] =~ /DEL_HOST_DOWNTIME|DEL_SVC_DOWNTIME/ {
    			grok {
    				match => [ 'message', '%{DATA};%{NUMBER:nagios_downtime_id}' ]
    			}
    		}
    		if [message] =~ /DELAY_HOST_NOTIFICATION/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_epoch_notification_time}' ]
    			}
    			date {
    				match => ['nagios_epoch_notification_time', 'UNIX' ]
    				target => 'nagios_notification_time'
    				remove_field => [ 'nagios_epoch_notification_time' ]
    			}
    		}
    		if [message] =~ /DELAY_SVC_NOTIFICATION/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_epoch_notification_time}' ]
    			}
    			date {
    				match => ['nagios_epoch_notification_time', 'UNIX' ]
    				target => 'nagios_notification_time'
    				remove_field => [ 'nagios_epoch_notification_time' ]
    			}
    		}
    		if [message] =~ /ABLE_CONTACTGROUP_HOST_NOTIFICATIONS|ABLE_CONTACTGROUP_SVC_NOTIFICATIONS/ {
    			grok {
    				match => [ 'message', '%{DATA};%{GREEDYDATA:nagios_contactgroup}' ]
    			}			
    		}
    		if [message] =~ /ABLE_CONTACT_HOST_NOTIFICATIONS|ABLE_CONTACT_SVC_NOTIFICATIONS/ {
    			grok {
    				match => [ 'message', '%{DATA};%{GREEDYDATA:nagios_contact}' ]
    			}
    		}
    		if [message] =~ /ABLE_HOSTGROUP_HOST_CHECKS|ABLE_HOSTGROUP_HOST_NOTIFICATIONS|ABLE_HOSTGROUP_PASSIVE_HOST_CHECKS|ABLE_HOSTGROUP_PASSIVE_SVC_CHECKS|ABLE_HOSTGROUP_SVC_CHECKS|ABLE_HOSTGROUP_SVC_NOTIFICATIONS/ {
    			grok {
    				match => [ 'message', '%{DATA};%{GREEDYDATA:nagios_hostgroup}' ]
    			}			
    		}
    		if [message] =~ /ABLE_SERVICEGROUP_HOST_CHECKS|ABLE_SERVICEGROUP_HOST_NOTIFICATIONS|ABLE_SERVICEGROUP_PASSIVE_HOST_CHECKS|ABLE_SERVICEGROUP_PASSIVE_SVC_CHECKS|ABLE_SERVICEGROUP_SVC_CHECKS|ABLE_SERVICEGROUP_SVC_NOTIFICATIONS/ {
    			grok {
    				match => [ 'message', '%{DATA};%{GREEDYDATA:nagios_servicegroup}' ]
    			}			
    		}
    		if [message] =~ /PROCESS_FILE/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_process_file};%{GREEDYDATA:nagios_process_file_delete}' ]
    			}
    		}
    		if [message] =~ /PROCESS_HOST_CHECK_RESULT/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{INT:nagios_host_status_code};%{GREEDYDATA:nagios_host_output}' ]
    			}
    		}
    		if [message] =~ /PROCESS_SERVICE_CHECK_RESULT/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{INT:nagios_service_status_code};%{GREEDYDATA:nagios_service_output}' ]
    			}
    		}
    		if [message] =~ /SET_HOST_NOTIFICATION_NUMBER/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_notification_number}' ]
    			}
    		}
    		if [message] =~ /SET_SVC_NOTIFICATION_NUMBER/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_notification_number}' ]
    			}
    		}
    		if [message] =~ /CHANGE_CONTACT_HOST_NOTIFICATION_TIMEPERIOD|CHANGE_CONTACT_SVC_NOTIFICATION_TIMEPERIOD/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_contact};%{GREEDYDATA:nagios_timeperiod}' ]
    			}
    		}
    		if [message] =~ /CHANGE_CONTACT_MOD/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_contact};%{GREEDYDATA:nagios_attribute_value}' ]
    			}
    		}
    		if [message] =~ /CHANGE_CUSTOM_CONTACT_VAR/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_contact};%{DATA:nagios_variable_name};%{GREEDYDATA:nagios_variable_value}' ]
    			}
    		}
    		if [message] =~ /CHANGE_CUSTOM_HOST_VAR/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_variable_name};%{GREEDYDATA:nagios_variable_value}' ]
    			}
    		}
    		if [message] =~ /CHANGE_CUSTOM_SVC_VAR/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{DATA:nagios_variable_name};%{GREEDYDATA:nagios_variable_value}' ]
    			}
    		}
    		if [message] =~ /CHANGE_GLOBAL_HOST_EVENT_HANDLER|CHANGE_GLOBAL_SVC_EVENT_HANDLER/ {
    			grok {
    				match => [ 'message', '%{DATA};%{GREEDYDATA:nagios_command}' ]
    			}
    		}
    		if [message] =~ /CHANGE_HOST_CHECK_COMMAND|CHANGE_HOST_EVENT_HANDLER/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_command}' ]
    			}
    		}
    		if [message] =~ /CHANGE_SVC_CHECK_COMMAND|CHANGE_SVC_EVENT_HANDLER/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{GREEDYDATA:nagios_command}' ]
    			}
    		}
    		if [message] =~ /CHANGE_HOST_CHECK_TIMEPERIOD|CHANGE_HOST_NOTIFICATION_TIMEPERIOD/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_timeperiod}' ]
    			}
    		}
    		if [message] =~ /CHANGE_SVC_CHECK_TIMEPERIOD|CHANGE_SVC_NOTIFICATION_TIMEPERIOD/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{GREEDYDATA:nagios_timeperiod}' ]
    			}
    		}
    		if [message] =~ /CHANGE_HOST_MODATTR/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{GREEDYDATA:nagios_attribute_value}' ]
    			}
    		}
    		if [message] =~ /CHANGE_SVC_MODATTR/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{GREEDYDATA:nagios_attribute_value}' ]
    			}
    		}
    		if [message] =~ /CHANGE_MAX_HOST_CHECK_ATTEMPTS/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_max_check_attempts}' ]
    			}
    		}
    		if [message] =~ /CHANGE_MAX_SVC_CHECK_ATTEMPTS/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_max_check_attempts}' ]
    			}
    		}
    		if [message] =~ /CHANGE_NORMAL_HOST_CHECK_INTERVAL/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_check_interval}' ]
    			}
    		}
    		if [message] =~ /CHANGE_NORMAL_SVC_CHECK_INTERVAL/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_check_interval}' ]
    			}
    		}
    		if [message] =~ /CHANGE_RETRY_HOST_CHECK_INTERVAL/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{NUMBER:nagios_retry_interval}' ]
    			}
    		}
    		if [message] =~ /CHANGE_RETRY_SVC_CHECK_INTERVAL/ {
    			grok {
    				match => [ 'message', '%{DATA};%{DATA:nagios_host};%{DATA:nagios_service};%{NUMBER:nagios_retry_interval}' ]
    			}
    		}
    	}
    	if [message] =~ /External\scommand\sfailed/ {
    		grok {
    			match => [ 'message', '%{DATA}-> %{DATA:nagios_external_command};' ]
    		}
    	}
    	if [message] =~ /Nagios.*starting/ {
    		grok {
    			match => [ 'message', '%{DATA} (?<nagios_version>%{INT}\.%{INT}\.%{INT}) %{GREEDYDATA}' ]
    		}
    	}
    	if [message] =~ /timed\sout\safter/ {
    		grok {
    			match => [ 'message', '%{DATA} timed out after %{NUMBER:nagios_timeout}s' ]
    		}
    	}
    	mutate {
    		replace => [ 'type', 'nagios_core' ]
    	}
    	date {
    		match => ['epoch_timestamp', 'UNIX' ]
    	}
    }
}

#
# Local filters
#



#
# Global outputs
#



#
# Local outputs
#


EDIT: It must've taken some time for the changes to take effect, because now when I'm looking at the dashboard it's working! I can see all of the different geoip tags and the fields in the log messages are populated correctly. Thank you very much!

Re: Grok source IP from SonicWall log to GeoIP

Posted: Thu Jul 25, 2019 6:47 am
by scottwilkerson
Koja wrote: EDIT: It must've taken some time for the changes to take effect, because now when I'm looking at the dashboard it's working! I can see all of the different geoip tags and the fields in the log messages are populated correctly. Thank you very much!
Great!

Locking thread