共计 1224 个字符,预计需要花费 4 分钟才能阅读完成。
一、Logstash 解析华为防火墙日志示例
1. 防火墙日志:
"<190>Sep 18 2021 04:10:29 DJI-WL-FW-USG6620E-01 %%01POLICY/6/POLICYPERMIT(l):vsys=public, protocol=17, source-ip=192.99.19.56, source-port=50585, destination-ip=192.9.2.87, destination-port=8456, time=2021/9/18 12:10:29, source-zone=Kaifa_CT_01, destination-zone=Internal, application-name=firewall, rule-name=rule_370.\u0000"2.grok 解析语法
(?<time>%{MONTH}\s%{MONTHDAY}\s%{YEAR}\s%{TIME}) %{HOSTNAME:name} %%01POLICY/6/%{WORD:action}\(l\):vsys=%{WORD:vsys}, protocol=%{INT:protocol}, source-ip=%{IP:source_ip}, source-port=%{INT:source_port}, destination-ip=%{IP:destination_ip}, destination-port=%{INT:destination_port}, time=(?<session_time>%{YEAR}/%{MONTHNUM}/%{MONTHDAY}\s%{TIME}), source-zone=%{WORD:source_zone}, destination-zone=%{WORD:destinatione_zone}, (application-name=|application-name=%{WORD:application_name}), rule-name=%{WORD:rule_name}3. 解析后果
{
"vsys": "public",
"destination_port": "8456",
"rule_name": "rule_370",
"source_zone": "Kaifa_CT_01",
"session_time": "2021/9/18 12:10:29",
"source_ip": "192.99.19.56",
"protocol": "17",
"destination_ip": "192.9.2.87",
"destinatione_zone": "Internal",
"application_name": "firewall",
"source_port": "50585",
"name": "DJI-WL-FW-USG6620E-01",
"action": "POLICYPERMIT",
"time": "Sep 18 2021 04:10:29"
}正文完