I. Example: parsing Huawei firewall logs with Logstash
1. Firewall log:

"<190>Sep 18 2021 04:10:29 DJI-WL-FW-USG6620E-01 %%01POLICY/6/POLICYPERMIT(l):vsys=public, protocol=17, source-ip=192.99.19.56, source-port=50585, destination-ip=192.9.2.87, destination-port=8456, time=2021/9/18 12:10:29, source-zone=Kaifa_CT_01, destination-zone=Internal, application-name=firewall, rule-name=rule_370.\u0000"

2. grok parsing pattern

(?<time>%{MONTH}\s%{MONTHDAY}\s%{YEAR}\s%{TIME}) %{HOSTNAME:name} %%01POLICY/6/%{WORD:action}\(l\):vsys=%{WORD:vsys}, protocol=%{INT:protocol}, source-ip=%{IP:source_ip}, source-port=%{INT:source_port}, destination-ip=%{IP:destination_ip}, destination-port=%{INT:destination_port}, time=(?<session_time>%{YEAR}/%{MONTHNUM}/%{MONTHDAY}\s%{TIME}), source-zone=%{WORD:source_zone}, destination-zone=%{WORD:destinatione_zone}, (application-name=|application-name=%{WORD:application_name}), rule-name=%{WORD:rule_name}

3. Parsed result

{
  "vsys": "public",
  "destination_port": "8456",
  "rule_name": "rule_370",
  "source_zone": "Kaifa_CT_01",
  "session_time": "2021/9/18 12:10:29",
  "source_ip": "192.99.19.56",
  "protocol": "17",
  "destination_ip": "192.9.2.87",
  "destinatione_zone": "Internal",
  "application_name": "firewall",
  "source_port": "50585",
  "name": "DJI-WL-FW-USG6620E-01",
  "action": "POLICYPERMIT",
  "time": "Sep 18 2021 04:10:29"
}
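The grok pattern above leaves every field as a string, silently accepts the trailing NUL byte, and ignores the syslog `<190>` priority prefix. The following Python parser is an added example (not part of the original post and not a Logstash configuration): it expands the same grok pattern into a Python `re` expression, strips the NUL, casts the numeric fields, decodes the PRI value into facility and severity, and handles an empty `application-name=` the way the grok alternation does. The second sample line (a POLICYDENY event with an empty application name) is constructed for this example; the field the post's grok calls `destinatione_zone` is spelled `destination_zone` here.

```python
import re
from typing import Optional

# Python re equivalent of the grok pattern from the post. %{MONTH}, %{IP},
# %{WORD} etc. are expanded inline; %{IP} is simplified to dotted-quad IPv4,
# which is all the sample log contains.
POLICY_RE = re.compile(
    r"(?P<time>(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s\d{1,2}\s\d{4}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<name>[0-9A-Za-z][0-9A-Za-z.-]*)\s"
    r"%%01POLICY/6/(?P<action>\w+)\(l\):"
    r"vsys=(?P<vsys>\w+), "
    r"protocol=(?P<protocol>\d+), "
    r"source-ip=(?P<source_ip>\d{1,3}(?:\.\d{1,3}){3}), "
    r"source-port=(?P<source_port>\d+), "
    r"destination-ip=(?P<destination_ip>\d{1,3}(?:\.\d{1,3}){3}), "
    r"destination-port=(?P<destination_port>\d+), "
    r"time=(?P<session_time>\d{4}/\d{1,2}/\d{1,2}\s\d{2}:\d{2}:\d{2}), "
    r"source-zone=(?P<source_zone>\w+), "
    r"destination-zone=(?P<destination_zone>\w+), "
    # application-name may be empty; \w* covers both branches of the grok alternation
    r"application-name=(?P<application_name>\w*), "
    r"rule-name=(?P<rule_name>\w+)"
)

# Syslog <PRI> prefix that precedes the grok-matched part of the line.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")


def parse_policy_log(line: str) -> Optional[dict]:
    """Return a dict of fields for one Huawei POLICY/6 line, or None if it does not match."""
    line = line.rstrip("\x00").rstrip()   # drop the trailing NUL seen in the sample
    m = POLICY_RE.search(line)            # search, not match: grok is unanchored too
    if m is None:
        return None
    fields = m.groupdict()
    # grok leaves every capture as a string; cast the numeric ones
    for key in ("protocol", "source_port", "destination_port"):
        fields[key] = int(fields[key])
    if fields["application_name"] == "":
        fields["application_name"] = None
    # PRI = facility * 8 + severity; 190 -> local7 (23), informational (6)
    pri = PRI_RE.match(line)
    if pri:
        value = int(pri.group("pri"))
        fields["syslog_facility"] = value // 8
        fields["syslog_severity"] = value % 8
    return fields


# Sample input: the line from the post, plus a constructed POLICYDENY line with an
# empty application-name to exercise the optional branch.
SAMPLE_LINES = [
    "<190>Sep 18 2021 04:10:29 DJI-WL-FW-USG6620E-01 %%01POLICY/6/POLICYPERMIT(l):vsys=public, "
    "protocol=17, source-ip=192.99.19.56, source-port=50585, destination-ip=192.9.2.87, "
    "destination-port=8456, time=2021/9/18 12:10:29, source-zone=Kaifa_CT_01, "
    "destination-zone=Internal, application-name=firewall, rule-name=rule_370.\x00",
    "<190>Sep 18 2021 04:11:02 DJI-WL-FW-USG6620E-01 %%01POLICY/6/POLICYDENY(l):vsys=public, "
    "protocol=6, source-ip=10.0.0.5, source-port=44120, destination-ip=10.0.1.9, "
    "destination-port=445, time=2021/9/18 12:11:02, source-zone=Guest, "
    "destination-zone=Internal, application-name=, rule-name=default.\x00",
]


def parse_all(lines):
    """Parse a list of raw lines; unmatched lines come back as None."""
    return [parse_policy_log(line) for line in lines]


if __name__ == "__main__":
    import json
    for record in parse_all(SAMPLE_LINES):
        print(json.dumps(record, indent=2))
```

Using `search` rather than `match` mirrors grok, which is why the post's pattern works even though it never mentions the `<190>` prefix; casting ports and protocol to integers matters once the events reach Elasticsearch, where string fields cannot be range-queried or aggregated numerically.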