{
"extractors": [
{
"title": "SSLV-[dhclient]",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{HOSTNAME:sname} %{DATA:process}: %{DATA:command}: %{DATA:object}, interval %{BASE10NUM:rate}ms."
},
"condition_type": "string",
"condition_value": "dhclient"
},
{
"title": "SSLV-[sslcontrol]",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{HOSTNAME:sname} %{DATA:process}: %{GREEDYDATA:object}"
},
"condition_type": "string",
"condition_value": "sslcontrol"
},
{
"title": "SSLV-[sslmanage]",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{HOSTNAME:sname} %{DATA:process}: %{GREEDYDATA:object}"
},
"condition_type": "string",
"condition_value": "sslmanage"
},
{
"title": "SSLV-[syslog-ng]",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{HOSTNAME:sname} %{DATA:process}\\[%{BASE10NUM:session}\\]: %{GREEDYDATA:object}"
},
"condition_type": "string",
"condition_value": "syslog-ng"
},
{
"title": "SSLV-[ssldata]",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{HOSTNAME:sname} %{DATA:process}\\[%{BASE10NUM:processId}\\]: \\[%{DATA:ssl_segmentId}\\] %{DATA:session} %{IPV4:sip}:%{DATA:sport} -> %{IPV4:dip}:%{DATA:dport} %{DATA:ssl_type} %{DATA:ssl_cypher} %{DATA:URL} %{DATA:ssl_unknown} cert fp: %{DATA:ssl_certificate} rule:%{BASE10NUM:ssl_ruleId} %{DATA:command} %{DATA:ssl_status}"
},
"condition_type": "string",
"condition_value": "ssldata"
}
],
"version": "2.2.0-SNAPSHOT"
}