forked from breakandinspect/graylog
-
Notifications
You must be signed in to change notification settings - Fork 0
/
GRAYLOG_Untangle-v12_Extractors.json
134 lines (134 loc) · 9.46 KB
/
GRAYLOG_Untangle-v12_Extractors.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
{
"extractors": [
{
"title": "com.untangle.node.application_control_lite.ApplicationControlLiteEvent",
"extractor_type": "grok",
"converters": [],
"order": 5,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "message",
"extractor_config": {
"grok_pattern": "%{HOSTNAME:sname} %{DATA:header} <%{DATA:session}> %{DATA:severity} %{DATA:tag}\\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"protocol\\\":%{DATA:protocol},\\\"blocked\\\":%{DATA:blocked},\\\"sessionId\\\":%{DATA:session},\\\"tag\\\":\\\"%{DATA:tag}\\\",\\\"class\\\":\\\"class %{DATA:class}\\\",\\\"partitionTablePostfix\\\":\\\"%{DATA:partitionTable}\\\""
},
"condition_type": "string",
"condition_value": "com.untangle.node.application_control_lite.ApplicationControlLiteEvent"
},
{
"title": "com.untangle.uvm.node.SessionMinuteEvent",
"extractor_type": "grok",
"converters": [],
"order": 3,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "message",
"extractor_config": {
"grok_pattern": "%{HOSTNAME:sname} %{DATA:header} <> %{DATA:severity} %{DATA:tag}\\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"c2sBytes\\\":%{BASE10NUM:bytesIn},\\\"sessionId\\\":%{BASE10NUM:session},\\\"tag\\\":\\\"%{DATA:tag}\\\",\\\"class\\\":\\\"class %{DATA:class}\\\",\\\"s2cBytes\\\":%{BASE10NUM:bytesOut},\\\"partitionTablePostfix\\\":\\\"%{DATA:partitionTable}\\\"}"
},
"condition_type": "string",
"condition_value": "com.untangle.uvm.node.SessionMinuteEvent"
},
{
"title": "com.untangle.node.intrusion_prevention.IntrusionPreventionLogEvent",
"extractor_type": "grok",
"converters": [],
"order": 4,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "message",
"extractor_config": {
"grok_pattern": "%{HOSTNAME:sname} %{DATA:header} <> %{DATA:severity} %{DATA:tag}\\{\\\"msg\\\":\\\"%{DATA:ids_rule}\\\",\\\"ipDestination\\\":\\\"/%{IPV4:dip}\\\",\\\"classtype\\\":\\\"%{DATA:ids_classtype}\\\",\\\"signatureId\\\":%{BASE10NUM:ids_signatureId},\\\"sportItype\\\":%{BASE10NUM:sport},\\\"mplsLabel\\\":%{BASE10NUM:mplsLabel},\\\"eventMicrosecond\\\":%{BASE10NUM:microsecond},\\\"sensorId\\\":%{BASE10NUM:sensorId},\\\"priorityId\\\":%{BASE10NUM:priority},\\\"partitionTablePostfix\\\":\\\"%{DATA:partitionTable}\\\",\\\"generatorId\\\":%{BASE10NUM:ruleId},\\\"protocol\\\":%{BASE10NUM:protocol},\\\"blocked\\\":%{BASE10NUM:blocked},\\\"signatureRevision\\\":%{BASE10NUM:ids_signature},\\\"tag\\\":\\\"%{DATA:tag}\\\",\\\"class\\\":\\\"class %{DATA:class}\\\",\\\"dportIcode\\\":%{BASE10NUM:dport},\\\"eventId\\\":%{BASE10NUM:eventId},\\\"padding\\\":%{BASE10NUM:padding},\\\"impactFlag\\\":%{BASE10NUM:ids_impactflag},\\\"vlanId\\\":%{BASE10NUM:vlanId},\\\"eventSecond\\\":%{BASE10NUM:seconds},\\\"impact\\\":%{BASE10NUM:ids_impact},\\\"ipSource\\\":\\\"/%{IPV4:sip}\\\",\\\"eventType\\\":%{DATA:ids_eventType},\\\"classificationId\\\":%{BASE10NUM:ids_classificationId},\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"category\\\":\\\"%{DATA:ids_category}\\\""
},
"condition_type": "string",
"condition_value": "com.untangle.node.intrusion_prevention.IntrusionPreventionLogEvent"
},
{
"title": "com.untangle.uvm.node.SessionNatEvent",
"extractor_type": "grok",
"converters": [],
"order": 1,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "message",
"extractor_config": {
"grok_pattern": "%{HOSTNAME:sname} %{DATA:header} <> %{DATA:severity} %{DATA:tag}\\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"SClientPort\\\":%{BASE10NUM:sport},\\\"SServerPort\\\":%{BASE10NUM:dport},\\\"SClientAddr\\\":\\\"/%{IPV4:sip}\\\",\\\"tag\\\":\\\"%{DATA:tag}\\\",\\\"class\\\":\\\"class %{DATA:class}\\\",\\\"SServerAddr\\\":\\\"/%{IPV4:dip}\\\""
},
"condition_type": "string",
"condition_value": "com.untangle.uvm.node.SessionNatEvent"
},
{
"title": "com.untangle.node.firewall.FirewallEvent",
"extractor_type": "grok",
"converters": [],
"order": 6,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "message",
"extractor_config": {
"grok_pattern": "%{HOSTNAME:sname} %{DATA:header} <%{DATA:session}> %{DATA:severity} %{DATA:tag}\\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"flagged\\\":%{DATA:flagged},\\\"blocked\\\":%{DATA:blocked},\\\"sessionId\":%{DATA:session},\\\"tag\\\":\\\"%{DATA:tag}\\\",\\\"ruleId\\\":%{BASE10NUM:ruleId},\\\"class\\\":\\\"class %{DATA:class}\\\",\\\"partitionTablePostfix\\\":\\\"%{DATA:partitionTable}\\\""
},
"condition_type": "string",
"condition_value": "com.untangle.node.firewall.FirewallEvent"
},
{
"title": "com.untangle.uvm.logging.InterfaceStatEvent",
"extractor_type": "grok",
"converters": [],
"order": 8,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "message",
"extractor_config": {
"grok_pattern": "%{HOSTNAME:sname} %{DATA:header} <%{DATA:session}> %{DATA:severity} %{DATA:tag}\\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"txRate\\\":%{DATA:bytesOut},\\\"interfaceId\\\":%{BASE10NUM:sinterface},\\\"tag\\\":\\\"%{DATA:tag}\\\",\\\"rxRate\\\":%{DATA:bytesIn},\\\"class\\\":\\\"class %{DATA:class}\\\",\\\"partitionTablePostfix\\\":\\\"%{DATA:partitionTable}\\\"}"
},
"condition_type": "string",
"condition_value": "com.untangle.uvm.logging.InterfaceStatEvent"
},
{
"title": "com.untangle.node.http.HttpRequestEvent",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "message",
"extractor_config": {
"grok_pattern": "%{HOSTNAME:sname} %{DATA:header} <%{DATA:session}> %{DATA:severity} %{DATA:tag}\\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"contentLength\\\":%{BASE10NUM:bytesIn},\\\"requestLine\\\":\\\"%{DATA:URL}\\\",\\\"tag\\\":\\\"%{DATA:tag}\\\",\\\"contentType\\\":\\\"%{DATA:contentType}\\\",\\\"class\\\":\\\"class %{DATA:class}\\\",\\\"httpRequestEvent\\\":\\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"method\\\":\\\"%{DATA:command}\\\",\\\"requestId\\\":%{DATA:session},\\\"domain\\\":\\\"%{DATA:domain}\\\",\\\"host\\\":\\\"%{HOSTNAME:hostname}\\\",\\\"contentLength\\\":%{BASE10NUM:bytesOut},\\\"requestUri\\\":\\\"%{DATA:requestUri}\\\",\\\"tag\\\":\\\"%{DATA:tag}\\\",\\\"class\\\":\\\"class %{DATA:class}\\\",\\\"sessionEvent\\\":\\{\\\"entitled\\\":%{DATA:entitled},\\\"partitionTablePostfix\\\":\\\"%{DATA:partitionTable},\\\"protocol\\\":%{BASE10NUM:protocol},\\\"hostname\\\":\\\"",
"named_captures_only": true
},
"condition_type": "string",
"condition_value": "com.untangle.node.http.HttpRequestEvent"
},
{
"title": "com.untangle.uvm.node.SessionStatsEvent",
"extractor_type": "grok",
"converters": [],
"order": 2,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "message",
"extractor_config": {
"grok_pattern": "%{HOSTNAME:sname} %{DATA:header} <> %{DATA:severity} %{DATA:tag}\\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"s2pBytes\\\":%{BASE10NUM:bytesIn},\\\"p2sBytes\":%{BASE10NUM:bytesOut},\\\"endTime\\\":%{BASE10NUM:sessionTime},\\\"sessionId\":%{DATA:session},\\\"tag\\\":\\\"%{DATA:tag}\\\",\\\"class\\\":\\\"class %{DATA:class}\\\",\\\"partitionTablePostfix\\\":\\\"%{DATA:partitionTable}\\\"",
"named_captures_only": true
},
"condition_type": "string",
"condition_value": "com.untangle.uvm.node.SessionStatsEvent"
},
{
"title": "com.untangle.uvm.node.SessionEvent",
"extractor_type": "grok",
"converters": [],
"order": 7,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "message",
"extractor_config": {
"grok_pattern": "%{HOSTNAME:sname} %{DATA:header} <> %{DATA:severity} %{DATA:tag}\\{\\\"entitled\\\":%{DATA:entitled},\\\"partitionTablePostfix\\\":\\\"%{DATA:partitionTable}\\\",\\\"protocol\\\":%{BASE10NUM:protocol},\\\"hostname\\\":\\\"%{HOSTNAME:hostname}\\\",\\\"CServerPort\\\":%{BASE10NUM:dport},\\\"protocolName\\\":%{DATA:protocol},\\\"tag\\\":\\\"%{DATA:tag}\\\",\\\"serverLatitude\\\":%{DATA:latitude},\\\"localAddr\\\":\\\"/%{IPV4:sip}\\\",\\\"class\\\":\\\"class %{DATA:class}\\\",\\\"SServerAddr\\\":\\\"/%{IPV4:dip}\\\",\\\"remoteAddr\\\":\\\"/%{IPV4:dip}\\\",\\\"serverIntf\\\":%{BASE10NUM:dinterface},\\\"CClientAddr\\\":\\\"/%{IPV4:sip}\\\",\\\"serverCountry\\\":\\\"%{DATA:dst_country}\\\",\\\"sessionId\\\":%{BASE10NUM:session},\\\"SClientAddr\\\":\\\"/%{IPV4:sip}\",\\\"clientCountry\\\":\\\"%{DATA:src_country}\\\",\\\"CClientPort\\\":%{BASE10NUM:sport},\\\"policyRuleId\\\":%{BASE10NUM:ruleId},\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"serverLongitude\\\":%{DATA:longitude},\\\"clientIntf\\\":%{BASE10NUM:sinterface},\\\"policyId\\\":%{BASE10NUM:policyId},\\\"SClientPort\\\":%{BASE10NUM:sport},\\\"bypassed\\\":%{DATA:bypassed},\\\"SServerPort\\\":%{BASE10NUM:dport},\\\"CServerAddr\\\":\\\"/%{IPV4:sip}\\\"}",
"named_captures_only": true
},
"condition_type": "string",
"condition_value": "com.untangle.uvm.node.SessionEvent"
}
],
"version": "2.2.0-SNAPSHOT"
}