In this blog, we are going to share some common grok patterns used in Logstash to parse logs from Nginx (access log, and error log with Naxsi) and ufw.
Nginx
access.log
Example:
192.168.1.1 - - [30/Oct/2018:09:38:28 +0800] "GET /question?id=yyy HTTP/1.1" 200 808 "https://xxx.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15"
Grok rules:
%{IPORHOST:clientip} (?:-|(%{WORD}.%{WORD})) %{USER:ident} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) "%{GREEDYDATA:referrer}" "%{GREEDYDATA:agent}"( "%{GREEDYDATA:forwarder}")?
error.log
Examples:
2018/10/30 16:35:19 [error] 39685#0: *117137 NAXSI_FMT: ip=192.168.1.1&server=api.xxx&uri=/material&learning=1&vers=0.56&total_processed=24687&total_blocked=198&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1015&var_name0=types, client: 192.168.1.1, server: api.xxx, request: "GET /material?key=&types=REGISTER HTTP/1.1", host: "api.xxx:1443", referrer: "http://192.168.1.204:12306/"
Grok rules:
(?<timestamp>%{YEAR}[./]%{MONTHNUM}[./]%{MONTHDAY} %{TIME}) \[%{LOGLEVEL:severity}\] %{POSINT:pid}#%{NUMBER}: %{GREEDYDATA:errormessage}, client: %{IP:client}, server: %{GREEDYDATA:domain}, request: "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})", host: "%{GREEDYDATA:host}", referrer: "%{GREEDYDATA:referrer}"
Naxsi
If you installed the Naxsi module of nginx as a web application firewall and want to parse the error message into more detailed pieces, grok it one more time:
Example:
117137 NAXSI_FMT: ip=192.168.1.1&server=api.xxx&uri=/material&learning=1&vers=0.56&total_processed=24687&total_blocked=198&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1015&var_name0=types
The rule is relatively simple:
\*%{NUMBER} NAXSI_FMT: %{GREEDYDATA:param}
Then we can use the kv filter to split param into a more readable JSON object:
  kv {
    source => "param"
    field_split => "&"
    target => "param"
  }
UFW
Example:
Oct 30 11:04:57 ubuntu-100 kernel: [11497227.995058] [UFW BLOCK] IN=docker0 OUT= PHYSIN=vethf628260 MAC=02:42:52:2d:ba:c5:02:42:ac:11:00:24:08:00 SRC=172.17.0.36 DST=192.168.1.100 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=48748 DF PROTO=TCP SPT=42634 DPT=19998 WINDOW=237 RES=0x00 ACK FIN URGP=0
Grok rules for the pre-processing step:
%{SYSLOGTIMESTAMP:ufw_timestamp} %{SYSLOGHOST:ufw_hostname} %{DATA:ufw_program}(?:\[%{POSINT:ufw_pid}\])?: %{GREEDYDATA:ufw_message}
Then, parse ufw_message:
[11497227.995058] [UFW BLOCK] IN=docker0 OUT= PHYSIN=vethf628260 MAC=02:42:52:2d:ba:c5:02:42:ac:11:00:24:08:00 SRC=172.17.0.36 DST=192.168.1.100 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=48748 DF PROTO=TCP SPT=42634 DPT=19998 WINDOW=237 RES=0x00 ACK FIN URGP=0
Second-step rules:
\[%{DATA}\] \[UFW %{WORD:ufw_action}\] IN=%{DATA:ufw_interface} OUT= (MAC|PHYSIN)=%{DATA:ufw_mac} SRC=%{IP:ufw_src_ip} DST=%{IP:ufw_dest_ip} %{GREEDYDATA:ufw_tcp_opts} PROTO=%{WORD:ufw_protocol} SPT=%{INT:ufw_src_port} DPT=%{INT:ufw_dst_port} %{GREEDYDATA:ufw_tcp_opts}
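To check these rules without a running Logstash instance, here is an added Python example (not from the original post, and not Logstash's own code) that expands the grok rules from this page into Python regular expressions and runs them over the three sample lines given above: the access log rule, the error log rule followed by the Naxsi rule and the kv split, and the two ufw steps. The definitions in PATTERNS are simplified approximations of the logstash-patterns-core ones (IP only covers IPv4, LOGLEVEL accepts any word, HOSTNAME is loose); that is an assumption which holds for the sample lines but not for every real log, so treat the output as a sanity check, not as a substitute for the Grok Debugger. Two details of the page's rules become visible this way: the second ufw rule captures ufw_tcp_opts twice, which Logstash turns into a two-element array (the code mimics that), and when a PHYSIN= field is present, ufw_mac ends up holding the PHYSIN value together with the MAC= key, because the DATA capture runs until the next SRC=.

```python
import re

# Simplified stand-ins for the logstash-patterns-core definitions used on this page
# (assumption: the real library patterns are stricter, e.g. IP also accepts IPv6).
PATTERNS = {
    "INT": r"[+-]?[0-9]+",
    "NUMBER": r"[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "POSINT": r"\b[1-9][0-9]*\b",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "USER": r"[a-zA-Z0-9._-]+",
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "IPORHOST": r"(?:%{IP}|\b[0-9A-Za-z][0-9A-Za-z.-]*)",
    "SYSLOGHOST": r"%{IPORHOST}",
    "MONTH": r"\b[A-Z][a-z]{2}\b",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "TIME": r"(?:2[0-3]|[01]?[0-9]):[0-5][0-9]:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?",
    "HTTPDATE": r"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "LOGLEVEL": r"[A-Za-z]+",
}
REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def compile_grok(pattern):
    """Expand %{NAME:field} references into a Python regex with named groups.
    Grok allows one field name twice (Logstash then stores a list); Python does
    not, so repeats get a __N suffix here and grok_match() folds them back."""
    seen = {}
    def expand(p):
        def sub(m):
            name, field = m.group(1), m.group(2)
            body = expand(PATTERNS[name])
            if not field:
                return "(?:" + body + ")"
            seen[field] = seen.get(field, 0) + 1
            group = field if seen[field] == 1 else f"{field}__{seen[field]}"
            return f"(?P<{group}>{body})"
        return REF.sub(sub, p)

    # Oniguruma-style (?<name>...) groups -> Python (?P<name>...)
    return re.compile(re.sub(r"\(\?<(\w+)>", r"(?P<\1>", expand(pattern)))

def grok_match(compiled, text):
    """Captured fields as a dict (None when the line does not match)."""
    m = compiled.search(text)
    if not m:
        return None
    out = {}
    for group, value in m.groupdict().items():
        if value is None:                 # optional group that did not participate
            continue
        field = re.sub(r"__\d+$", "", group)
        if field in out:                  # repeated field name -> list, as Logstash does
            out[field] = out[field] if isinstance(out[field], list) else [out[field]]
            out[field].append(value)
        else:
            out[field] = value
    return out

def kv(text, field_split="&", value_split="="):
    """Minimal stand-in for the Logstash kv filter: 'k=v&k2=v2' -> dict."""
    return dict(p.split(value_split, 1) for p in text.split(field_split) if value_split in p)

# Grok rules exactly as given on the page
ACCESS_RULE = r'%{IPORHOST:clientip} (?:-|(%{WORD}.%{WORD})) %{USER:ident} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) "%{GREEDYDATA:referrer}" "%{GREEDYDATA:agent}"( "%{GREEDYDATA:forwarder}")?'
ERROR_RULE = r'(?<timestamp>%{YEAR}[./]%{MONTHNUM}[./]%{MONTHDAY} %{TIME}) \[%{LOGLEVEL:severity}\] %{POSINT:pid}#%{NUMBER}: %{GREEDYDATA:errormessage}, client: %{IP:client}, server: %{GREEDYDATA:domain}, request: "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})", host: "%{GREEDYDATA:host}", referrer: "%{GREEDYDATA:referrer}"'
NAXSI_RULE = r"\*%{NUMBER} NAXSI_FMT: %{GREEDYDATA:param}"
UFW_RULE_1 = r"%{SYSLOGTIMESTAMP:ufw_timestamp} %{SYSLOGHOST:ufw_hostname} %{DATA:ufw_program}(?:\[%{POSINT:ufw_pid}\])?: %{GREEDYDATA:ufw_message}"
UFW_RULE_2 = r"\[%{DATA}\] \[UFW %{WORD:ufw_action}\] IN=%{DATA:ufw_interface} OUT= (MAC|PHYSIN)=%{DATA:ufw_mac} SRC=%{IP:ufw_src_ip} DST=%{IP:ufw_dest_ip} %{GREEDYDATA:ufw_tcp_opts} PROTO=%{WORD:ufw_protocol} SPT=%{INT:ufw_src_port} DPT=%{INT:ufw_dst_port} %{GREEDYDATA:ufw_tcp_opts}"

# Sample lines copied from the page
ACCESS_LINE = '192.168.1.1 - - [30/Oct/2018:09:38:28 +0800] "GET /question?id=yyy HTTP/1.1" 200 808 "https://xxx.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15"'
ERROR_LINE = '2018/10/30 16:35:19 [error] 39685#0: *117137 NAXSI_FMT: ip=192.168.1.1&server=api.xxx&uri=/material&learning=1&vers=0.56&total_processed=24687&total_blocked=198&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1015&var_name0=types, client: 192.168.1.1, server: api.xxx, request: "GET /material?key=&types=REGISTER HTTP/1.1", host: "api.xxx:1443", referrer: "http://192.168.1.204:12306/"'
UFW_LINE = "Oct 30 11:04:57 ubuntu-100 kernel: [11497227.995058] [UFW BLOCK] IN=docker0 OUT= PHYSIN=vethf628260 MAC=02:42:52:2d:ba:c5:02:42:ac:11:00:24:08:00 SRC=172.17.0.36 DST=192.168.1.100 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=48748 DF PROTO=TCP SPT=42634 DPT=19998 WINDOW=237 RES=0x00 ACK FIN URGP=0"

def parse_access(line):
    return grok_match(compile_grok(ACCESS_RULE), line)

def parse_error(line):
    """error.log grok, then the Naxsi grok and kv on errormessage (the page's second pass)."""
    event = grok_match(compile_grok(ERROR_RULE), line)
    if event:
        naxsi = grok_match(compile_grok(NAXSI_RULE), event["errormessage"])
        if naxsi:
            event["param"] = kv(naxsi["param"])
    return event

def parse_ufw(line):
    """Syslog pre-processing grok, then the UFW grok on ufw_message (the page's two steps)."""
    event = grok_match(compile_grok(UFW_RULE_1), line)
    if event:
        event.update(grok_match(compile_grok(UFW_RULE_2), event["ufw_message"]) or {})
    return event
```

Call parse_access(ACCESS_LINE), parse_error(ERROR_LINE) or parse_ufw(UFW_LINE) to see the resulting event dicts; a line that does not match returns None, which is the case Logstash marks with the _grokparsefailure tag. Note that the errormessage field still carries the leading `*` that the Naxsi rule's `\*` expects, so the second pass must run on that field, not on a hand-trimmed copy.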
Grok Debugger
Tools and documentation for debugging your own rules:
- http://{your_kibana_url}/app/kibana#/dev_tools/grokdebugger?_g=()
- online debugger
- supported regex
- grok internal patterns
- logstash common patterns
Written with StackEdit.