UTM Remote logging to Logstash/Elasticsearch ELK

Posting this here if anyone wants to point their UTM logs to a remote logstash/elasticsearch instance.  This is a working sample logstash.conf file.

I pointed my remote logging at my logstash server on port 5140. This works for all of the UTM log types that are key-value pairs, e.g. packetfilter, httpproxy, endpoint web protection, ips...

I don't see a way to attach a file here so will try to paste it in this box.

input {
  # UTM "Remote syslog server" target: listen on the same port for TCP and UDP.
  tcp {
    port => 5140
  }
  udp {
    port => 5140
  }
}

filter {
  # UTM syslog line shape: <PRI>yyyy:MM:dd-HH:mm:ss host program[pid]: key="value" key="value" ...
  grok {
    match => { "message" => "<%{POSINT:syslog_pri}>%{DATA:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}\[%{NUMBER:syslog_pid}\]: %{GREEDYDATA:syslog_message}" }
  }

  # Only post-process lines the grok actually parsed; otherwise "type" would end up
  # as the literal string "%{syslog_program}" and the kv/date filters have nothing to work on.
  if "_grokparsefailure" not in [tags] {
    # The UTM timestamp carries no zone. Logstash assumes its own host zone unless
    # "timezone" is set here, so set it if the UTM and the Logstash host differ.
    date {
      match => [ "syslog_timestamp", "yyyy:MM:dd-HH:mm:ss" ]
    }

    # Split the key="value" pairs into fields (kv handles the double-quoted values).
    kv {
      source => "syslog_message"
    }

    mutate {
      replace      => { "type" => "%{syslog_program}" }
      remove_field => [ "syslog_message", "syslog_timestamp" ]
    }

    # httpproxy lines carry the full URL: pull out scheme, host and optional port.
    # The trailing slash is optional so a bare "https://example.com" still matches.
    if [type] == "httpproxy" {
      grok {
        match => { "url" => "(?<protocol>https?)://%{IPORHOST:url_domain}(?::%{POSINT:url_port})?/?" }
      }
    }
  }
} # end of filter

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "utm-%{+YYYY.MM.dd}"
  }

  # Uncomment while testing to see the parsed events on the console.
  # stdout { codec => rubydebug }
}
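Added here as a way to check the pipeline offline, not part of the original post and not Logstash code: a Python script that applies the same steps as the filter block above (syslog grok, date, kv, type from program name, the httpproxy URL split, and the daily index name from the output block) to a few constructed lines. The sample lines, hosts, IPs and field values are made up for this example, and the regular expressions approximate the grok patterns rather than reusing the grok library, so the result shows what the filter chain is expected to do with a line, including a line it cannot parse.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample lines in the <PRI>yyyy:MM:dd-HH:mm:ss host program[pid]: key="value"
# shape the pipeline expects. They are made up for this example, not captured UTM output.
SAMPLE_LINES = [
    '<30>2020:01:20-12:00:01 utm httpproxy[4242]: id="0001" severity="info" sys="SecureWeb" '
    'sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.10" '
    'dstip="203.0.113.7" user="" statuscode="200" url="http://example.com/index.html?q=1"',
    # URL with a port and no trailing slash: the original grok required the slash.
    '<30>2020:01:20-12:00:02 utm httpproxy[4242]: id="0001" action="pass" method="GET" '
    'srcip="192.168.1.11" url="https://example.org:8443"',
    # Packet filter style line: no url field, so no URL fields should be added.
    '<30>2020:01:20-12:00:03 utm ulogd[1234]: id="2001" severity="info" sys="SecurePacketFilter" '
    'sub="packetfilter" name="Packet dropped" action="drop" srcip="198.51.100.5" '
    'dstip="192.168.1.1" proto="6" dstport="22"',
    # Not a UTM line at all: must be tagged, not silently mangled.
    'Jan 20 12:00:04 somebox sshd[99]: Accepted publickey for root',
]

# Approximation of the grok pattern in the filter block.
SYSLOG_RE = re.compile(
    r'^<(?P<syslog_pri>\d+)>(?P<syslog_timestamp>\S+) (?P<syslog_host>\S+) '
    r'(?P<syslog_program>[^\[\s]+)\[(?P<syslog_pid>\d+)\]: (?P<syslog_message>.*)$'
)
# Approximation of the kv filter: key=value with an optionally double-quoted value.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Approximation of the httpproxy grok: scheme, host, optional port; trailing slash not required.
URL_RE = re.compile(r'^(?P<protocol>https?)://(?P<url_domain>[^/:\s]+)(?::(?P<url_port>\d+))?')


def parse_utm_line(line, tz=timezone.utc):
    """Run one line through the same steps as the Logstash filter block and return the event."""
    m = SYSLOG_RE.match(line)
    if not m:
        # grok {} tags lines it cannot parse; Logstash stamps them with the receipt time.
        return {"message": line, "tags": ["_grokparsefailure"],
                "@timestamp": datetime.now(timezone.utc).isoformat()}
    event = {"message": line, **m.groupdict()}

    # date {}: the UTM timestamp has no zone, so one must be assumed. Logstash uses the
    # host zone unless "timezone" is set; here the zone is an explicit argument.
    ts = datetime.strptime(event["syslog_timestamp"], "%Y:%m:%d-%H:%M:%S").replace(tzinfo=tz)
    event["@timestamp"] = ts.isoformat()

    # kv {}: an empty quoted value such as user="" stays an empty string, not a missing field.
    for kv in KV_RE.finditer(event["syslog_message"]):
        key, quoted, bare = kv.groups()
        event[key] = quoted if quoted is not None else bare

    # mutate {}: program name becomes the type; the consumed raw fields are dropped.
    event["type"] = event["syslog_program"]
    del event["syslog_message"], event["syslog_timestamp"]

    # if [type] == "httpproxy" { grok on the url field }
    if event["type"] == "httpproxy" and "url" in event:
        u = URL_RE.match(event["url"])
        if u:
            event.update({k: v for k, v in u.groupdict().items() if v is not None})
        else:
            event.setdefault("tags", []).append("_grokparsefailure")
    return event


def index_name(event):
    """Daily index the output block writes to (utm-%{+YYYY.MM.dd}); Logstash computes it in UTC."""
    ts = datetime.fromisoformat(event["@timestamp"]).astimezone(timezone.utc)
    return ts.strftime("utm-%Y.%m.%d")


def parse_all(lines, tz=timezone.utc):
    """Parse every line and attach the index it would be written to."""
    return [(index_name(e), e) for e in (parse_utm_line(l, tz) for l in lines)]


if __name__ == "__main__":
    for index, event in parse_all(SAMPLE_LINES):
        print(index, json.dumps(event, sort_keys=True))
```

Running the script prints each event next to the daily index it would land in; the unparseable last line comes out with only `message`, `tags` and a receipt timestamp, which is the shape to look for in Elasticsearch when the pipeline is not matching what the UTM actually sends.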
