Posting this here if anyone wants to point their UTM logs to a remote logstash/elasticsearch instance. This is a working sample logstash.conf file.
I pointed my remote logging to my logstash server on port 5140. This works for all of the UTM log types that are emitted as key-value pairs, e.g. packetfilter, httpproxy, endpoint web protection, ips, ...
I don't see a way to attach a file here, so I will paste it in this box.
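input {
  # Both listeners bind all interfaces unless host is set. Syslog over plain
  # tcp/udp is unauthenticated and unencrypted, so restrict who can reach
  # port 5140: host => "<ip-of-the-interface-the-UTM-sends-to>" on each input
  # and/or a host firewall rule limited to the UTM's address.
  tcp {
    port => 5140
  }
  udp {
    port => 5140
  }
}
filter {
  # Split the syslog envelope the UTM sends into PRI, timestamp, host,
  # program name, pid and the remaining key=value payload.
  grok {
    match => { "message" => "<%{POSINT:syslog_pri}>%{DATA:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}\[%{NUMBER:syslog_pid}\]\: %{GREEDYDATA:syslog_message}" }
  }
  # Only continue when the envelope matched. Without this guard an event that
  # grok could not parse has no syslog_program field, so the mutate below would
  # set type to the literal string "%{syslog_program}" and the event would be
  # indexed anyway; unparsed events now keep their _grokparsefailure tag and
  # their original message for inspection.
  if "_grokparsefailure" not in [tags] {
    date {
      match => [ "syslog_timestamp", "yyyy:MM:dd-HH:mm:ss" ]
    }
    # kv creates one field per key=value pair found in the message, with field
    # names taken from the log line itself. Log types that reflect client-
    # supplied text (e.g. the httpproxy url) can therefore introduce unexpected
    # field names into the index; consider include_keys => [ ... ] to whitelist
    # the UTM keys that are actually used.
    kv {
      source => "syslog_message"
    }
    mutate {
      # Hash form of replace; the array form accepted by older releases is
      # deprecated.
      replace => { "type" => "%{syslog_program}" }
      remove_field => [ "syslog_message", "syslog_timestamp" ]
    }
    # httpproxy events carry a url field; pull out the scheme and host part.
    if [type] == "httpproxy" {
      grok { match => { "url" => "(?<protocol>https?)://%{IPORHOST:url_domain}/" } }
    }
  }
} # end of filter
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "utm-%{+YYYY.MM.dd}"
  }
  # Uncomment to see parsed events on the console while tuning the filters.
  # stdout { codec => rubydebug }
}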