grok, parse iptables remote log
I am new to grok and haven't worked with grok before, but now I need some help. I have a remote log message from a remote system which contains iptables rules.
May 11 09:37:05 zabbix kernel: [1607613.428683] FW_F_IN_DROP: IN=ens18 OUT= MAC=3a:e9:5f:c7:41:78:d0:07:ca:8c:10:01:08:00 SRC=104.16.55.12 DST=9.0.20.11 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=36679 PROTO=TCP SPT=58399 DPT=8427 WINDOW=1024 RES=0x00 SYN URGP=0
I found a rule:
((%{SYSLOGTIMESTAMP:nf_timestamp})\s*(%{HOSTNAME:nf_host})\s*kernel\S+\s*(%{WORD:nf_action})?.*IN=(%{USERNAME:nf_in_interface})?.*OUT=(%{USERNAME:nf_out_interface})?.*MAC=(%{COMMONMAC:nf_dst_mac}):(%{COMMONMAC:nf_src_mac})?.*SRC=(%{IPV4:nf_src_ip}).*DST=(%{IPV4:nf_dst_ip}).*PROTO=(%{WORD:nf_protocol}).*SPT=(%{INT:nf_src_port})?.*DPT=(%{INT:nf_dst_port})?.*)
I like this rule, but the output of this rule doesn't contain the string from iptables:
-j LOG --log-prefix "my log prefix"
which in this case equals: FW_F_IN_DROP
Also, what is the best solution to parse [1607613.428683]? It looks like this is a kernel pid, but it also includes a point in the middle.
Can someone help me modify this rule to also include the log prefix information?
Thank you.
Solution 1:
You grab an additional word in your pattern with %{WORD:log_prefix}:
The modified filter would look like this:
((%{SYSLOGTIMESTAMP:nf_timestamp})\s*(%{HOSTNAME:nf_host})\s*kernel\S+\s*(%{WORD:nf_action})?.*%{WORD:log_prefix}: IN=(%{USERNAME:nf_in_interface})?.*OUT=(%{USERNAME:nf_out_interface})?.*MAC=(%{COMMONMAC:nf_dst_mac}):(%{COMMONMAC:nf_src_mac})?.*SRC=(%{IPV4:nf_src_ip}).*DST=(%{IPV4:nf_dst_ip}).*PROTO=(%{WORD:nf_protocol}).*SPT=(%{INT:nf_src_port})?.*DPT=(%{INT:nf_dst_port})?.*)
The parsing of your log will add the following field:
"log_prefix": "FW_F_IN_DROP"
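As an added example (not code from the question or the answer), a small Python stand-in for grok expansion that applies a pattern in the spirit of the one above to the line from the question: the grok definitions are simplified assumptions, the bracketed printk value is captured as nf_uptime (it is the kernel's seconds-since-boot timestamp), and the SPT/DPT pair is optional so ICMP entries also parse.

```python
import re

# Simplified stand-ins for the grok patterns used on this page (assumption: the
# real Logstash definitions are broader; these cover the iptables fields shown).
GROK = {
    "SYSLOGTIMESTAMP": r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}",
    "HOSTNAME": r"[A-Za-z0-9._-]+",
    "WORD": r"\w+",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "COMMONMAC": r"(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2}",
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "INT": r"[+-]?\d+",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
}

def expand_grok(pattern: str) -> str:
    """Turn %{NAME:field} into a named group and %{NAME} into a plain group."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        return f"(?P<{field}>{GROK[name]})" if field else f"(?:{GROK[name]})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", repl, pattern)

# Anchors on each KEY= token instead of chaining .* between them; the bracketed
# printk value becomes nf_uptime and SPT/DPT are optional so ICMP lines match.
IPTABLES_PATTERN = (
    r"%{SYSLOGTIMESTAMP:nf_timestamp}\s+%{HOSTNAME:nf_host}\s+kernel:\s+"
    r"\[%{NUMBER:nf_uptime}\]\s+%{WORD:log_prefix}:\s+"
    r"IN=%{USERNAME:nf_in_interface}?\s+OUT=%{USERNAME:nf_out_interface}?\s+"
    r"MAC=%{COMMONMAC:nf_dst_mac}:%{COMMONMAC:nf_src_mac}.*?"
    r"SRC=%{IPV4:nf_src_ip}\s+DST=%{IPV4:nf_dst_ip}.*?PROTO=%{WORD:nf_protocol}"
    r"(?:.*?SPT=%{INT:nf_src_port}\s+DPT=%{INT:nf_dst_port})?"
)
IPTABLES_RE = re.compile(expand_grok(IPTABLES_PATTERN))

def parse_iptables_line(line: str) -> "dict | None":
    """Return the captured fields (unmatched optional fields dropped), or None."""
    m = IPTABLES_RE.search(line)
    return {k: v for k, v in m.groupdict().items() if v is not None} if m else None

# Constructed samples: the line from the question, then an ICMP drop (no SPT/DPT).
SAMPLES = [
    "May 11 09:37:05 zabbix kernel: [1607613.428683] FW_F_IN_DROP: IN=ens18 OUT= "
    "MAC=3a:e9:5f:c7:41:78:d0:07:ca:8c:10:01:08:00 SRC=104.16.55.12 DST=9.0.20.11 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=36679 PROTO=TCP SPT=58399 DPT=8427 "
    "WINDOW=1024 RES=0x00 SYN URGP=0",
    "May 11 09:40:12 zabbix kernel: [1607800.000001] FW_F_IN_DROP: IN=ens18 OUT= "
    "MAC=3a:e9:5f:c7:41:78:d0:07:ca:8c:10:01:08:00 SRC=192.0.2.10 DST=9.0.20.11 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=56 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
]
```

Calling parse_iptables_line on each entry of SAMPLES yields a dict with log_prefix set to FW_F_IN_DROP; the ICMP entry simply has no nf_src_port or nf_dst_port keys.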
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | baudsp |
