
Example: Syslog MicroTik

Lorenzo Mangani edited this page Mar 20, 2017 · 3 revisions

MicroTik Syslog

Basic parser for MikroTik firewall logs, using the grok pattern file that ships with the project (referenced via `extra_patterns_file` below):

# Receive MikroTik syslog over UDP. Every datagram is given type "mikrotik",
# which is the value the filter section below switches on.
# Syslog over UDP carries no authentication and its source address can be
# forged, so this listener should only be reachable from the router(s) it
# collects from (network ACL or host firewall), not from arbitrary hosts.
input {
  udp {
    # 0.0.0.0 binds every interface; narrow it to the collector's
    # management/LAN address where possible.
    host => 0.0.0.0
    port => 1514
    type => "mikrotik"
  }
}

filter {

  # Primary parse. MIKROTIKFWALL is defined in the extra pattern file named
  # here (its contents are not part of this page); the commented-out match
  # below shows roughly what it captures (action, interfaces, MAC, proto,
  # src/dst IP:port pairs, length).
  if [type] == "mikrotik" {
    grok  {
           extra_patterns_file => 'lib/patterns/grok/microtik'
	   match => "%{MIKROTIKFWALL}"
    	 #  match        => ["%{SYSLOGHOST:logsource} %{DATA:action}: in:%{DATA:in}(%{DATA:in_if}) out:%{DATA:out}(%{GREEDYDATA:in_if}), src-mac %{MAC:srcmac}, proto %{GREEDYDATA:tcptype}, %{IP:srcip}:%{POSINT:srcport}->%{IP:dstip}:%{POSINT:dstport}, len %{NUMBER:len}"]
           # The tag is spelled "microtik" while the input type is "mikrotik".
           # Both are runtime strings that downstream consumers may key on,
           # so they are deliberately left as they are.
           add_tags	 => "microtik"
    	   add_field => { "parsed" => "true" }
    }
  }

  # Fallback parse for lines the first pattern rejected: the second shape has
  # no src/dst port pair (cf. the commented-out match below).
  # NOTE(review): this condition is not scoped to [type] == "mikrotik". With a
  # single input that is harmless, but any other input added later would have
  # its own grok failures routed through this block as well; guard it on the
  # type too if more inputs are configured.
  if "_grokparsefailure" in [tags] { 
    grok  {
	   match => "%{MIKROTIKFWNOP}"
    	#   match        => ["%{SYSLOGHOST:logsource} %{DATA:action}: in:%{DATA:in}(%{DATA:in_if}) out:%{DATA:out}(%{GREEDYDATA:in_if}), src-mac %{MAC:srcmac}, proto %{DATA:tcptype}(%{GREEDYDATA:proto_ext}), %{IP:srcip}->%{IP:dstip}, len %{NUMBER:len}"]
           # Clear the failure tag left by the first grok so a successful
           # fallback match is not still reported as a parse failure.
           remove_tags	 => "_grokparsefailure"
           add_tags	 => "microtik"
    	   add_field => { "parsed" => "true" }
    }
  }

  # GeoIP enrichment of both endpoints. Addresses on the private side of the
  # firewall will generally yield no location data. The ES template below
  # maps "*_lonlat" fields as geo_point — presumably the name this filter
  # emits; verify against the geoip filter's output for the version in use.
  geoip { 
    field => srcip
  }
  geoip { 
    field => dstip 
  }

}



# Parsed events are indexed; everything else is printed for debugging.
output {
  if [parsed] == "true" { 
      # index_prefix "microtik" matches the "microtik*" template pattern in
      # the ES mapping further down this page.
      # The basic-auth values are example placeholders: replace them before
      # use and keep this file's permissions tight, since it holds the ES
      # password in plaintext. No transport-security option is set in this
      # example, so confirm how the credentials are carried on the wire for
      # the plugin/ES version you deploy.
      elasticsearch {
            host => 127.0.0.1
            port => 9200
            bulk_limit => 1000
            bulk_timeout => 100
            index_prefix => microtik
            data_type => firewall
            basic_auth_user => admin
            basic_auth_password => password
      }

  } else {
     # Debug Unparsed: events that matched neither pattern (no "parsed"
     # field) go to stdout. Useful while tuning patterns, noisy in production.
     stdout {}
  }

}

ES Mapping

{
  "template" : "microtik*",
  "settings" : {
    "index.refresh_interval" : "15s",
    "number_of_shards" : 1,
    "number_of_replicas" : 0
  },
  "mappings" : {
    "_default_" : {
       "_all" : {"enabled" : true, "omit_norms" : true},
       "dynamic_templates" : [ 
       {
          "geo_fields" : {
            "mapping": {
              "type": "geo_point"
            },
            "match" : "*_lonlat"
          }
       }, {
          "ip_fields" : {
            "mapping" : {
              "type" : "ip"
            },
	    "match_pattern": "regex",
            "match" : "srcip|dstip"
          }
        }, {
          "string_fields" : {
               "match" : "*",
               "match_mapping_type" : "string",
               "mapping" : {
                 "type" : "string", "index" : "analyzed", "omit_norms" : true,
                   "fields" : {
                     "raw" : {"type": "string", "index" : "not_analyzed", "ignore_above" : 256}
                   }
               }
             }
       } ],       
	 "properties" : {
		 "@version": { "type": "string", "index": "not_analyzed" }
       }
    }
  }
}
