├── GRAYLOG_CISCO-3725_Extractors.json ├── GRAYLOG_EXTRACTOR_FIELDS.txt ├── GRAYLOG_Infoblox_Extractors.json ├── GRAYLOG_LogRhythm_Extractors.json ├── GRAYLOG_SymantecSSLV-v3x_Extractors.json ├── GRAYLOG_Ubiquiti_Extractors.json ├── GRAYLOG_Untangle-v12_Extractors.json ├── GRAYLOG_Untangle-v13_Extractors.json ├── GRAYLOG_VMware_ESX_Extractors.json ├── GRAYLOG_hMailServer_Extractors.json ├── GRAYLOG_pfSense_Extractors.json ├── LICENSE.txt ├── README.md └── gl_threatfeeds.sh /GRAYLOG_CISCO-3725_Extractors.json: -------------------------------------------------------------------------------- 1 | { 2 | "extractors": [ 3 | { 4 | "title": "CISCO ios-X IPACCESSLOGP", 5 | "extractor_type": "grok", 6 | "converters": [], 7 | "order": 0, 8 | "cursor_strategy": "copy", 9 | "source_field": "message", 10 | "target_field": "", 11 | "extractor_config": { 12 | "grok_pattern": "\\%SEC-6-%{DATA:process}: %{GREEDYDATA:object} %{DATA:protocol} %{IPV4:sip}\\(%{DATA:sport}\\) -> %{IPV4:dip}\\(%{DATA:dport}\\), %{DATA:size} packet" 13 | }, 14 | "condition_type": "string", 15 | "condition_value": "IPACCESSLOGP" 16 | }, 17 | { 18 | "title": "CISCO ios-X LINEPROTO", 19 | "extractor_type": "grok", 20 | "converters": [], 21 | "order": 0, 22 | "cursor_strategy": "copy", 23 | "source_field": "message", 24 | "target_field": "", 25 | "extractor_config": { 26 | "grok_pattern": "\\%%{DATA:process}-%{DATA:sinterface}-%{DATA:command}: %{GREEDYDATA:object}" 27 | }, 28 | "condition_type": "string", 29 | "condition_value": "LINEPROTO" 30 | }, 31 | { 32 | "title": "CISCO ios-X IPS-x-SIGNATURE", 33 | "extractor_type": "grok", 34 | "converters": [], 35 | "order": 0, 36 | "cursor_strategy": "copy", 37 | "source_field": "message", 38 | "target_field": "", 39 | "extractor_config": { 40 | "grok_pattern": "\\%%{DATA:process}: %{GREEDYDATA:object} \\[%{IPV4:sip}:%{DATA:sport} -> %{IPV4:dip}:%{DATA:dport}\\]" 41 | }, 42 | "condition_type": "string", 43 | "condition_value": "IPS" 44 | }, 45 | { 46 | "title": "CISCO 
ios-X IPACCESSLOGRL", 47 | "extractor_type": "grok", 48 | "converters": [], 49 | "order": 0, 50 | "cursor_strategy": "copy", 51 | "source_field": "message", 52 | "target_field": "", 53 | "extractor_config": { 54 | "grok_pattern": "\\%SEC-6-%{DATA:process}: %{GREEDYDATA:object}" 55 | }, 56 | "condition_type": "string", 57 | "condition_value": "IPACCESSLOGRL" 58 | } 59 | ], 60 | "version": "2.3.1" 61 | } -------------------------------------------------------------------------------- /GRAYLOG_EXTRACTOR_FIELDS.txt: -------------------------------------------------------------------------------- 1 | List of Parsing Fields and Tags Used in Extractors 2 | 3 | SIP Source IP (v4/6) 4 | SNATIP Source Nat IP (v4/6) 5 | DIP Destination IP (v4/6) 6 | DNATIP Destination Nat IP (v4/6) 7 | SPORT Source Port 8 | SNATPORT Source Nat Port 9 | DPORT Destination Port 10 | DNATPORT Destination Nat Port 11 | SMAC Source MAC Address 12 | DMAC Destination MAC Address 13 | SINTERFACE Source Interface 14 | DINTERFACE Destination Interface 15 | PROTOCOL Protocol 16 | PROTNUM Protocol Number/ID 17 | PROTNAME Protocol Name 18 | LOGIN User associated with activity 19 | ACCOUNT User account impacted by activity 20 | GROUP Group/Role 21 | DOMAIN Windows/DNS Domain 22 | OBJECT Resource (file, etc) 23 | URL Referenced URL 24 | VMID Vendor Message ID 25 | SENDER Email SENDER 26 | RECIPIENT Email Recipient 27 | SUBJECT Email SUBJECT 28 | SESSION User, System, Application Session 29 | PROCESS System or Application Process 30 | SEVERITY Logging Level 31 | VERSION Software/Hardware VERSION 32 | COMMAND Command, Script, etc Executed 33 | BYTESIN Bytes Inbound 34 | BYTESOUT Bytes Outbound 35 | DURATION Duration of a Session, Job, Activity, etc 36 | SIZE The Size of Something 37 | QUANTITY The Quantity of Something 38 | AMOUNT The Amount of Something 39 | RATE The Rate/Interval of Something 40 | LOGSTAMP Free-form Timestamp Field found in Message 41 | DIRECTION Some FWs include directionality of Data 
(inbound, outbound, etc) 42 | JUNK Junk Information / Not Necessary Information 43 | PAYLOAD Used for Truncated Messages - capture remaining data in 1 field 44 | POLICY Policy ID# 45 | POLICYRULE Policy Rule or Policy Rule ID# 46 | -------------------------------------------------------------------------------- /GRAYLOG_Infoblox_Extractors.json: -------------------------------------------------------------------------------- 1 | { 2 | "extractors": [ 3 | { 4 | "title": "Infoblox (kernel) Process", 5 | "extractor_type": "grok", 6 | "converters": [], 7 | "order": 0, 8 | "cursor_strategy": "copy", 9 | "source_field": "message", 10 | "target_field": "", 11 | "extractor_config": { 12 | "grok_pattern": "%{HOSTNAME:sname} %{IPV4:sip} %{DATA:process}: : \\[%{DATA:session}\\] %{GREEDYDATA:object}" 13 | }, 14 | "condition_type": "string", 15 | "condition_value": "kernel:" 16 | }, 17 | { 18 | "title": "Infoblox (debug_mount) Process", 19 | "extractor_type": "grok", 20 | "converters": [], 21 | "order": 0, 22 | "cursor_strategy": "copy", 23 | "source_field": "message", 24 | "target_field": "", 25 | "extractor_config": { 26 | "grok_pattern": "%{HOSTNAME:sname} %{IPV4:sip} %{DATA:process}: %{GREEDYDATA:object}" 27 | }, 28 | "condition_type": "string", 29 | "condition_value": "debug_mount:" 30 | }, 31 | { 32 | "title": "Infoblox (named:recursion) Process", 33 | "extractor_type": "grok", 34 | "converters": [], 35 | "order": 0, 36 | "cursor_strategy": "copy", 37 | "source_field": "message", 38 | "target_field": "", 39 | "extractor_config": { 40 | "grok_pattern": "%{HOSTNAME:sname} %{IPV4:sip} %{DATA:process}\\[%{BASE10NUM:session}\\]: %{GREEDYDATA:object}" 41 | }, 42 | "condition_type": "string", 43 | "condition_value": "Recursion" 44 | }, 45 | { 46 | "title": "Infoblox (named) Process", 47 | "extractor_type": "grok", 48 | "converters": [], 49 | "order": 0, 50 | "cursor_strategy": "copy", 51 | "source_field": "message", 52 | "target_field": "", 53 | "extractor_config": { 54 | 
"grok_pattern": "%{HOSTNAME:sname} %{IPV4:sip} %{DATA:process}\\[%{BASE10NUM:session}\\]: client %{IPV4:dip}#%{BASE10NUM:sport} \\(%{DATA:URL}\\): query: %{GREEDYDATA:object}" 55 | }, 56 | "condition_type": "string", 57 | "condition_value": "named[" 58 | }, 59 | { 60 | "title": "Infoblox Reporter", 61 | "extractor_type": "grok", 62 | "converters": [], 63 | "order": 0, 64 | "cursor_strategy": "copy", 65 | "source_field": "message", 66 | "target_field": "", 67 | "extractor_config": { 68 | "grok_pattern": "%{HOSTNAME:sname} %{IPV4:sip} %{DATA:process}: %{GREEDYDATA:logstamp} \\[%{DATA:objectname}\\]: %{GREEDYDATA:object}" 69 | }, 70 | "condition_type": "string", 71 | "condition_value": "$SPLUNK-REPORTING-ADMIN$" 72 | }, 73 | { 74 | "title": "Infoblox (python) Process", 75 | "extractor_type": "grok", 76 | "converters": [], 77 | "order": 0, 78 | "cursor_strategy": "copy", 79 | "source_field": "message", 80 | "target_field": "", 81 | "extractor_config": { 82 | "grok_pattern": "%{HOSTNAME:sname} %{IPV4:sip} %{DATA:process}: %{GREEDYDATA:object}" 83 | }, 84 | "condition_type": "string", 85 | "condition_value": "python:" 86 | }, 87 | { 88 | "title": "Infoblox (named:zone) Process", 89 | "extractor_type": "grok", 90 | "converters": [], 91 | "order": 0, 92 | "cursor_strategy": "copy", 93 | "source_field": "message", 94 | "target_field": "", 95 | "extractor_config": { 96 | "grok_pattern": "%{HOSTNAME:sname} %{IPV4:sip} %{DATA:process}\\[%{DATA:session}\\]: zone %{DATA:URL}/IN: %{GREEDYDATA:object}" 97 | }, 98 | "condition_type": "string", 99 | "condition_value": "zone" 100 | }, 101 | { 102 | "title": "Infoblox (named:dhcp_update) Process", 103 | "extractor_type": "grok", 104 | "converters": [], 105 | "order": 0, 106 | "cursor_strategy": "copy", 107 | "source_field": "message", 108 | "target_field": "", 109 | "extractor_config": { 110 | "grok_pattern": "%{HOSTNAME:sname} %{IPV4:dip} %{DATA:process}\\[%{DATA:session}\\]: client %{IPV4:sip}#%{BASE10NUM:sport}/key 
%{GREEDYDATA:object} " 111 | }, 112 | "condition_type": "string", 113 | "condition_value": "dhcp_updater_default" 114 | }, 115 | { 116 | "title": "Infoblox (named:zone_transfer) Process", 117 | "extractor_type": "grok", 118 | "converters": [], 119 | "order": 0, 120 | "cursor_strategy": "copy", 121 | "source_field": "message", 122 | "target_field": "", 123 | "extractor_config": { 124 | "grok_pattern": "%{HOSTNAME:sname} %{IPV4:dip} %{DATA:process}\\[%{DATA:session}\\]: transfer of \\'%{DATA:URL}/IN\\' from %{IPV4:sip}#%{BASE10NUM:sport}: %{GREEDYDATA:object}" 125 | }, 126 | "condition_type": "string", 127 | "condition_value": "transfer of" 128 | }, 129 | { 130 | "title": "Infoblox (named:zone_reload) Process", 131 | "extractor_type": "grok", 132 | "converters": [], 133 | "order": 0, 134 | "cursor_strategy": "copy", 135 | "source_field": "message", 136 | "target_field": "", 137 | "extractor_config": { 138 | "grok_pattern": "%{HOSTNAME:sname} %{IPV4:dip} %{DATA:process}\\[%{DATA:session}\\]: \\(re\\)loading policy zone \\'%{DATA:URL}\\' %{GREEDYDATA:object}" 139 | }, 140 | "condition_type": "string", 141 | "condition_value": "(re)loading" 142 | }, 143 | { 144 | "title": "Infoblox (zone:AXFR) Process", 145 | "extractor_type": "grok", 146 | "converters": [], 147 | "order": 0, 148 | "cursor_strategy": "copy", 149 | "source_field": "message", 150 | "target_field": "", 151 | "extractor_config": { 152 | "grok_pattern": "%{HOSTNAME:sname} %{IPV4:dip} %{DATA:process}\\[%{DATA:session}\\]: client %{IPV4:sip}#%{BASE10NUM:sport} \\(%{DATA:URL}\\): transfer of \\'%{DATA:URL}/IN\\': %{GREEDYDATA:object}" 153 | }, 154 | "condition_type": "string", 155 | "condition_value": "AXFR" 156 | }, 157 | { 158 | "title": "Infoblox (named:zone_notify) Process", 159 | "extractor_type": "grok", 160 | "converters": [], 161 | "order": 0, 162 | "cursor_strategy": "copy", 163 | "source_field": "message", 164 | "target_field": "", 165 | "extractor_config": { 166 | "grok_pattern": "%{HOSTNAME:sname} 
%{IPV4:dip} %{DATA:process}\\[%{DATA:session}\\]: client %{IPV4:sip}#%{BASE10NUM:sport}: received notify for zone \\'%{DATA:URL}\\'" 167 | }, 168 | "condition_type": "string", 169 | "condition_value": "received notify for zone" 170 | }, 171 | { 172 | "title": "Infoblox (RPZ:QNAME) Process", 173 | "extractor_type": "grok", 174 | "converters": [], 175 | "order": 0, 176 | "cursor_strategy": "copy", 177 | "source_field": "message", 178 | "target_field": "", 179 | "extractor_config": { 180 | "grok_pattern": "%{HOSTNAME:sname} %{IPV4:dip} %{DATA:process}\\[%{DATA:session}\\]: %{GREEDYDATA:objectname} dst=%{IPV4:dip} src=%{IPV4:sip} spt=%{DATA:sport} view=%{DATA:group} qtype=%{DATA:protname} msg=\\\"%{GREEDYDATA:object}\\\"" 181 | }, 182 | "condition_type": "string", 183 | "condition_value": "RPZ-QNAME" 184 | }, 185 | { 186 | "title": "Infoblox (Analytics:DNS_Tunneling) Process", 187 | "extractor_type": "grok", 188 | "converters": [], 189 | "order": 0, 190 | "cursor_strategy": "copy", 191 | "source_field": "message", 192 | "target_field": "", 193 | "extractor_config": { 194 | "grok_pattern": "%{HOSTNAME:sname} %{IPV4:dip} %{DATA:process}: DNS Tunneling detected: Domain name %{DATA:URL} has been detected with tunneling activity. The analytics classification was triggered by %{BASE10NUM:rate} queries from client IP: %{IPV4:sip} to domain %{DATA:domain}. 
%{GREEDYDATA:object}" 195 | }, 196 | "condition_type": "string", 197 | "condition_value": "DNS Tunneling" 198 | } 199 | ], 200 | "version": "2.3.1" 201 | } 202 | -------------------------------------------------------------------------------- /GRAYLOG_LogRhythm_Extractors.json: -------------------------------------------------------------------------------- 1 | { 2 | "extractors": [ 3 | { 4 | "title": "LogRhythm Network Monitor", 5 | "extractor_type": "grok", 6 | "converters": [], 7 | "order": 0, 8 | "cursor_strategy": "copy", 9 | "source_field": "message", 10 | "target_field": "", 11 | "extractor_config": { 12 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}: EVT:%{DATA:vmid} %{DATA:logstamp} %{GREEDYDATA:object}" 13 | }, 14 | "condition_type": "string", 15 | "condition_value": "LogRhythmDpi:" 16 | } 17 | ], 18 | "version": "2.2.0-SNAPSHOT" 19 | } -------------------------------------------------------------------------------- /GRAYLOG_SymantecSSLV-v3x_Extractors.json: -------------------------------------------------------------------------------- 1 | { 2 | "extractors": [ 3 | { 4 | "title": "SSLV-[dhclient]", 5 | "extractor_type": "grok", 6 | "converters": [], 7 | "order": 0, 8 | "cursor_strategy": "copy", 9 | "source_field": "message", 10 | "target_field": "", 11 | "extractor_config": { 12 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}: %{DATA:command}: %{DATA:object}, interval %{BASE10NUM:rate}ms." 
13 | }, 14 | "condition_type": "string", 15 | "condition_value": "dhclient" 16 | }, 17 | { 18 | "title": "SSLV-[sslcontrol]", 19 | "extractor_type": "grok", 20 | "converters": [], 21 | "order": 0, 22 | "cursor_strategy": "copy", 23 | "source_field": "message", 24 | "target_field": "", 25 | "extractor_config": { 26 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}: %{GREEDYDATA:object}" 27 | }, 28 | "condition_type": "string", 29 | "condition_value": "sslcontrol" 30 | }, 31 | { 32 | "title": "SSLV-[sslmanage]", 33 | "extractor_type": "grok", 34 | "converters": [], 35 | "order": 0, 36 | "cursor_strategy": "copy", 37 | "source_field": "message", 38 | "target_field": "", 39 | "extractor_config": { 40 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}: %{GREEDYDATA:object}" 41 | }, 42 | "condition_type": "string", 43 | "condition_value": "sslmanage" 44 | }, 45 | { 46 | "title": "SSLV-[syslog-ng]", 47 | "extractor_type": "grok", 48 | "converters": [], 49 | "order": 0, 50 | "cursor_strategy": "copy", 51 | "source_field": "message", 52 | "target_field": "", 53 | "extractor_config": { 54 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}\\[%{BASE10NUM:session}\\]: %{GREEDYDATA:object}" 55 | }, 56 | "condition_type": "string", 57 | "condition_value": "syslog-ng" 58 | }, 59 | { 60 | "title": "SSLV-[ssldata]", 61 | "extractor_type": "grok", 62 | "converters": [], 63 | "order": 0, 64 | "cursor_strategy": "copy", 65 | "source_field": "message", 66 | "target_field": "", 67 | "extractor_config": { 68 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}\\[%{BASE10NUM:processId}\\]: \\[%{DATA:ssl_segmentId}\\] %{DATA:session} %{IPV4:sip}:%{DATA:sport} -> %{IPV4:dip}:%{DATA:dport} %{DATA:ssl_type} %{DATA:ssl_cypher} %{DATA:URL} %{DATA:ssl_unknown} cert fp: %{DATA:ssl_certificate} rule:%{BASE10NUM:ssl_ruleId} %{DATA:command} %{DATA:ssl_status}" 69 | }, 70 | "condition_type": "string", 71 | "condition_value": "ssldata" 72 | } 73 | ], 74 | "version": "2.2.0-SNAPSHOT" 75 | } 
-------------------------------------------------------------------------------- /GRAYLOG_Ubiquiti_Extractors.json: -------------------------------------------------------------------------------- 1 | { 2 | "extractors": [ 3 | { 4 | "title": "Ubiquiti (Unifi) Command Event", 5 | "extractor_type": "grok", 6 | "converters": [], 7 | "order": 0, 8 | "cursor_strategy": "copy", 9 | "source_field": "message", 10 | "target_field": "", 11 | "extractor_config": { 12 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}: %{DATA:account} : TTY=%{DATA:duration} ; PWD=%{DATA:object} ; USER=%{DATA:login} ; COMMAND=%{GREEDYDATA:command}" 13 | }, 14 | "condition_type": "string", 15 | "condition_value": "CHANGE-ME-UBIQUITI" 16 | }, 17 | { 18 | "title": "Ubiquiti (Unifi) Ace Reporter Event", 19 | "extractor_type": "grok", 20 | "converters": [], 21 | "order": 0, 22 | "cursor_strategy": "copy", 23 | "source_field": "message", 24 | "target_field": "", 25 | "extractor_config": { 26 | "grok_pattern": "\\(\\\"%{HOSTNAME:sname},%{DATA:objectname},%{DATA:version}\\\"\\) %{DATA:process}: %{GREEDYDATA:object}" 27 | }, 28 | "condition_type": "string", 29 | "condition_value": "CHANGE-ME-UBIQUITI" 30 | }, 31 | { 32 | "title": "Ubiquiti (Unifi) Disconnect Event", 33 | "extractor_type": "grok", 34 | "converters": [], 35 | "order": 0, 36 | "cursor_strategy": "copy", 37 | "source_field": "message", 38 | "target_field": "", 39 | "extractor_config": { 40 | "grok_pattern": "\\(\\\"%{HOSTNAME:hostname},%{DATA:objectname},%{DATA:version}\\\"\\) %{DATA:process}\\[%{DATA:session}\\]: %{GREEDYDATA:event}" 41 | }, 42 | "condition_type": "string", 43 | "condition_value": "dropbear" 44 | }, 45 | { 46 | "title": "Ubiquiti (Unifi) syslog Event", 47 | "extractor_type": "grok", 48 | "converters": [], 49 | "order": 0, 50 | "cursor_strategy": "copy", 51 | "source_field": "message", 52 | "target_field": "", 53 | "extractor_config": { 54 | "grok_pattern": 
"\\(\\\"%{HOSTNAME:sname},%{DATA:objectname},%{DATA:version}\\\"\\) %{DATA:process}: %{DATA:command}: %{DATA:objectname} %{DATA:sinterface}: %{DATA:smac} \\/ %{IPV4:sip}" 55 | }, 56 | "condition_type": "string", 57 | "condition_value": "syslog:" 58 | }, 59 | { 60 | "title": "Ubiquiti (Unifi) fwlog Event", 61 | "extractor_type": "grok", 62 | "converters": [], 63 | "order": 0, 64 | "cursor_strategy": "copy", 65 | "source_field": "message", 66 | "target_field": "", 67 | "extractor_config": { 68 | "grok_pattern": "\\(\\\"%{HOSTNAME:sname},%{DATA:objectname},%{DATA:version}\\\"\\) %{DATA:process}: \\[%{DATA:duration}\\] \\[%{DATA:object}\\] FWLOG: \\[%{DATA:session}\\] %{DATA:object} %{GREEDYDATA:junk}" 69 | }, 70 | "condition_type": "string", 71 | "condition_value": "FWLOG:" 72 | }, 73 | { 74 | "title": "Ubiquiti (Unifi) kernel Event", 75 | "extractor_type": "grok", 76 | "converters": [], 77 | "order": 0, 78 | "cursor_strategy": "copy", 79 | "source_field": "message", 80 | "target_field": "", 81 | "extractor_config": { 82 | "grok_pattern": "\\(\\\"%{HOSTNAME:sname},%{DATA:objectname},%{DATA:version}\\\"\\) %{DATA:process}: \\[%{DATA:duration}\\] %{DATA:sinterface}: %{GREEDYDATA:object}" 83 | }, 84 | "condition_type": "string", 85 | "condition_value": "kernel:" 86 | }, 87 | { 88 | "title": "Ubiquiti (Unifi) init Event", 89 | "extractor_type": "grok", 90 | "converters": [], 91 | "order": 0, 92 | "cursor_strategy": "copy", 93 | "source_field": "message", 94 | "target_field": "", 95 | "extractor_config": { 96 | "grok_pattern": "\\(\\\"%{HOSTNAME:sname},%{DATA:objectname},%{DATA:version}\\\"\\) %{DATA:process}: %{GREEDYDATA:object}" 97 | }, 98 | "condition_type": "string", 99 | "condition_value": "init:" 100 | }, 101 | { 102 | "title": "Ubiquiti (Unifi) syswrapper Event", 103 | "extractor_type": "grok", 104 | "converters": [], 105 | "order": 0, 106 | "cursor_strategy": "copy", 107 | "source_field": "message", 108 | "target_field": "", 109 | "extractor_config": { 110 | 
"grok_pattern": "\\(\\\"%{HOSTNAME:sname},%{DATA:objectname},%{DATA:version}\\\"\\) %{DATA:process}: %{GREEDYDATA:object}" 111 | }, 112 | "condition_type": "string", 113 | "condition_value": "syswrapper:" 114 | }, 115 | { 116 | "title": "Ubiquiti (Unifi) hostapd Event", 117 | "extractor_type": "grok", 118 | "converters": [], 119 | "order": 0, 120 | "cursor_strategy": "copy", 121 | "source_field": "message", 122 | "target_field": "", 123 | "extractor_config": { 124 | "grok_pattern": "\\(\\\"%{HOSTNAME:sname},%{DATA:objectname},%{DATA:version}\\\"\\) %{DATA:process}: %{DATA:sinterface}: %{DATA:objectname} %{DATA:smac} %{GREEDYDATA:object}" 125 | }, 126 | "condition_type": "string", 127 | "condition_value": "hostapd:" 128 | }, 129 | { 130 | "title": "Ubiquiti (EdgeRouter-X) DHCP-Offer", 131 | "extractor_type": "grok", 132 | "converters": [], 133 | "order": 0, 134 | "cursor_strategy": "copy", 135 | "source_field": "message", 136 | "target_field": "", 137 | "extractor_config": { 138 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}: %{DATA:command} on %{IPV4:dip} to %{DATA:dmac} \\(%{HOSTNAME:dname}\\) via %{DATA:sinterface}" 139 | }, 140 | "condition_type": "string", 141 | "condition_value": "DHCPOFFER" 142 | }, 143 | { 144 | "title": "Ubiquiti (EdgeRouter-X) DHCP-Request", 145 | "extractor_type": "grok", 146 | "converters": [], 147 | "order": 0, 148 | "cursor_strategy": "copy", 149 | "source_field": "message", 150 | "target_field": "", 151 | "extractor_config": { 152 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}: %{DATA:command} for %{IPV4:dip} \\(%{IPV4:sip}\\) from %{DATA:dmac} \\(%{HOSTNAME:dname}\\) via %{DATA:sinterface}" 153 | }, 154 | "condition_type": "string", 155 | "condition_value": "DHCPREQUEST" 156 | }, 157 | { 158 | "title": "Ubiquiti (EdgeRouter-X) DHCP-Acknowledge", 159 | "extractor_type": "grok", 160 | "converters": [], 161 | "order": 0, 162 | "cursor_strategy": "copy", 163 | "source_field": "message", 164 | "target_field": "", 165 | 
"extractor_config": { 166 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}: %{DATA:command} on %{IPV4:dip} to %{DATA:dmac} \\(%{HOSTNAME:dname}\\) via %{DATA:sinterface}" 167 | }, 168 | "condition_type": "string", 169 | "condition_value": "DHCPACK" 170 | }, 171 | { 172 | "title": "Ubiquiti (EdgeRouter-X) DHCP [WAN] Client(1)", 173 | "extractor_type": "grok", 174 | "converters": [], 175 | "order": 0, 176 | "cursor_strategy": "copy", 177 | "source_field": "message", 178 | "target_field": "", 179 | "extractor_config": { 180 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}: bound to %{IPV4:sip} -- %{GREEDYDATA:object}" 181 | }, 182 | "condition_type": "string", 183 | "condition_value": "dhclient" 184 | }, 185 | { 186 | "title": "Ubiquiti (EdgeRouter-X) DHCP [WAN] Client(3)", 187 | "extractor_type": "grok", 188 | "converters": [], 189 | "order": 0, 190 | "cursor_strategy": "copy", 191 | "source_field": "message", 192 | "target_field": "", 193 | "extractor_config": { 194 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}: %{DATA:command} from %{IPV4:dip}" 195 | }, 196 | "condition_type": "string", 197 | "condition_value": "dhclient" 198 | }, 199 | { 200 | "title": "Ubiquiti (EdgeRouter-X) DHCP [WAN] Client(2)", 201 | "extractor_type": "grok", 202 | "converters": [], 203 | "order": 0, 204 | "cursor_strategy": "copy", 205 | "source_field": "message", 206 | "target_field": "", 207 | "extractor_config": { 208 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}: %{DATA:command} on %{DATA:sinterface} to %{IPV4:dip} port %{BASE10NUM:dport}" 209 | }, 210 | "condition_type": "string", 211 | "condition_value": "dhclient" 212 | }, 213 | { 214 | "title": "Ubiquiti (EdgeRouter-X) CRON-Execution", 215 | "extractor_type": "grok", 216 | "converters": [], 217 | "order": 0, 218 | "cursor_strategy": "copy", 219 | "source_field": "message", 220 | "target_field": "", 221 | "extractor_config": { 222 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}\\[%{BASE10NUM:session}]: 
\\(%{DATA:login}\\) CMD %{GREEDYDATA:command}" 223 | }, 224 | "condition_type": "string", 225 | "condition_value": "/USR/BIN/CRON" 226 | }, 227 | { 228 | "title": "Ubiquiti (EdgeRouter-X) CRON General Message", 229 | "extractor_type": "grok", 230 | "converters": [], 231 | "order": 0, 232 | "cursor_strategy": "copy", 233 | "source_field": "message", 234 | "target_field": "", 235 | "extractor_config": { 236 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}\\[%{BASE10NUM:session}\\]: %{DATA:objectname}: %{GREEDYDATA:object}" 237 | }, 238 | "condition_type": "string", 239 | "condition_value": "CRON" 240 | }, 241 | { 242 | "title": "Ubiquiti (EdgeRouter-X) DHCP-Discover", 243 | "extractor_type": "grok", 244 | "converters": [], 245 | "order": 0, 246 | "cursor_strategy": "copy", 247 | "source_field": "message", 248 | "target_field": "", 249 | "extractor_config": { 250 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}: %{DATA:command} from %{DATA:dmac} \\(%{HOSTNAME:dname}\\) via %{DATA:sinterface}" 251 | }, 252 | "condition_type": "string", 253 | "condition_value": "DHCPDISCOVER" 254 | }, 255 | { 256 | "title": "Ubiquiti (EdgeRouter-X) DHCP General Message", 257 | "extractor_type": "grok", 258 | "converters": [], 259 | "order": 0, 260 | "cursor_strategy": "copy", 261 | "source_field": "message", 262 | "target_field": "", 263 | "extractor_config": { 264 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}: %{GREEDYDATA:payload}" 265 | }, 266 | "condition_type": "string", 267 | "condition_value": "dhcpd" 268 | }, 269 | { 270 | "title": "Ubiquiti (Unifi) Sudo Session Event", 271 | "extractor_type": "grok", 272 | "converters": [], 273 | "order": 0, 274 | "cursor_strategy": "copy", 275 | "source_field": "message", 276 | "target_field": "", 277 | "extractor_config": { 278 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:account}: %{DATA:process}: %{GREEDYDATA:object}" 279 | }, 280 | "condition_type": "string", 281 | "condition_value": "pam_unix(sudo:session)" 282 | } 283 | ], 
284 | "version": "2.2.0-SNAPSHOT" 285 | } -------------------------------------------------------------------------------- /GRAYLOG_Untangle-v12_Extractors.json: -------------------------------------------------------------------------------- 1 | { 2 | "extractors": [ 3 | { 4 | "title": "com.untangle.node.application_control_lite.ApplicationControlLiteEvent", 5 | "extractor_type": "grok", 6 | "converters": [], 7 | "order": 5, 8 | "cursor_strategy": "copy", 9 | "source_field": "message", 10 | "target_field": "message", 11 | "extractor_config": { 12 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:header} <%{DATA:session}> %{DATA:severity} %{DATA:tag}\\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"protocol\\\":%{DATA:protocol},\\\"blocked\\\":%{DATA:blocked},\\\"sessionId\\\":%{DATA:session},\\\"tag\\\":\\\"%{DATA:tag}\\\",\\\"class\\\":\\\"class %{DATA:class}\\\",\\\"partitionTablePostfix\\\":\\\"%{DATA:partitionTable}\\\"" 13 | }, 14 | "condition_type": "string", 15 | "condition_value": "com.untangle.node.application_control_lite.ApplicationControlLiteEvent" 16 | }, 17 | { 18 | "title": "com.untangle.uvm.node.SessionMinuteEvent", 19 | "extractor_type": "grok", 20 | "converters": [], 21 | "order": 3, 22 | "cursor_strategy": "copy", 23 | "source_field": "message", 24 | "target_field": "message", 25 | "extractor_config": { 26 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:header} <> %{DATA:severity} %{DATA:tag}\\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"c2sBytes\\\":%{BASE10NUM:bytesIn},\\\"sessionId\\\":%{BASE10NUM:session},\\\"tag\\\":\\\"%{DATA:tag}\\\",\\\"class\\\":\\\"class %{DATA:class}\\\",\\\"s2cBytes\\\":%{BASE10NUM:bytesOut},\\\"partitionTablePostfix\\\":\\\"%{DATA:partitionTable}\\\"}" 27 | }, 28 | "condition_type": "string", 29 | "condition_value": "com.untangle.uvm.node.SessionMinuteEvent" 30 | }, 31 | { 32 | "title": "com.untangle.node.intrusion_prevention.IntrusionPreventionLogEvent", 33 | "extractor_type": "grok", 34 | "converters": [], 35 | "order": 
4, 36 | "cursor_strategy": "copy", 37 | "source_field": "message", 38 | "target_field": "message", 39 | "extractor_config": { 40 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:header} <> %{DATA:severity} %{DATA:tag}\\{\\\"msg\\\":\\\"%{DATA:ids_rule}\\\",\\\"ipDestination\\\":\\\"/%{IPV4:dip}\\\",\\\"classtype\\\":\\\"%{DATA:ids_classtype}\\\",\\\"signatureId\\\":%{BASE10NUM:ids_signatureId},\\\"sportItype\\\":%{BASE10NUM:sport},\\\"mplsLabel\\\":%{BASE10NUM:mplsLabel},\\\"eventMicrosecond\\\":%{BASE10NUM:microsecond},\\\"sensorId\\\":%{BASE10NUM:sensorId},\\\"priorityId\\\":%{BASE10NUM:priority},\\\"partitionTablePostfix\\\":\\\"%{DATA:partitionTable}\\\",\\\"generatorId\\\":%{BASE10NUM:ruleId},\\\"protocol\\\":%{BASE10NUM:protocol},\\\"blocked\\\":%{BASE10NUM:blocked},\\\"signatureRevision\\\":%{BASE10NUM:ids_signature},\\\"tag\\\":\\\"%{DATA:tag}\\\",\\\"class\\\":\\\"class %{DATA:class}\\\",\\\"dportIcode\\\":%{BASE10NUM:dport},\\\"eventId\\\":%{BASE10NUM:eventId},\\\"padding\\\":%{BASE10NUM:padding},\\\"impactFlag\\\":%{BASE10NUM:ids_impactflag},\\\"vlanId\\\":%{BASE10NUM:vlanId},\\\"eventSecond\\\":%{BASE10NUM:seconds},\\\"impact\\\":%{BASE10NUM:ids_impact},\\\"ipSource\\\":\\\"/%{IPV4:sip}\\\",\\\"eventType\\\":%{DATA:ids_eventType},\\\"classificationId\\\":%{BASE10NUM:ids_classificationId},\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"category\\\":\\\"%{DATA:ids_category}\\\"" 41 | }, 42 | "condition_type": "string", 43 | "condition_value": "com.untangle.node.intrusion_prevention.IntrusionPreventionLogEvent" 44 | }, 45 | { 46 | "title": "com.untangle.uvm.node.SessionNatEvent", 47 | "extractor_type": "grok", 48 | "converters": [], 49 | "order": 1, 50 | "cursor_strategy": "copy", 51 | "source_field": "message", 52 | "target_field": "message", 53 | "extractor_config": { 54 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:header} <> %{DATA:severity} 
%{DATA:tag}\\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"SClientPort\\\":%{BASE10NUM:sport},\\\"SServerPort\\\":%{BASE10NUM:dport},\\\"SClientAddr\\\":\\\"/%{IPV4:sip}\\\",\\\"tag\\\":\\\"%{DATA:tag}\\\",\\\"class\\\":\\\"class %{DATA:class}\\\",\\\"SServerAddr\\\":\\\"/%{IPV4:dip}\\\"" 55 | }, 56 | "condition_type": "string", 57 | "condition_value": "com.untangle.uvm.node.SessionNatEvent" 58 | }, 59 | { 60 | "title": "com.untangle.node.firewall.FirewallEvent", 61 | "extractor_type": "grok", 62 | "converters": [], 63 | "order": 6, 64 | "cursor_strategy": "copy", 65 | "source_field": "message", 66 | "target_field": "message", 67 | "extractor_config": { 68 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:header} <%{DATA:session}> %{DATA:severity} %{DATA:tag}\\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"flagged\\\":%{DATA:flagged},\\\"blocked\\\":%{DATA:blocked},\\\"sessionId\":%{DATA:session},\\\"tag\\\":\\\"%{DATA:tag}\\\",\\\"ruleId\\\":%{BASE10NUM:ruleId},\\\"class\\\":\\\"class %{DATA:class}\\\",\\\"partitionTablePostfix\\\":\\\"%{DATA:partitionTable}\\\"" 69 | }, 70 | "condition_type": "string", 71 | "condition_value": "com.untangle.node.firewall.FirewallEvent" 72 | }, 73 | { 74 | "title": "com.untangle.uvm.logging.InterfaceStatEvent", 75 | "extractor_type": "grok", 76 | "converters": [], 77 | "order": 8, 78 | "cursor_strategy": "copy", 79 | "source_field": "message", 80 | "target_field": "message", 81 | "extractor_config": { 82 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:header} <%{DATA:session}> %{DATA:severity} %{DATA:tag}\\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"txRate\\\":%{DATA:bytesOut},\\\"interfaceId\\\":%{BASE10NUM:sinterface},\\\"tag\\\":\\\"%{DATA:tag}\\\",\\\"rxRate\\\":%{DATA:bytesIn},\\\"class\\\":\\\"class %{DATA:class}\\\",\\\"partitionTablePostfix\\\":\\\"%{DATA:partitionTable}\\\"}" 83 | }, 84 | "condition_type": "string", 85 | "condition_value": "com.untangle.uvm.logging.InterfaceStatEvent" 86 | }, 87 | { 88 | "title": 
"com.untangle.node.http.HttpRequestEvent", 89 | "extractor_type": "grok", 90 | "converters": [], 91 | "order": 0, 92 | "cursor_strategy": "copy", 93 | "source_field": "message", 94 | "target_field": "message", 95 | "extractor_config": { 96 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:header} <%{DATA:session}> %{DATA:severity} %{DATA:tag}\\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"contentLength\\\":%{BASE10NUM:bytesIn},\\\"requestLine\\\":\\\"%{DATA:URL}\\\",\\\"tag\\\":\\\"%{DATA:tag}\\\",\\\"contentType\\\":\\\"%{DATA:contentType}\\\",\\\"class\\\":\\\"class %{DATA:class}\\\",\\\"httpRequestEvent\\\":\\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"method\\\":\\\"%{DATA:command}\\\",\\\"requestId\\\":%{DATA:session},\\\"domain\\\":\\\"%{DATA:domain}\\\",\\\"host\\\":\\\"%{HOSTNAME:hostname}\\\",\\\"contentLength\\\":%{BASE10NUM:bytesOut},\\\"requestUri\\\":\\\"%{DATA:requestUri}\\\",\\\"tag\\\":\\\"%{DATA:tag}\\\",\\\"class\\\":\\\"class %{DATA:class}\\\",\\\"sessionEvent\\\":\\{\\\"entitled\\\":%{DATA:entitled},\\\"partitionTablePostfix\\\":\\\"%{DATA:partitionTable},\\\"protocol\\\":%{BASE10NUM:protocol},\\\"hostname\\\":\\\"", 97 | "named_captures_only": true 98 | }, 99 | "condition_type": "string", 100 | "condition_value": "com.untangle.node.http.HttpRequestEvent" 101 | }, 102 | { 103 | "title": "com.untangle.uvm.node.SessionStatsEvent", 104 | "extractor_type": "grok", 105 | "converters": [], 106 | "order": 2, 107 | "cursor_strategy": "copy", 108 | "source_field": "message", 109 | "target_field": "message", 110 | "extractor_config": { 111 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:header} <> %{DATA:severity} %{DATA:tag}\\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"s2pBytes\\\":%{BASE10NUM:bytesIn},\\\"p2sBytes\":%{BASE10NUM:bytesOut},\\\"endTime\\\":%{BASE10NUM:sessionTime},\\\"sessionId\":%{DATA:session},\\\"tag\\\":\\\"%{DATA:tag}\\\",\\\"class\\\":\\\"class %{DATA:class}\\\",\\\"partitionTablePostfix\\\":\\\"%{DATA:partitionTable}\\\"", 112 | 
"named_captures_only": true 113 | }, 114 | "condition_type": "string", 115 | "condition_value": "com.untangle.uvm.node.SessionStatsEvent" 116 | }, 117 | { 118 | "title": "com.untangle.uvm.node.SessionEvent", 119 | "extractor_type": "grok", 120 | "converters": [], 121 | "order": 7, 122 | "cursor_strategy": "copy", 123 | "source_field": "message", 124 | "target_field": "message", 125 | "extractor_config": { 126 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:header} <> %{DATA:severity} %{DATA:tag}\\{\\\"entitled\\\":%{DATA:entitled},\\\"partitionTablePostfix\\\":\\\"%{DATA:partitionTable}\\\",\\\"protocol\\\":%{BASE10NUM:protocol},\\\"hostname\\\":\\\"%{HOSTNAME:hostname}\\\",\\\"CServerPort\\\":%{BASE10NUM:dport},\\\"protocolName\\\":%{DATA:protocol},\\\"tag\\\":\\\"%{DATA:tag}\\\",\\\"serverLatitude\\\":%{DATA:latitude},\\\"localAddr\\\":\\\"/%{IPV4:sip}\\\",\\\"class\\\":\\\"class %{DATA:class}\\\",\\\"SServerAddr\\\":\\\"/%{IPV4:dip}\\\",\\\"remoteAddr\\\":\\\"/%{IPV4:dip}\\\",\\\"serverIntf\\\":%{BASE10NUM:dinterface},\\\"CClientAddr\\\":\\\"/%{IPV4:sip}\\\",\\\"serverCountry\\\":\\\"%{DATA:dst_country}\\\",\\\"sessionId\\\":%{BASE10NUM:session},\\\"SClientAddr\\\":\\\"/%{IPV4:sip}\",\\\"clientCountry\\\":\\\"%{DATA:src_country}\\\",\\\"CClientPort\\\":%{BASE10NUM:sport},\\\"policyRuleId\\\":%{BASE10NUM:ruleId},\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"serverLongitude\\\":%{DATA:longitude},\\\"clientIntf\\\":%{BASE10NUM:sinterface},\\\"policyId\\\":%{BASE10NUM:policyId},\\\"SClientPort\\\":%{BASE10NUM:sport},\\\"bypassed\\\":%{DATA:bypassed},\\\"SServerPort\\\":%{BASE10NUM:dport},\\\"CServerAddr\\\":\\\"/%{IPV4:sip}\\\"}", 127 | "named_captures_only": true 128 | }, 129 | "condition_type": "string", 130 | "condition_value": "com.untangle.uvm.node.SessionEvent" 131 | } 132 | ], 133 | "version": "2.2.0-SNAPSHOT" 134 | } -------------------------------------------------------------------------------- /GRAYLOG_Untangle-v13_Extractors.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "extractors": [ 3 | { 4 | "title": "com.untangle.app.firewall.FirewallEvent", 5 | "extractor_type": "grok", 6 | "converters": [], 7 | "order": 0, 8 | "cursor_strategy": "copy", 9 | "source_field": "message", 10 | "target_field": "", 11 | "extractor_config": { 12 | "grok_pattern": "%{DATA:severity} %{DATA:junk} \\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"flagged\\\":%{DATA:junk},\\\"blocked\\\":%{DATA:junk},\\\"sessionId\\\":%{DATA:session},\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"ruleId\\\":%{DATA:policyrule},\\\"class\\\":\\\"%{DATA:object}\\\",\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\"\\}" 13 | }, 14 | "condition_type": "string", 15 | "condition_value": "class com.untangle.app.firewall.FirewallEvent" 16 | }, 17 | { 18 | "title": "com.untangle.uvm.HostTableEvent", 19 | "extractor_type": "grok", 20 | "converters": [], 21 | "order": 0, 22 | "cursor_strategy": "copy", 23 | "source_field": "message", 24 | "target_field": "", 25 | "extractor_config": { 26 | "grok_pattern": "%{DATA:severity} %{DATA:junk} \\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"address\\\":\\\"/%{IPV4:sip}\\\",\\\"oldValue\\\":\\\"%{DATA:objectprevname}\\\",\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"value\\\":\\\"%{DATA:objectname}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"key\\\":\\\"%{DATA:process}\\\",\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\"\\}" 27 | }, 28 | "condition_type": "string", 29 | "condition_value": "class com.untangle.uvm.HostTableEvent" 30 | }, 31 | { 32 | "title": "com.untangle.uvm.logging.InterfaceStatEvent(2)", 33 | "extractor_type": "grok", 34 | "converters": [], 35 | "order": 0, 36 | "cursor_strategy": "copy", 37 | "source_field": "message", 38 | "target_field": "", 39 | "extractor_config": { 40 | "grok_pattern": "%{DATA:severity} %{DATA:junk} 
\\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"txRate\\\":%{DATA:bytesOut},\\\"interfaceId\\\":%{BASE10NUM:sinterface},\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"rxRate\\\":%{DATA:bytesIn},\\\"class\\\":\\\"%{DATA:object}\\\",\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\"\\}" 41 | }, 42 | "condition_type": "string", 43 | "condition_value": "com.untangle.uvm.logging.InterfaceStatEvent" 44 | }, 45 | { 46 | "title": "com.untangle.uvm.logging.InterfaceStatEvent", 47 | "extractor_type": "grok", 48 | "converters": [], 49 | "order": 8, 50 | "cursor_strategy": "copy", 51 | "source_field": "message", 52 | "target_field": "message", 53 | "extractor_config": { 54 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:header} <%{DATA:session}> %{DATA:severity} %{DATA:tag}\\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"txRate\\\":%{DATA:bytesOut},\\\"interfaceId\\\":%{BASE10NUM:sinterface},\\\"tag\\\":\\\"%{DATA:tag}\\\",\\\"rxRate\\\":%{DATA:bytesIn},\\\"class\\\":\\\"class %{DATA:object}\\\",\\\"partitionTablePostfix\\\":\\\"%{DATA:partitionTable}\\\"}" 55 | }, 56 | "condition_type": "string", 57 | "condition_value": "com.untangle.uvm.logging.InterfaceStatEvent" 58 | }, 59 | { 60 | "title": "com.untangle.app.application_control_lite.ApplicationControlLiteEvent", 61 | "extractor_type": "grok", 62 | "converters": [], 63 | "order": 0, 64 | "cursor_strategy": "copy", 65 | "source_field": "message", 66 | "target_field": "", 67 | "extractor_config": { 68 | "grok_pattern": "%{DATA:severity} %{DATA:junk} \\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"protocol\\\":\\\"%{DATA:protname}\\\",\\\"blocked\\\":%{DATA:junk},\\\"sessionId\\\":%{DATA:session},\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\"\\}" 69 | }, 70 | "condition_type": "string", 71 | "condition_value": "com.untangle.app.application_control_lite.ApplicationControlLiteEvent" 72 | }, 73 | { 74 | "title": "com.untangle.uvm.app.SessionMinuteEvent", 75 | 
"extractor_type": "grok", 76 | "converters": [], 77 | "order": 0, 78 | "cursor_strategy": "copy", 79 | "source_field": "message", 80 | "target_field": "", 81 | "extractor_config": { 82 | "grok_pattern": "%{DATA:severity} %{DATA:junk} \\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"c2sBytes\\\":%{BASE10NUM:bytesIn},\\\"sessionId\\\":%{DATA:session},\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"s2cBytes\\\":%{BASE10NUM:bytesOut},\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\"\\}" 83 | }, 84 | "condition_type": "string", 85 | "condition_value": "com.untangle.uvm.app.SessionMinuteEvent" 86 | }, 87 | { 88 | "title": "com.untangle.uvm.app.SessionStatsEvent(3)", 89 | "extractor_type": "grok", 90 | "converters": [], 91 | "order": 0, 92 | "cursor_strategy": "copy", 93 | "source_field": "message", 94 | "target_field": "", 95 | "extractor_config": { 96 | "grok_pattern": "%{DATA:severity} %{DATA:junk} \\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"s2pBytes\\\":%{BASE10NUM:bytesOut},\\\"p2sBytes\\\":%{BASE10NUM:bytesIn},\\\"endTime\\\":%{DATA:timeend},\\\"sessionId\\\":%{DATA:session},\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"c2pBytes\\\":%{BASE10NUM:bytesIn},\\\"p2cBytes\\\":%{BASE10NUM:bytesOut},\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\"\\}" 97 | }, 98 | "condition_type": "string", 99 | "condition_value": "class com.untangle.uvm.app.SessionStatsEvent" 100 | }, 101 | { 102 | "title": "com.untangle.uvm.app.SessionEvent", 103 | "extractor_type": "grok", 104 | "converters": [], 105 | "order": 0, 106 | "cursor_strategy": "copy", 107 | "source_field": "message", 108 | "target_field": "", 109 | "extractor_config": { 110 | "grok_pattern": "%{DATA:severity} %{DATA:junk} 
\\{\\\"entitled\\\":%{DATA:junk},\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\",\\\"hostname\\\":\\\"%{HOSTNAME:sname}\\\",\\\"CServerPort\\\":%{BASE10NUM:sport},\\\"protocol\\\":%{DATA:protnum},\\\"protocolName\\\":\\\"%{DATA:protname}\\\",\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"serverLatitude\\\":%{DATA:latitude},\\\"localAddr\\\":\\\"\\/%{IPV4:sip}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"SServerAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"remoteAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"serverIntf\\\":%{DATA:sinterface},\\\"CClientAddr\\\":\\\"\\/%{IPV4:sip}\\\",\\\"serverCountry\\\":\\\"%{DATA:slocation}\\\",\\\"SClientAddr\\\":\\\"/%{IPV4:snatip}\\\",\\\"sessionId\\\":%{DATA:session},\\\"CClientPort\\\":%{BASE10NUM:dport},\\\"policyRuleId\\\":%{DATA:policyrule},\\\"clientCountry\\\":\\\"%{DATA:dlocation}\\\",\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"serverLongitude\\\":%{DATA:longitude},\\\"clientIntf\\\":%{BASE10NUM:dinterface},\\\"SClientPort\\\":%{BASE10NUM:dport},\\\"policyId\\\":%{BASE10NUM:policy},\\\"SServerPort\\\":%{BASE10NUM:sport},\\\"bypassed\\\":%{DATA:junk},\\\"CServerAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"tagsString\\\":\\\"%{DATA:junk}\\\"\\}" 111 | }, 112 | "condition_type": "string", 113 | "condition_value": "com.untangle.uvm.app.SessionEvent" 114 | }, 115 | { 116 | "title": "com.untangle.uvm.app.SessionEvent(2)", 117 | "extractor_type": "grok", 118 | "converters": [], 119 | "order": 0, 120 | "cursor_strategy": "copy", 121 | "source_field": "message", 122 | "target_field": "", 123 | "extractor_config": { 124 | "grok_pattern": "%{DATA:severity} %{DATA:junk} 
\\{\\\"entitled\\\":%{DATA:junk},\\\"CClientAddr\\\":\\\"\\/%{IPV4:sip}\\\",\\\"SClientAddr\\\":\\\"\\/%{IPV4:sip}\\\",\\\"sessionId\\\":%{DATA:session},\\\"CClientPort\\\":%{BASE10NUM:dport},\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\",\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"hostname\\\":\\\"%{HOSTNAME:sname}\\\",\\\"CServerPort\\\":%{BASE10NUM:sport},\\\"clientIntf\\\":%{DATA:dinterface},\\\"protocol\\\":%{BASE10NUM:protnum},\\\"SClientPort\\\":%{BASE10NUM:dport},\\\"policyId\\\":%{DATA:policy},\\\"protocolName\\\":\\\"%{DATA:protname}\\\",\\\"SServerPort\\\":%{BASE10NUM:sport},\\\"bypassed\\\":%{DATA:junk},\\\"CServerAddr\\\":\\\"/%{IPV4:dip}\\\",\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"localAddr\\\":\\\"\\/%{IPV4:snatip}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"SServerAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"remoteAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"serverIntf\\\":%{DATA:sinterface}\\}" 125 | }, 126 | "condition_type": "string", 127 | "condition_value": "com.untangle.uvm.app.SessionEvent" 128 | }, 129 | { 130 | "title": "com.untangle.uvm.app.SessionStatsEvent", 131 | "extractor_type": "grok", 132 | "converters": [], 133 | "order": 0, 134 | "cursor_strategy": "copy", 135 | "source_field": "message", 136 | "target_field": "", 137 | "extractor_config": { 138 | "grok_pattern": "%{DATA:severity} %{DATA:junk} 
\\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"s2pBytes\\\":%{BASE10NUM:bytesIn},\\\"p2sBytes\\\":%{BASE10NUM:bytesOut},\\\"endTime\\\":%{DATA:duration},\\\"sessionId\\\":%{DATA:session},\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"%{DATA:objectname}\\\":\\{\\\"entitled\\\":%{DATA:junk},\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\",\\\"hostname\\\":\\\"%{HOSTNAME:sname}\\\",\\\"CServerPort\\\":%{BASE10NUM:sport},\\\"protocol\\\":%{DATA:protnum},\\\"protocolName\\\":\\\"%{DATA:protname}\\\",\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"serverLatitude\\\":%{DATA:latitude},\\\"localAddr\\\":\\\"\\/%{IPV4:sip}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"SServerAddr\\\":\\\"/%{IPV4:dip}\\\",\\\"remoteAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"serverIntf\\\":%{BASE10NUM:sinterface},\\\"CClientAddr\\\":\\\"\\/%{IPV4:sip}\\\",\\\"serverCountry\\\":\\\"%{DATA:slocation}\\\",\\\"SClientAddr\\\":\\\"\\/%{IPV4:snatip}\\\",\\\"sessionId\\\":%{DATA:session},\\\"CClientPort\\\":%{BASE10NUM:dport},\\\"policyRuleId\\\":%{DATA:policyrule},\\\"clientCountry\\\":\\\"%{DATA:dlocation}\\\",\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"serverLongitude\\\":%{DATA:longitude},\\\"clientIntf\\\":%{BASE10NUM:dinterface},\\\"SClientPort\\\":%{BASE10NUM:dport},\\\"policyId\\\":%{BASE10NUM:policy},\\\"SServerPort\\\":%{BASE10NUM:sport},\\\"bypassed\\\":%{DATA:junk},\\\"CServerAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"tagsString\\\":\\\"%{DATA:junk}\\\"},\\\"c2pBytes\\\":%{DATA:bytesOut},\\\"p2cBytes\\\":%{BASE10NUM:bytesIn},\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\"\\}" 139 | }, 140 | "condition_type": "string", 141 | "condition_value": "class com.untangle.uvm.app.SessionStatsEvent" 142 | }, 143 | { 144 | "title": "com.untangle.uvm.logging.SystemStatEvent", 145 | "extractor_type": "grok", 146 | "converters": [], 147 | "order": 0, 148 | "cursor_strategy": "copy", 149 | "source_field": "message", 150 | "target_field": "", 151 | "extractor_config": { 152 | "grok_pattern": 
"%{DATA:severity} %{DATA:junk} \\{%{GREEDYDATA:junk},\\\"class\\\":\\\"%{DATA:object}\\\",%{GREEDYDATA:junk},\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",%{GREEDYDATA:junk}\\}" 153 | }, 154 | "condition_type": "string", 155 | "condition_value": "com.untangle.uvm.logging.SystemStatEvent" 156 | }, 157 | { 158 | "title": "com.untangle.uvm.DeviceTableEntry", 159 | "extractor_type": "grok", 160 | "converters": [], 161 | "order": 0, 162 | "cursor_strategy": "copy", 163 | "source_field": "message", 164 | "target_field": "", 165 | "extractor_config": { 166 | "grok_pattern": "%{DATA:severity} %{DATA:junk} \\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"macAddress\\\":\\\"%{DATA:smac}\\\",\\\"oldValue\\\":\\\"%{DATA:junk}\\\",\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"device\\\":\\{\\\"macAddress\\\":\\\"%{DATA:smac}\\\",\\\"macVendor\\\":\\\"%{DATA:junk}\\\",\\\"hostnameLastKnown\\\":\\\"%{HOSTNAME:sname}\\\",\\\"lastSessionTime\\\":%{DATA:session},\\\"interfaceId\\\":%{BASE10NUM:sinterface},\\\"httpUserAgent\\\":\\\"%{DATA:version}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"tags\\\":%{DATA:junk},\\\"tagsString\\\":\\\"%{DATA:junk}\\\"\\},\\\"value\\\":\\\"%{DATA:version}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"key\\\":\\\"%{DATA:objectname}\\\",\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\"\\}" 167 | }, 168 | "condition_type": "string", 169 | "condition_value": "com.untangle.uvm.DeviceTableEntry" 170 | }, 171 | { 172 | "title": "requestUri (Truncated)", 173 | "extractor_type": "grok", 174 | "converters": [], 175 | "order": 0, 176 | "cursor_strategy": "copy", 177 | "source_field": "message", 178 | "target_field": "", 179 | "extractor_config": { 180 | "grok_pattern": "%{DATA:severity} %{DATA:junk} 
\\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"referer\\\":\\\"%{DATA:URL}\\\",\\\"method\\\":\\\"%{DATA:command}\\\",\\\"requestId\\\":%{DATA:session},\\\"domain\\\":\\\"%{DATA:domain}\\\",\\\"host\\\":\\\"%{DATA:dname}\\\",\\\"contentLength\\\":%{DATA:size},\\\"requestUri\\\":\\\"%{GREEDYDATA:URI}" 181 | }, 182 | "condition_type": "string", 183 | "condition_value": "requestUri" 184 | }, 185 | { 186 | "title": "com.untangle.app.http.HttpRequestEvent(2)", 187 | "extractor_type": "grok", 188 | "converters": [], 189 | "order": 0, 190 | "cursor_strategy": "copy", 191 | "source_field": "message", 192 | "target_field": "", 193 | "extractor_config": { 194 | "grok_pattern": "%{DATA:severity} %{DATA:junk} \\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"method\\\":\\\"%{DATA:command}\\\",\\\"requestId\\\":%{DATA:session},\\\"domain\\\":\\\"%{DATA:domain}\\\",\\\"host\\\":\\\"%{DATA:URL}\\\",\\\"contentLength\\\":%{DATA:size},\\\"requestUri\\\":\\\"%{DATA:URI}\\\",\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"sessionEvent\\\":\\{\\\"entitled\\\":%{DATA:junk}\\,\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\",\\\"hostname\\\":\\\"%{HOSTNAME:sname}\\\",\\\"CServerPort\\\":%{BASE10NUM:sport},\\\"protocol\\\":%{BASE10NUM:protnum},\\\"protocolName\\\":\\\"%{DATA:protname}\\\",\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"%{GREEDYDATA:payload}" 195 | }, 196 | "condition_type": "string", 197 | "condition_value": "com.untangle.app.http.HttpRequestEvent" 198 | }, 199 | { 200 | "title": "com.untangle.app.intrusion_prevention.IntrusionPreventionLogEvent", 201 | "extractor_type": "grok", 202 | "converters": [], 203 | "order": 0, 204 | "cursor_strategy": "copy", 205 | "source_field": "message", 206 | "target_field": "", 207 | "extractor_config": { 208 | "grok_pattern": "%{DATA:severity} %{DATA:junk} 
\\{\\\"msg\\\":\\\"%{DATA:object}\\\",\\\"ipDestination\\\":\\\"\\/%{IPV4:dip}\\\",\\\"classtype\\\":\\\"%{DATA:objectname}\\\",\\\"signatureId\\\":%{DATA:policy},\\\"sportItype\\\":%{BASE10NUM:sport},\\\"mplsLabel\\\":%{DATA:junk},\\\"eventMicrosecond\\\":%{DATA:duration},\\\"sensorId\\\":%{DATA:junk},\\\"priorityId\\\":%{BASE10NUM:policyId},\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\",\\\"generatorId\\\":%{DATA:junk},\\\"protocol\\\":%{DATA:protnum},\\\"blocked\\\":%{DATA:junk},\\\"signatureRevision\\\":%{DATA:version},\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"dportIcode\\\":%{BASE10NUM:dport},\\\"eventId\\\":%{DATA:vmid},\\\"padding\\\":%{DATA:junk},\\\"impactFlag\\\":%{DATA:junk},\\\"vlanId\\\":%{DATA:junk},\\\"eventSecond\\\":%{DATA:timestart},\\\"impact\\\":%{DATA:junk},\\\"ipSource\\\":\\\"\\/%{IPV4:sip}\\\",\\\"eventType\\\":%{DATA:policyrule},\\\"classificationId\\\":%{DATA:junk},\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"category\\\":\\\"%{DATA:command}\\\"\\}" 209 | }, 210 | "condition_type": "string", 211 | "condition_value": "com.untangle.app.intrusion_prevention.IntrusionPreventionLogEvent" 212 | }, 213 | { 214 | "title": "com.untangle.uvm.app.SessionNatEvent", 215 | "extractor_type": "grok", 216 | "converters": [], 217 | "order": 0, 218 | "cursor_strategy": "copy", 219 | "source_field": "message", 220 | "target_field": "", 221 | "extractor_config": { 222 | "grok_pattern": "%{DATA:severity} %{DATA:junk} 
\\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"SClientPort\\\":%{BASE10NUM:dnatport},\\\"SServerPort\\\":%{BASE10NUM:dport},\\\"SClientAddr\\\":\\\"\\/%{IPV4:snatip}\\\",\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"SServerAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"serverIntf\\\":%{BASE10NUM:sinterface},\\\"sessionEvent\\\":\\{\\\"entitled\\\":%{DATA:junk},\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\",\\\"hostname\\\":\\\"%{HOSTNAME:sname}\\\",\\\"CServerPort\\\":%{BASE10NUM:sport},\\\"protocol\\\":%{BASE10NUM:protnum},\\\"protocolName\\\":\\\"%{DATA:protname}\\\",\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"serverLatitude\\\":%{DATA:latitude},\\\"localAddr\\\":\\\"\\/%{IPV4:sip}\\\",\\\"class\\\":\\\"%{DATA:junk}\\\",\\\"SServerAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"remoteAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"serverIntf\\\":%{BASE10NUM:sinterface},\\\"CClientAddr\\\":\\\"\\/%{IPV4:sip}\\\",\\\"serverCountry\\\":\\\"%{DATA:slocation}\\\",\\\"SClientAddr\\\":\\\"\\/%{IPV4:snatip}\\\",\\\"sessionId\\\":%{DATA:session},\\\"CClientPort\\\":%{BASE10NUM:snatport},\\\"policyRuleId\\\":%{BASE10NUM:policyrule},\\\"clientCountry\\\":\\\"%{DATA:dlocation}\\\",\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"serverLongitude\\\":%{DATA:longitude},\\\"clientIntf\\\":%{BASE10NUM:dinterface},\\\"SClientPort\\\":%{BASE10NUM:dnatport},\\\"policyId\\\":%{BASE10NUM:policy},\\\"SServerPort\\\":%{BASE10NUM:dport},\\\"bypassed\\\":%{DATA:junk},\\\"CServerAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"tagsString\\\":\\\"\\\"\\},\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\"\\}" 223 | }, 224 | "condition_type": "string", 225 | "condition_value": "com.untangle.uvm.app.SessionNatEvent" 226 | }, 227 | { 228 | "title": "com.untangle.app.ad_blocker.cookies.CookieEvent", 229 | "extractor_type": "grok", 230 | "converters": [], 231 | "order": 0, 232 | "cursor_strategy": "copy", 233 | "source_field": "message", 234 | "target_field": "", 235 | "extractor_config": { 236 | "grok_pattern": 
"%{DATA:severity} %{DATA:junk} \\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"identification\\\":\\\"%{DATA:URL}\\\",\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"sessionEvent\\\":\\{\\\"entitled\\\":%{DATA:junk},\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\",\\\"hostname\\\":\\\"%{HOSTNAME:sname}\\\",\\\"CServerPort\\\":%{BASE10NUM:sport},\\\"protocol\\\":%{BASE10NUM:protnum},\\\"protocolName\\\":\\\"%{DATA:protname}\\\",\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"serverLatitude\\\":%{DATA:latitude},\\\"localAddr\\\":\\\"\\/%{IPV4:sip}\\\",\\\"class\\\":\\\"%{DATA:junk}\\\",\\\"SServerAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"remoteAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"serverIntf\\\":%{BASE10NUM:sinterface},\\\"CClientAddr\\\":\\\"\\/%{IPV4:sip}\\\",\\\"serverCountry\\\":\\\"%{DATA:slocation}\\\",\\\"SClientAddr\\\":\\\"\\/%{IPV4:snatip}\\\",\\\"sessionId\\\":%{DATA:session},\\\"CClientPort\\\":%{DATA:dport},\\\"policyRuleId\\\":%{BASE10NUM:policyrule},\\\"clientCountry\\\":\\\"%{DATA:dlocation}\\\",\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"serverLongitude\\\":%{DATA:longitude},\\\"clientIntf\\\":%{BASE10NUM:dinterface},\\\"SClientPort\\\":%{BASE10NUM:dport},\\\"policyId\\\":%{BASE10NUM:policy},\\\"SServerPort\\\":%{BASE10NUM:sport},\\\"bypassed\\\":%{DATA:junk},\\\"CServerAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"tagsString\\\":\\\"%{DATA:junk}\\\"\\},\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\"\\}" 237 | }, 238 | "condition_type": "string", 239 | "condition_value": "com.untangle.app.ad_blocker.cookies.CookieEvent" 240 | }, 241 | { 242 | "title": "com.untangle.app.http.HttpResponseEvent (Truncated)", 243 | "extractor_type": "grok", 244 | "converters": [], 245 | "order": 0, 246 | "cursor_strategy": "copy", 247 | "source_field": "message", 248 | "target_field": "", 249 | "extractor_config": { 250 | "grok_pattern": "%{DATA:severity} %{DATA:junk} 
\\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"contentLength\\\":%{BASE10NUM:size},\\\"requestLine\\\":\\\"%{DATA:command}\",\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"contentType\\\":\\\"%{DATA:objectname}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"httpRequestEvent\\\":%{GREEDYDATA:payload}" 251 | }, 252 | "condition_type": "string", 253 | "condition_value": "class com.untangle.app.http.HttpResponseEvent" 254 | }, 255 | { 256 | "title": "com.untangle.app.openvpn.OpenVpnStatusEvent", 257 | "extractor_type": "grok", 258 | "converters": [], 259 | "order": 0, 260 | "cursor_strategy": "copy", 261 | "source_field": "message", 262 | "target_field": "", 263 | "extractor_config": { 264 | "grok_pattern": "%{DATA:severity} %{DATA:junk}: \\{\\\"address\\\":\\\"\\/%{IPV4:sip}\\\",\\\"clientName\\\":\\\"%{DATA:account}\\\",\\\"start\\\":\\\"%{DATA:timestart}\\\",\\\"bytesTxDelta\\\":%{BASE10NUM:bytesout},\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\",\\\"timeStamp\\\":\"%{DATA:logstamp}\",\\\"bytesRxTotal\\\":%{BASE10NUM:bytesin},\"port\":%{BASE10NUM:sport},\\\"bytesTxTotal\\\":%{BASE10NUM:size},\\\"poolAddress\\\":\\\"\\/%{IPV4:dip}\\\",\\\"end\\\":\\\"%{DATA:timestop}\",\\\"tag\\\":\\\"%{DATA:junk} \\\",\\\"bytesRxDelta\\\":%{BASE10NUM:rate},\\\"class\\\":\\\"class %{DATA:object}\\\"\\}" 265 | }, 266 | "condition_type": "string", 267 | "condition_value": "com.untangle.app.openvpn.OpenVpnStatusEvent" 268 | } 269 | ], 270 | "version": "2.3.1" 271 | } 272 | -------------------------------------------------------------------------------- /GRAYLOG_VMware_ESX_Extractors.json: -------------------------------------------------------------------------------- 1 | { 2 | "extractors": [ 3 | { 4 | "title": "VMware (crond) Process", 5 | "extractor_type": "grok", 6 | "converters": [], 7 | "order": 0, 8 | "cursor_strategy": "copy", 9 | "source_field": "message", 10 | "target_field": "", 11 | "extractor_config": { 12 | "grok_pattern": "%{HOSTNAME:sname} crond\\[%{DATA:session}\\]: 
%{DATA:process}: USER %{DATA:login} pid %{BASE10NUM:processId} cmd %{GREEDYDATA:command}" 13 | }, 14 | "condition_type": "string", 15 | "condition_value": "crond:" 16 | }, 17 | { 18 | "title": "VMware (syslog) Process", 19 | "extractor_type": "grok", 20 | "converters": [], 21 | "order": 0, 22 | "cursor_strategy": "copy", 23 | "source_field": "message", 24 | "target_field": "", 25 | "extractor_config": { 26 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}\\[%{DATA:session}\\]: %{GREEDYDATA:object}" 27 | }, 28 | "condition_type": "string", 29 | "condition_value": "syslog[" 30 | }, 31 | { 32 | "title": "VMware (root) Process", 33 | "extractor_type": "grok", 34 | "converters": [], 35 | "order": 0, 36 | "cursor_strategy": "copy", 37 | "source_field": "message", 38 | "target_field": "", 39 | "extractor_config": { 40 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:login}: %{DATA:command}: %{GREEDYDATA:object}" 41 | }, 42 | "condition_type": "string", 43 | "condition_value": "root:" 44 | }, 45 | { 46 | "title": "VMware (smartd) Process", 47 | "extractor_type": "grok", 48 | "converters": [], 49 | "order": 0, 50 | "cursor_strategy": "copy", 51 | "source_field": "message", 52 | "target_field": "", 53 | "extractor_config": { 54 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}: %{DATA:command}: %{GREEDYDATA:object}" 55 | }, 56 | "condition_type": "string", 57 | "condition_value": "smartd:" 58 | }, 59 | { 60 | "title": "VMware (hostd-probe) Process", 61 | "extractor_type": "grok", 62 | "converters": [], 63 | "order": 0, 64 | "cursor_strategy": "copy", 65 | "source_field": "message", 66 | "target_field": "", 67 | "extractor_config": { 68 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}: %{DATA:severity} hostd-probe\\[%{DATA:session}\\] %{GREEDYDATA:object}" 69 | }, 70 | "condition_type": "string", 71 | "condition_value": "hostd-probe:" 72 | }, 73 | { 74 | "title": "VMware (vmkernel) Process", 75 | "extractor_type": "grok", 76 | "converters": [], 77 | "order": 0, 78 | 
"cursor_strategy": "copy", 79 | "source_field": "message", 80 | "target_field": "", 81 | "extractor_config": { 82 | "grok_pattern": "%{HOSTNAME:sname} vmkernel: %{DATA:process}\\)%{DATA:command}: %{DATA:session}: %{GREEDYDATA:object}" 83 | }, 84 | "condition_type": "string", 85 | "condition_value": "vmkernel:" 86 | }, 87 | { 88 | "title": "VMware (rhttpproxy:Type-1) Process", 89 | "extractor_type": "grok", 90 | "converters": [], 91 | "order": 0, 92 | "cursor_strategy": "copy", 93 | "source_field": "message", 94 | "target_field": "", 95 | "extractor_config": { 96 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}: %{DATA:severity} rhttpproxy\\[%{DATA:session}\\] %{GREEDYDATA:object}" 97 | }, 98 | "condition_type": "string", 99 | "condition_value": "Rhttpproxy:" 100 | }, 101 | { 102 | "title": "VMware (hostd:Type-1) Process", 103 | "extractor_type": "grok", 104 | "converters": [], 105 | "order": 0, 106 | "cursor_strategy": "copy", 107 | "source_field": "message", 108 | "target_field": "", 109 | "extractor_config": { 110 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}: %{DATA:severity} hostd\\[%{DATA:session}\\] %{GREEDYDATA:object}" 111 | }, 112 | "condition_type": "string", 113 | "condition_value": "Hostd:" 114 | }, 115 | { 116 | "title": "VMware (cimslp) Process", 117 | "extractor_type": "grok", 118 | "converters": [], 119 | "order": 0, 120 | "cursor_strategy": "copy", 121 | "source_field": "message", 122 | "target_field": "", 123 | "extractor_config": { 124 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}: %{GREEDYDATA:object}" 125 | }, 126 | "condition_type": "string", 127 | "condition_value": "cimslp:" 128 | }, 129 | { 130 | "title": "VMware (hostd:Type-3) Process", 131 | "extractor_type": "grok", 132 | "converters": [], 133 | "order": 0, 134 | "cursor_strategy": "copy", 135 | "source_field": "message", 136 | "target_field": "", 137 | "extractor_config": { 138 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}: --> %{GREEDYDATA:object}" 139 | }, 140 
| "condition_type": "string", 141 | "condition_value": "Hostd:" 142 | }, 143 | { 144 | "title": "VMware (hostd-probe:Type-2) Process", 145 | "extractor_type": "grok", 146 | "converters": [], 147 | "order": 0, 148 | "cursor_strategy": "copy", 149 | "source_field": "message", 150 | "target_field": "", 151 | "extractor_config": { 152 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:command}: \\[%{DATA:session} %{DATA:severity} \\'%{DATA:process}\\'\\] %{GREEDYDATA:object}" 153 | }, 154 | "condition_type": "string", 155 | "condition_value": "hostd-probe:" 156 | }, 157 | { 158 | "title": "VMware (hostd:Type-2) Process", 159 | "extractor_type": "grok", 160 | "converters": [], 161 | "order": 0, 162 | "cursor_strategy": "copy", 163 | "source_field": "message", 164 | "target_field": "", 165 | "extractor_config": { 166 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:command}: \\[%{DATA:session} %{DATA:severity} \\'%{DATA:process}\\'] %{GREEDYDATA:object}" 167 | }, 168 | "condition_type": "string", 169 | "condition_value": "Hostd:" 170 | }, 171 | { 172 | "title": "VMware (vpxa:Type-2) Process", 173 | "extractor_type": "grok", 174 | "converters": [], 175 | "order": 0, 176 | "cursor_strategy": "copy", 177 | "source_field": "message", 178 | "target_field": "", 179 | "extractor_config": { 180 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:command}: \\[%{DATA:session} %{DATA:severity} \\'%{DATA:process}\\'] %{GREEDYDATA:object}" 181 | }, 182 | "condition_type": "string", 183 | "condition_value": "Vpxa:" 184 | }, 185 | { 186 | "title": "VMware (rhttpproxy:Type-2) Process", 187 | "extractor_type": "grok", 188 | "converters": [], 189 | "order": 0, 190 | "cursor_strategy": "copy", 191 | "source_field": "message", 192 | "target_field": "", 193 | "extractor_config": { 194 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:command}: \\[%{DATA:session} %{DATA:severity} \\'%{DATA:process}\\'\\] %{GREEDYDATA:object}" 195 | }, 196 | "condition_type": "string", 197 | "condition_value": "Rhttpproxy:" 198 | }, 
199 | { 200 | "title": "VMware (hostd:Type-4) Process", 201 | "extractor_type": "grok", 202 | "converters": [], 203 | "order": 0, 204 | "cursor_strategy": "copy", 205 | "source_field": "message", 206 | "target_field": "", 207 | "extractor_config": { 208 | "grok_pattern": "%{HOSTNAME:sname} Hostd: \\[%{DATA:session} %{DATA:severity} \\'%{DATA:process}\\' opID=%{DATA:command} user=%{DATA:login}\\] %{GREEDYDATA:object}" 209 | }, 210 | "condition_type": "string", 211 | "condition_value": "Hostd:" 212 | }, 213 | { 214 | "title": "VMware (vpxa:Type-3) Process", 215 | "extractor_type": "grok", 216 | "converters": [], 217 | "order": 0, 218 | "cursor_strategy": "copy", 219 | "source_field": "message", 220 | "target_field": "", 221 | "extractor_config": { 222 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:command}: \\[%{DATA:session} %{DATA:severity} \\'%{DATA:process}\\' opID=%{DATA:objectname}\\] %{GREEDYDATA:object}" 223 | }, 224 | "condition_type": "string", 225 | "condition_value": "Vpxa:" 226 | }, 227 | { 228 | "title": "VMware (vpxa:Type-1) Process", 229 | "extractor_type": "grok", 230 | "converters": [], 231 | "order": 0, 232 | "cursor_strategy": "copy", 233 | "source_field": "message", 234 | "target_field": "", 235 | "extractor_config": { 236 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:command}: \\[%{DATA:session} %{DATA:severity} \\'%{DATA:process}\\' opID=%{DATA:objectname}\\] \\[%{DATA:command}\\] %{GREEDYDATA:object}" 237 | }, 238 | "condition_type": "string", 239 | "condition_value": "Vpxa:" 240 | } 241 | ], 242 | "version": "2.2.0-SNAPSHOT" 243 | } -------------------------------------------------------------------------------- /GRAYLOG_hMailServer_Extractors.json: -------------------------------------------------------------------------------- 1 | { 2 | "extractors": [ 3 | { 4 | "title": "hMailServer", 5 | "extractor_type": "grok", 6 | "converters": [], 7 | "order": 0, 8 | "cursor_strategy": "copy", 9 | "source_field": "message", 10 | "target_field": "", 11 | 
"extractor_config": { 12 | "grok_pattern": "%{HOSTNAME:sname} %{DATA:process}: \\\"%{DATA:objectname}\\\"\t%{DATA:vmid}\t%{DATA:session}\t\\\"%{DATA:logstamp}\\\"\t\\\"%{IPV4:sip}\\\"\t\\\"%{DATA:command}\\\" \\[%{DATA:object}\\]" 13 | }, 14 | "condition_type": "string", 15 | "condition_value": "CHANGE-ME-HMAILSERVER-HOSTNAME" 16 | }, 17 | ], 18 | "version": "2.2.0-SNAPSHOT" 19 | } -------------------------------------------------------------------------------- /GRAYLOG_pfSense_Extractors.json: -------------------------------------------------------------------------------- 1 | { 2 | "extractors": [ 3 | { 4 | "title": "pfSense Firewall WebFilter Log", 5 | "extractor_type": "grok", 6 | "converters": [], 7 | "order": 0, 8 | "cursor_strategy": "copy", 9 | "source_field": "message", 10 | "target_field": "", 11 | "extractor_config": { 12 | "grok_pattern": "%{DATA:process}: %{DATA:ruleId},%{DATA:subruleId},%{DATA:anchor},%{BASE10NUM:tracker},%{DATA:sinterface},%{DATA:objectname},%{DATA:command},%{DATA:direction},%{BASE10NUM:iptype},%{DATA:offset},%{DATA:tos},%{DATA:ecn},%{BASE10NUM:duration},%{BASE10NUM:session},%{DATA:flags},%{BASE10NUM:protnum},%{DATA:protocol},%{BASE10NUM:size},%{IPV4:sip},%{IPV4:dip},%{BASE10NUM:tcp_flags},%{BASE10NUM:sequence},%{BASE10NUM:ack}" 13 | }, 14 | "condition_type": "string", 15 | "condition_value": "filterlog:" 16 | } 17 | ], 18 | "version": "2.2.0-SNAPSHOT" 19 | } 20 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | These extractors are considered OPEN SOURCE; they were exported from a live GrayLog system using sample (live) data. 2 | Data fields have been normalized to work with most installations of either GrayLog or the product for which the extractor was intended. 
3 | The creator of these files is in no way responsible for any changes/modifications or performance impacts on the system they are being implemented on. Users of these files may update/modify them to suit their individual deployments of GrayLog. 4 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | The following GITHUB repo contains .JSON Extractor files (Log Parsers) for use with GrayLog 2.2.x and above: 2 | These include: 3 | 4 | - Untangle NG Firewall version 12 5 | - Untangle NG Firewall version 13 6 | - Symantec (BlueCoat) SSLV version 3.x+ 7 | - pfSense / OPNsense Firewall 8 | - Ubiquiti Unifi and EdgeRouterX 9 | - VMware ESX/ESXi and vCenter 5.5+ 10 | - hMailServer 11 | - LogRhythm Network Monitor (NetMon) 12 | - Infoblox NIOS 7.xx-8.xx 13 | - CISCO 3725 The repo also contains gl_threatfeeds.sh, which downloads open-source threat feeds into /etc/graylog/feeds and converts them to indexed CSV files for Graylog lookup tables. Replace the CHANGE_ME placeholders (the hMailServer extractor's condition_value and the MalwarePatrol receipt in the script) before importing or running; the script must be run as a user that can write to /etc/graylog/feeds. 14 | -------------------------------------------------------------------------------- /gl_threatfeeds.sh: -------------------------------------------------------------------------------- 1 | #!
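#!/bin/bash
# OpenSource Threat Feed Downloader
# GITHUB: BREAKANDINSPECT
# Use: ./gl_threatfeeds.sh
#   should be run from /etc/graylog/feeds
#   will require SUDO; could be CRON'd with modification
# Last Updated: 9/19/2017
#
# Each feed is downloaded to a .tmp file and, where a CSV is wanted, converted
# to "<index><delimiter><record>" lines under a header row, which Graylog can
# load as a CSV lookup-table data adapter. Output file names are unchanged from
# earlier versions of this script, so existing lookup-table configuration keeps
# working.
#
# Operational / security notes for whoever deploys this:
#   - A feed that fails to download, or that converts to zero records, is
#     skipped and the previous CSV is left in place. Replacing it with an
#     empty file would silently turn the corresponding Graylog lookup off.
#   - Some providers are only reachable over plain http:// ; those lists can
#     be altered in transit. Prefer an https:// endpoint whenever one is
#     offered, and do not add --no-check-certificate to paper over TLS errors.
#   - The MalwarePatrol "receipt" is an access credential and is sent as a URL
#     query parameter, so it is visible in `ps`, in wget's output and in any
#     proxy or server log. Supply it through the MWP_RECEIPT environment
#     variable (or edit the default below) and keep this file readable by its
#     owner only. While the placeholder is still in place the MalwarePatrol
#     section is skipped instead of turning an error page into "indicators".
#   - Records are not CSV-quoted; an indicator containing the delimiter or a
#     double quote will produce a malformed row.
#   - The source URLs date from 2017 and some may no longer be served; check
#     wget's output after the first run.
set -u

FEEDDIR="/etc/graylog/feeds"
# MalwarePatrol access receipt; the placeholder disables that section.
MWP_RECEIPT="${MWP_RECEIPT:-CHANGE_ME_MWP_PASSWORD}"
MWP_BASE="https://lists.malwarepatrol.net/cgi/getfile?receipt=${MWP_RECEIPT}&product=8"
# Bounded retries so one hung provider cannot stall the whole run.
WGET_OPTS=(--timeout=30 --tries=3)

# fetch_feed URL FILE
# Download URL to FILE. On failure the partial FILE is removed and 1 is
# returned so the caller can skip conversion.
fetch_feed () {
  local url="$1" out="$2"
  if wget "${WGET_OPTS[@]}" "$url" -O "$out"; then
    return 0
  fi
  echo "WARNING: download failed, skipping: $url" >&2
  rm -f "$out"
  return 1
}

# convert_feed SRC DST DELIM
# Append SRC's records to DST as "<index><DELIM><record>", numbering from 1.
# Blank lines, '#' comment lines (the abuse.ch lists carry a comment header)
# and trailing CRs are dropped so they do not turn into bogus indicators.
convert_feed () {
  local src="$1" dst="$2" delim="$3"
  local count=0 line
  echo "Converting $src to CSV ($dst) using delimiter: '$delim'"
  # IFS= / -r keep each record byte-for-byte; the || clause still processes
  # a final line that lacks a trailing newline.
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%$'\r'}"
    case "$line" in
      ''|'#'*) continue ;;
    esac
    count=$((count + 1))
    printf '%s%s%s\n' "$count" "$delim" "$line" >> "$dst"
  done < "$src"
}

# build_feed URL TMP CSV DELIM HEADER
# Download URL to TMP and turn it into CSV (header row HEADER, delimiter
# DELIM). The CSV is assembled in CSV.new and only renamed over CSV when it
# holds at least one record, so a bad download never clobbers a good list and
# Graylog never sees a half-written file.
build_feed () {
  local url="$1" tmp="$2" csv="$3" delim="$4" header="$5"
  local new="$csv.new" records
  fetch_feed "$url" "$tmp" || return 1
  echo "$header" > "$new"
  convert_feed "$tmp" "$new" "$delim"
  records=$(( $(wc -l < "$new") - 1 ))
  if [ "$records" -le 0 ]; then
    echo "WARNING: no records in $tmp; leaving $csv unchanged" >&2
    rm -f "$new"
    return 1
  fi
  mv -f "$new" "$csv"
  echo "Wrote $records records to $csv"
}

# Everything below runs inside FEEDDIR; refuse to continue (and in particular
# to run the rm below) anywhere else. Old CSVs are deliberately kept: they are
# replaced per feed only once a fresh list has been built.
cd "$FEEDDIR" || { echo "ERROR: cannot cd to $FEEDDIR" >&2; exit 1; }
rm -f ./*.tmp ./*.csv.new

echo "Downloading Abuse.ch Feeds"

fetch_feed "https://spyeyetracker.abuse.ch/blocklist.php?download=domainblocklist" feed_abuse_domain.tmp
fetch_feed "https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist" feed_abuse_IP.tmp
build_feed "https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist" feed_zeus_domain.tmp feed_zeus_domain.csv "," "INDEX,URL"
build_feed "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist" feed_zeus_IP.tmp feed_zeus_IP.csv "," "INDEX,IPADDR"

echo "Downloading AlienVault Feeds"

# reputation.data is itself '#'-separated, hence the '#' CSV delimiter.
build_feed "https://reputation.alienvault.com/reputation.data" feed_alienvault_IP.tmp feed_alienvault.csv "#" "INDEX#IPADDR#Q1#Q2#DESCRIPTION#CC#LOCATION#GEO#Q3"

echo "Downloading MalwareDomains Feeds"

# NOTE: plain http; the list is not protected in transit (see header).
build_feed "http://mirror1.malwaredomains.com/files/justdomains" feed_mwd_domain.tmp feed_mwd_domain.csv "," "INDEX,URL"

echo "Downloading MalwarePatrol Feeds"

if [ "$MWP_RECEIPT" = "CHANGE_ME_MWP_PASSWORD" ]; then
  echo "WARNING: MWP_RECEIPT is still the placeholder; skipping MalwarePatrol feeds" >&2
else
  fetch_feed "${MWP_BASE}&list=clamav_basic" feed_mwp_clamav.tmp
  build_feed "${MWP_BASE}&list=mozilla_adblock" feed_mwp_mozilla.tmp feed_mwp_mozilla.csv "," "INDEX,URL"
  build_feed "${MWP_BASE}&list=dansguardian" feed_mwp_dansguardian.tmp feed_mwp_dansguardian.csv "," "INDEX,URL"
  fetch_feed "${MWP_BASE}&list=mailwasher" feed_mwp_mailwasher.tmp
  fetch_feed "${MWP_BASE}&list=postfix" feed_mwp_postfix.tmp
  build_feed "${MWP_BASE}&list=smoothwall" feed_mwp_smoothwall.tmp feed_mwp_smoothwall.csv "," "INDEX,URL"
  fetch_feed "${MWP_BASE}&list=spamassassin" feed_mwp_spamassassin.tmp
  build_feed "${MWP_BASE}&list=symantec_smtp_security" feed_mwp_symc-smtp.tmp feed_mwp_symc-smtp.csv ":" "INDEX:STATUS:URL"
  build_feed "${MWP_BASE}&list=symantec_websecurity" feed_mwp_symc-web.tmp feed_mwp_symc-web.csv "," "INDEX,URL"
fi

#echo "Downloading SRI Feeds"
#wget http://mtc.sri.com/live_data/attackers/ -O feed_sri_ip.csv

echo "Downloading TOR Feeds"

# NOTE: plain http; the lists are not protected in transit (see header).
build_feed "http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv" feed_tor-exit_IP.tmp feed_tor-exit_IP.csv "," "INDEX,IPADDR"
build_feed "http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv" feed_tor-all_IP.tmp feed_tor-all_IP.csv "," "INDEX,IPADDR"

echo "Threat Feed Downloads ... Complete!"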