├── translate └── translate.yml ├── README.md ├── 01-huawei.conf ├── huawei-elastic-template.json └── pattern └── huawei /translate/translate.yml: -------------------------------------------------------------------------------- 1 | "0" : "Emergency" 2 | "1" : "Alert" 3 | "2" : "Critical" 4 | "3" : "Error" 5 | "4" : "Warning" 6 | "5" : "Notice" 7 | "6" : "Informational" 8 | "7" : "Debug" 9 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Huawei-ELK 2 | 3 | 4 | Send logs from Huawei network devices to **ELK** 5 | Supported Huawei network devices: 6 | 7 | |Device | Product | 8 | |----------|:----:| 9 | |**Firewall**| **USG6300**| 10 | |**Router**| **AR2200**| 11 | |**Core Switch**| **S12700**| 12 | |**Cloud Engine**| **CE12800**| 13 | 14 | ## Configuration on all Huawei devices 15 | 16 | [huawei] `info-center source default channel 2 ` 17 | 18 | [huawei] `info-center timestamp log none` 19 | 20 | [huawei] `info-center timestamp trap none` 21 | 22 | [huawei] `info-center timestamp debugging none` 23 | 24 | [huawei] `info-center loghost 192.168.137.1` *(IP address of the ELK server)* 25 | 26 | ## ELK server specification 27 | 28 | | Required | Version| 29 | |----------|:----:| 30 | |**Elasticsearch**|**7.5.0**| 31 | |**Logstash**|**7.5.0**| 32 | |**Kibana**|**7.5.0**| 33 | 34 | ## Logstash plugins 35 | 36 | bin/logstash-plugin install **plugin-name** 37 | 38 | |Plugin Name | Version 39 | |------------|:---| 40 | |**logstash-input-file**|latest| 41 | |**logstash-input-udp**|latest| 42 | |**logstash-input-syslog**|latest| 43 | |**logstash-filter-drop**|latest| 44 | |**logstash-filter-translate**|latest| 45 | |**logstash-filter-grok**|latest| 46 | |**logstash-output-elasticsearch**|latest| 47 | |***logstash-output-file***|latest| 48 | 49 | -------------------------------------------------------------------------------- /01-huawei.conf: 
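--------------------------------------------------------------------------------
# Logstash pipeline for Huawei syslog (USG firewall, AR router, S/CE switches).
# Flow: udp/514 -> grok (pattern/huawei) -> Alias tagging by [Brief] -> translate
# -> drop/mutate -> Elasticsearch, index chosen by Alias or by grok parse result.
input {
  # Plain UDP syslog: the sender is not authenticated, so anything that can reach
  # this port can inject or spoof events. Restrict reachability (host firewall /
  # network ACL) to the device management addresses configured with
  # `info-center loghost` in the README.
  # NOTE(review): binding a port below 1024 needs privileges on Linux — confirm
  # how the Logstash service runs, or use a high port and adjust the devices.
  udp {
    port => 514
    type => "Huawei"
  }
}

filter {
  if [type] == "Huawei" {
    # One pattern per Huawei log Brief; every pattern begins with %{HUAWEI}, the
    # shared header that yields Hostname, ModuleName, Serverity (sic) and Brief.
    # NOTE(review): no patterns_dir is set, so pattern/huawei must be on grok's
    # default pattern path in this deployment — confirm.
    #
    # The candidates are ONE array under a single "message" key. The original
    # config repeated `match => { "message" => ... }` once per pattern; the
    # config compiler merges repeated hash attributes and entries sharing a key
    # can be overwritten, so only the array form reliably means "try each".
    grok {
      match => {
        "message" => [
          # Shell / SSH / web access (all platforms)
          "%{DISPLAY_CMDRECORD}",
          "%{CMDRECORD}",
          "%{LOGOUT}",
          "%{LOGIN}",
          "%{SSH_FAIL}",
          "%{LOGINFAILED}",
          "%{WEB}",
          "%{CMDCONFIRM_NOPROMPT}",
          "%{CMDCONFIRM_RECORD}",
          "%{CMDCONFIRM_UNIFORMRECORD}",
          "%{SSH_USER_LOGIN}",
          "%{SSH_USER_LOGIN_FAIL}",
          "%{SSH_USER_LOGOUT}",
          # Firewall USG V500R005C10SPC300
          "%{PACKET_DENY}",
          "%{POLICYDENY}",
          "%{LOGINSUC}",
          "%{ADDOK}",
          "%{DELOK}",
          "%{DELALLOK}",
          "%{DETECT}",
          "%{BOTNET}",
          "%{CNC}",
          "%{EXCEPTION}",
          "%{TROJAN}",
          "%{WORM}",
          "%{AV}",
          # Router AR2200: BGP peer state change, default route change
          "%{STATE_CHG_UPDOWN}",
          "%{IPV4_DEFT_RT_CHG}"
        ]
      }
    }

    # Coarse category in [Alias], keyed on the device-supplied [Brief]. The sets
    # below are disjoint, so an else-if chain gives each event exactly one Alias.
    if [Brief] in ["DISPLAY_CMDRECORD", "CMDRECORD", "CMDCONFIRM_NOPROMPT", "CMDCONFIRM_RECORD", "CMDCONFIRM_UNIFORMRECORD"] {
      mutate { add_field => { "Alias" => "record" } }
    }
    else if [Brief] in ["LOGINFAILED", "LOGIN", "LOGOUT", "SSH_FAIL", "FAIL", "OUT", "PASS", "USERLOGOUT", "USERLOGIN", "SSH_USER_LOGIN", "SSH_USER_LOGIN_FAIL", "SSH_USER_LOGOUT", "LOGINOK", "LOGINFAIL"] {
      mutate { add_field => { "Alias" => "auth" } }
    }
    else if [Brief] in ["PACKET_DENY", "POLICYDENY"] {
      mutate { add_field => { "Alias" => "traffic" } }
    }
    else if [Brief] in ["LOGINSUC", "USRPWDERR", "SSLVPNLOGOUT", "NESRV"] {
      # VPN user login/logout (USRPWDERR was listed twice in the original).
      mutate { add_field => { "Alias" => "vpn" } }
    }
    else if [Brief] in ["ADDOK", "DELOK", "DELALLOK"] {
      # Blacklist add/delete. The value stays "backlist" (sic) so that anything
      # already keyed on it keeps matching.
      mutate { add_field => { "Alias" => "backlist" } }
    }
    else if [Brief] in ["DETECT", "BOTNET", "CNC", "EXCEPTION", "TROJAN", "WORM", "ATTACK"] {
      mutate { add_field => { "Alias" => "ips" } }
    }
    else if [Brief] == "STATE_CHG_UPDOWN" {
      mutate { add_field => { "Alias" => "bgp" } }
    }
    else if [Brief] == "IPV4_DEFT_RT_CHG" {
      # The original tested STATE_CHG_UPDOWN a second time here, which gave BGP
      # events two Alias values and never tagged the default-route change.
      mutate { add_field => { "Alias" => "default router" } }
    }
    else if [Brief] == "VIRUS" {
      mutate { add_field => { "Alias" => "virus" } }
    }

    # Map the numeric syslog severity (captured as [Serverity] by %{HUAWEI}) to
    # its name from translate/translate.yml, then the sender to a device name.
    translate {
      field           => "[Serverity]"
      destination     => "[LogLevel]"
      override        => true
      dictionary_path => "/etc/logstash/translate/translate.yml"
    }
    # NOTE(review): device.yml is not in this repository tree (only translate.yml
    # is); it has to be supplied at deployment time — confirm.
    translate {
      field           => "[host]"
      destination     => "[Device]"
      override        => true
      dictionary_path => "/etc/logstash/translate/device.yml"
    }

    # Noise suppression. These tests match on device-supplied text, so keep the
    # list narrow and re-check it when a firmware change alters message formats.
    if "_system_" in [User] or "**" in [User]
       or "SECIF/6/STREAM" in [message] or "SEC/5/STREAM" in [message]
       or "STATSTREAM" in [message] or "SEC/5/STREAM6" in [message]
       or "SEC/4/SESSION" in [message] or "SEC/4/ATCKDF" in [message] {
      drop { }
    }

    # Serverity has been translated into LogLevel above and is no longer needed.
    mutate { remove_field => [ "@version", "Serverity" ] }
    mutate {
      rename => {
        "type" => "Type"
        "host" => "Host"
      }
    }
  }
}

output {
  # Debug echo of every event (auth records included) to Logstash's stdout;
  # comment out once the pipeline has been verified.
  stdout { codec => rubydebug }

  # Elasticsearch credentials come from the environment or the Logstash keystore
  # (${VAR} substitution) instead of being embedded in this file. Startup fails if
  # ES_PASSWORD is unset, which is preferable to shipping with a placeholder.
  # NOTE(review): the original endpoint was plain http, so basic-auth credentials
  # travel in clear text; use https (ssl/cacert options of this output) unless
  # Elasticsearch is only reachable on localhost.
  if [Alias] == "auth" or [Alias] == "record" {
    elasticsearch {
      hosts    => ["${ES_HOSTS:http://elastic:9200}"]
      user     => "${ES_USER:elastic}"
      password => "${ES_PASSWORD}"
      index    => "auth-%{+YYYY-MM-dd}"
    }
  }
  else if "_grokparsefailure" in [tags] {
    # Unparsed events. This index is not covered by the index_patterns
    # (auth*, network*) of huawei-elastic-template.json.
    elasticsearch {
      hosts    => ["${ES_HOSTS:http://elastic:9200}"]
      user     => "${ES_USER:elastic}"
      password => "${ES_PASSWORD}"
      index    => "grokparsefailure"
    }
  }
  else {
    elasticsearch {
      hosts    => ["${ES_HOSTS:http://elastic:9200}"]
      user     => "${ES_USER:elastic}"
      password => "${ES_PASSWORD}"
      index    => "network-%{+YYYY-MM-dd}"
    }
  }
}
-------------------------------------------------------------------------------- /huawei-elastic-template.json: -------------------------------------------------------------------------------- 1 | { 2 | "network" : { 3 | "order" : 0, 4 | "index_patterns" : [ 5 | "auth*", 6 | "network*" 7 | ], 8 | "settings" : { 9 | "index" : { 10 | "number_of_shards" : "1", 11 | "number_of_replicas" : "0", 12 | "refresh_interval" : "5s" 13 | } 14 | }, 15 | "mappings" : { 16 | "dynamic_templates" : [ 17 | { 18 | "message_field" : { 19 | "path_match" : "message", 20 | "mapping" : { 21 | "norms" : false, 22 | "type" : "text" 23 | }, 24 | "match_mapping_type" : "string" 25 | } 26 | }, 27 | { 28 | "string_fields" : {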
29 | "mapping" : { 30 | "norms" : false, 31 | "type" : "text", 32 | "fields" : { 33 | "keyword" : { 34 | "ignore_above" : 256, 35 | "type" : "keyword" 36 | } 37 | } 38 | }, 39 | "match_mapping_type" : "string", 40 | "match" : "*" 41 | } 42 | } 43 | ], 44 | "properties" : { 45 | "Policy" : { 46 | "type" : "keyword" 47 | }, 48 | "Task" : { 49 | "type" : "keyword" 50 | }, 51 | "DstZone" : { 52 | "type" : "keyword" 53 | }, 54 | "Os" : { 55 | "type" : "keyword" 56 | }, 57 | "Nexthop" : { 58 | "type" : "keyword" 59 | }, 60 | "Label" : { 61 | "type" : "keyword" 62 | }, 63 | "AuthenticationMethod" : { 64 | "type" : "keyword" 65 | }, 66 | "Hash" : { 67 | "type" : "keyword" 68 | }, 69 | "Brief" : { 70 | "type" : "keyword" 71 | }, 72 | "LogLevel" : { 73 | "type" : "keyword" 74 | }, 75 | "Result" : { 76 | "type" : "keyword" 77 | }, 78 | "DstLocation" : { 79 | "type" : "keyword" 80 | }, 81 | "ChangeType" : { 82 | "type" : "keyword" 83 | }, 84 | "StateChangeReason" : { 85 | "type" : "keyword" 86 | }, 87 | "SrcPort" : { 88 | "type" : "keyword" 89 | }, 90 | "IpVersion" : { 91 | "type" : "keyword" 92 | }, 93 | "InstanceId" : { 94 | "type" : "keyword" 95 | }, 96 | "Device" : { 97 | "type" : "keyword" 98 | }, 99 | "Timeout" : { 100 | "type" : "keyword" 101 | }, 102 | "IP" : { 103 | "type" : "keyword" 104 | }, 105 | "Peer" : { 106 | "type" : "keyword" 107 | }, 108 | "FailedReason" : { 109 | "type" : "keyword" 110 | }, 111 | "Hostname" : { 112 | "type" : "keyword" 113 | }, 114 | "rcvd" : { 115 | "type" : "keyword" 116 | }, 117 | "DstPort" : { 118 | "type" : "keyword" 119 | }, 120 | "sent" : { 121 | "type" : "keyword" 122 | }, 123 | "tags" : { 124 | "type" : "keyword" 125 | }, 126 | "Role" : { 127 | "type" : "keyword" 128 | }, 129 | "InstanceName" : { 130 | "type" : "keyword" 131 | }, 132 | "DetectionType" : { 133 | "type" : "keyword" 134 | }, 135 | "Neighbour" : { 136 | "type" : "keyword" 137 | }, 138 | "Preference" : { 139 | "type" : "keyword" 140 | }, 141 | "Application" : { 142 | 
"type" : "keyword" 143 | }, 144 | "UserType" : { 145 | "type" : "keyword" 146 | }, 147 | "Action" : { 148 | "type" : "keyword" 149 | }, 150 | "SignId" : { 151 | "type" : "keyword" 152 | }, 153 | "Category" : { 154 | "type" : "keyword" 155 | }, 156 | "Description" : { 157 | "type" : "keyword" 158 | }, 159 | "User" : { 160 | "type" : "keyword" 161 | }, 162 | "SyslogId" : { 163 | "type" : "keyword" 164 | }, 165 | "dst" : { 166 | "type" : "keyword" 167 | }, 168 | "ModuleName" : { 169 | "type" : "keyword" 170 | }, 171 | "FileName" : { 172 | "type" : "keyword" 173 | }, 174 | "SrcIp" : { 175 | "type" : "keyword" 176 | }, 177 | "Direction" : { 178 | "type" : "keyword" 179 | }, 180 | "Profile" : { 181 | "type" : "keyword" 182 | }, 183 | "Reason" : { 184 | "type" : "keyword" 185 | }, 186 | "StatusFrom" : { 187 | "type" : "keyword" 188 | }, 189 | "duration" : { 190 | "type" : "keyword" 191 | }, 192 | "Target" : { 193 | "type" : "keyword" 194 | }, 195 | "DstIp" : { 196 | "type" : "keyword" 197 | }, 198 | "StatusTo" : { 199 | "type" : "keyword" 200 | }, 201 | "SrcZone" : { 202 | "type" : "keyword" 203 | }, 204 | "Protocol" : { 205 | "type" : "keyword" 206 | }, 207 | "SrcLocation" : { 208 | "type" : "keyword" 209 | }, 210 | "UserName" : { 211 | "type" : "keyword" 212 | }, 213 | "src" : { 214 | "type" : "keyword" 215 | }, 216 | "Reference" : { 217 | "type" : "keyword" 218 | }, 219 | "UserInput" : { 220 | "type" : "keyword" 221 | }, 222 | "Host" : { 223 | "type" : "keyword" 224 | }, 225 | "Severity" : { 226 | "type" : "keyword" 227 | }, 228 | "message" : { 229 | "type" : "text" 230 | }, 231 | "SignName" : { 232 | "type" : "keyword" 233 | }, 234 | "ExitIf" : { 235 | "type" : "keyword" 236 | }, 237 | "Type" : { 238 | "type" : "keyword" 239 | }, 240 | "@timestamp" : { 241 | "type" : "date" 242 | }, 243 | "vpn" : { 244 | "type" : "keyword" 245 | }, 246 | "Command" : { 247 | "type" : "keyword" 248 | }, 249 | "FileType" : { 250 | "type" : "keyword" 251 | }, 252 | "Alias" : { 253 | 
"type" : "keyword" 254 | }, 255 | "Times" : { 256 | "type" : "keyword" 257 | }, 258 | "VirusName" : { 259 | "type" : "keyword" 260 | }, 261 | "Metric" : { 262 | "type" : "keyword" 263 | }, 264 | "user" : { 265 | "type" : "keyword" 266 | } 267 | } 268 | }, 269 | "aliases" : { } 270 | } 271 | } 272 | -------------------------------------------------------------------------------- /pattern/huawei: --------------------------------------------------------------------------------
# Grok pattern definitions for Huawei syslog. 01-huawei.conf references these by
# name (%{CMDRECORD}, %{DETECT}, ...); every pattern below starts with %{HUAWEI},
# the shared message header. Lines beginning with '#' are sample messages or
# retired pattern variants kept for reference.
### FireWall USG6300 V500R005C10
##### HUAWEI
#<190>Oct 16 2019 08:40:44 USG6300-01 %%01SHELL/6/DISPLAY_CMDRECORD(s)[316]:
#<190> USG6300-01 %%01SHELL/6/DISPLAY_CMDRECORD(s):
#<164> AR2200 LINE/4/USERLOGOUT:
#HUAWEI \<%{NUMBER}\>(%{CISCOTIMESTAMP}|) %{HOSTNAME:Hostname} (\%%%{NUMBER}|)%{DATA:ModuleName}\/%{NUMBER:Serverity}\/%{DATA:Brief}(\((l|s)\)|)(\[%{NUMBER}\]|):
#HUAWEI \<%{NUMBER}\>(%{CISCOTIMESTAMP}|) %{HOSTNAME:Hostname} (\%%%{NUMBER}|)%{DATA:ModuleName}\/%{NUMBER:Serverity}\/%{DATA:Brief}(\((l|s)\)|)(\[%{NUMBER}\]|):(CID=%{NOTSPACE};|)
# Shared header: <number> (syslog priority), optional timestamp, hostname,
# optional %%NN, then Module/Severity/Brief, optional (l)/(s) and [seq], ':' and
# an optional CID=. Captures Hostname, ModuleName, Serverity (sic: spelled this
# way here and read as [Serverity] by the translate filter in 01-huawei.conf)
# and Brief. Brief drives the Alias tagging in 01-huawei.conf, so that routing
# rests on text supplied by the device.
HUAWEI \<%{NUMBER}\>(%{CISCOTIMESTAMP}|) (%{HOSTNAME:Hostname}| %{HOSTNAME:Hostname}) (\%%%{NUMBER}|)%{DATA:ModuleName}\/%{NUMBER:Serverity}\/%{DATA:Brief}(\((l|s)\)|)(\[%{NUMBER}\]|):(CID=%{NOTSPACE};|)
#### SHELL
#SHELL/5/CMDRECORD
# Four alternatives for the command-record message formats seen across platforms.
CMDRECORD (%{HUAWEI}(%{SPACE}%{CISCO_REASON:Description}|%{CISCO_REASON:Description}). \(Task=%{NOTSPACE:Task}, Ip=%{NOTSPACE:IP}, VpnName=, User=%{NOTSPACE:User}, AuthenticationMethod="%{NOTSPACE:AuthenticationMethod}", Command="%{GREEDYDATA:Command}"\)|%{HUAWEI} task=%{NOTSPACE:Task}, ip=%{IP:IP}, user=%{USER:User}, usertype=%{NOTSPACE:UserType}, vsys=%{NOTSPACE}, command=%{GREEDYDATA:Command}, result=%{NOTSPACE}.|%{HUAWEI}%{CISCO_REASON:Description}. \(Task=%{DATA:Task}, Ip=%{NOTSPACE:IP}, User=%{USER:User}, Command="%{GREEDYDATA:Command}", Result=%{DATA:Result}\)|%{HUAWEI}%{CISCO_REASON:Description}. \(Task=%{DATA:Task}, Ip=%{IP:IP}, User=%{USER:User}, Command="%{GREEDYDATA:Command}".\)%{GREEDYDATA})

#SHELL/6/CMDCONFIRM_NOPROMPT
CMDCONFIRM_NOPROMPT %{HUAWEI}%{CISCO_REASON:Description}. \(Task=%{DATA:Task}, IP=%{NOTSPACE:IP}, VpnName=, User=%{USER:User}, Command="%{DATA:Command}", UserInput=%{GREEDYDATA:UserInput}\)

#SHELL/6/CMDCONFIRM_RECORD
CMDCONFIRM_RECORD %{HUAWEI}%{CISCO_REASON:Description} "%{GREEDYDATA:Command}", %{GREEDYDATA}.\(Task=%{NOTSPACE:Task}, IP=%{NOTSPACE:IP}, VpnName=, User=%{USER:User}\)

#SHELL/6/CMDCONFIRM_UNIFORMRECORD
CMDCONFIRM_UNIFORMRECORD %{HUAWEI}%{CISCO_REASON:Description}. \(Task=%{NOTSPACE}, IP=%{NOTSPACE}, VpnName=, User=%{USER:User}, Command="%{GREEDYDATA:Command}", PromptInfo="%{GREEDYDATA:PromptInfo}", UserInput=%{GREEDYDATA:UserInput}\)

#SHELL/6/DISPLAY_CMDRECORD
DISPLAY_CMDRECORD (%{HUAWEI}(%{SPACE}%{CISCO_REASON:Description}|%{CISCO_REASON:Description}). \(Task=%{NOTSPACE:Task}, Ip=%{NOTSPACE:IP}, VpnName=, User=%{NOTSPACE:User}, AuthenticationMethod="%{NOTSPACE}", Command="%{GREEDYDATA:Command}"\)|%{HUAWEI} task:%{NOTSPACE:Task} ip:%{IP:IP} user:%{USER:User} usertype:%{WORD} vsys:%{WORD} command:%{CISCO_REASON:Command}.)

#SHELL/4/LOGINFAILED
LOGINFAILED %{HUAWEI} access type:%{DATA:AccessType} User %{USER:User} %{CISCO_REASON:Description} from %{NOTSPACE:IP}\(times=%{NOTSPACE:Times}\).|%{HUAWEI}Failed to login. \(Ip=%{NOTSPACE:IP}, UserName=%{DATA:UserName}, Times=%{DATA:Times}, AccessType=%{DATA:AccessType}, VpnName=\)

#SHELL/5/LOGIN & SHELL/4/LOGIN
# Note the user name lands in UserName for the first two alternatives and in
# User for the third.
LOGIN (%{HUAWEI}%{CISCO_REASON:Description}. \(UserType=%{NOTSPACE:UserType}, UserName=%{NOTSPACE:UserName}, AuthenticationMethod="%{NOTSPACE:AuthenticationMethod}", Ip=%{NOTSPACE:IP}, VpnName=\)|%{HUAWEI} access type:%{NOTSPACE:UserType} vsys:%{NOTSPACE} user:%{NOTSPACE:UserName} login from %{NOTSPACE:IP}|%{HUAWEI}%{CISCO_REASON:Description}. \(UserType=%{DATA:UserType}, UserName=%{USER:User}, Ip=%{IP:IP}, VpnName=%{NOTSPACE}\)%{GREEDYDATA})

#SHELL/5/LOGOUT & SHELL/4/LOGOUT
LOGOUT (%{HUAWEI}%{CISCO_REASON:Description}. \(UserType=%{NOTSPACE:UserType}, UserName=%{USER:User}, Ip=%{NOTSPACE:IP}, VpnName=\)|%{HUAWEI} access type:%{NOTSPACE:UserType} vsys:%{NOTSPACE} user:%{USER:User} %{GREEDYDATA:msg}|%{HUAWEI}%{CISCO_REASON:Description}. \(UserType=%{DATA:UserType}, UserName=%{USER:User}, Ip=%{IP:IP}, VpnName=%{NOTSPACE}, Reason=%{GREEDYDATA:Reason}\)%{GREEDYDATA})

#### SSH
#SSH/4/SSH_FAIL
SSH_FAIL (%{HUAWEI}%{CISCO_REASON:Description}. \(IP=%{NOTSPACE:IP}, VpnInstanceName=%{GREEDYDATA}, UserName=%{USER:UserName}, Times=%{DATA:Times}, FailedReason=%{GREEDYDATA:FailedReason}\)|%{HUAWEI} %{CISCO_REASON:Description}. \(Ip=%{IP:IP}, UserName=%{USER:UserName}, Times=%{DATA:Times}\)|%{HUAWEI}%{CISCO_REASON:Description}. \(Ip=%{IP:IP}, UserName=%{USER:UserName}, Times=%{DATA:Times}\))

#SSH/5/SSH_USER_LOGIN (CloudEngine 12800)
SSH_USER_LOGIN %{HUAWEI}%{CISCO_REASON:Description}. \(ServiceType=%{DATA:UserType}, UserName=%{USER:User}, IPAddress=%{IP:IP}, VPNInstanceName=%{NOTSPACE}\)

#SSH/5/SSH_USER_LOGOUT (CloudEngine 12800)
SSH_USER_LOGOUT %{HUAWEI}%{CISCO_REASON:Description}. \(ServiceType=%{DATA:UserType}, LogoutReason=%{GREEDYDATA:LogoutReason}, UserName=%{USER:User}, IPAddress=%{IP:IP}, VPNInstanceName=%{NOTSPACE}\)%{GREEDYDATA}

#SSH_USER_LOGIN_FAIL (CloudEngine 12800)
# NOTE(review): this pattern ends in a literal \r\n, unlike its siblings; it only
# matches if the event text still carries the CRLF — confirm against real events.
SSH_USER_LOGIN_FAIL %{HUAWEI}%{CISCO_REASON:Description}. \(ServiceType=%{DATA:UserType}, FailedReason=%{CISCO_REASON:FailedReason}, UserName=%{USER:User}, IPAddress=%{IP:IP}, VPNInstanceName=%{NOTSPACE}\)\r\n
# NOTE(review): uses %{TEST} and %{TEST2}, which are not defined in this file, and
# nothing in 01-huawei.conf references this name; presumably inert while unused —
# confirm, or remove it.
HUAWEI_CE_LOGIN_FAILED_SSH %{HUAWEI}%{WORD}%{TEST2}%{WORD:cid};%{CISCO_REASON:info}. %{TEST}%{WORD}%{TEST2}%{CISCO_REASON:user.service_type}, %{WORD}%{TEST2}%{CISCO_REASON:user.failed_reason}, %{WORD}%{TEST2}%{USER:user.user}, %{WORD}%{TEST2}%{IP:user.ip}, %{WORD}%{TEST2}%{CISCO_REASON:user.vpn_instance_name}.%{TEST}
### WEB
#HTTPD/4/FAIL & HTTPD/6/PASS & HTTPD/5/OUT
#WEB (%{HUAWEI}User %{USER:User}\(IP:%{IP:IP} %{NOTSPACE}\) %{CISCO_REASON:Description}|%{HUAWEI} User %{USER:User}\(IP:%{IP:IP} %{NOTSPACE}\) %{CISCO_REASON:Description})
WEB (%{HUAWEI}User %{USER:User}\(IP:%{IP:IP} %{NOTSPACE}\) %{CISCO_REASON:Description}|%{HUAWEI} User %{USER:User}\(IP:%{IP:IP} %{NOTSPACE}\) %{CISCO_REASON:Description}|%{HUAWEI}%{CISCO_REASON:Description}. \(UserName=%{GREEDYDATA:User}, IPAddress=%{IP:IP}, VpnName=%{GREEDYDATA}\))


### Traffick Logs Paket deny
#<188>2019-10-18 02:29:13 USG6000V1 %%01SECLOG/4/PACKET_DENY(l):IPVer=4,Protocol=icmp,SourceIP=10.1.1.2,DestinationIP=192.168.137.1,SourcePort=8,DestinationPort=0,BeginTime=1571365753,EndTime=1571365753,SourceVpnID=0,DestinationVpnID=0,SourceZone=trust,DestinationZone=untrust,PolicyName=clinet_to_router,CloseReason=policy-deny.
# Field names here (SourceIP, DestinationIP, PolicyName, ...) differ from the
# SrcIp/DstIp/Policy names the IPS patterns use; huawei-elastic-template.json has
# no explicit mapping for them, so they fall under its "string_fields" dynamic
# template.
PACKET_DENY %{HUAWEI}IPVer=%{DATA},Protocol=%{DATA:Protocol},SourceIP=%{DATA:SourceIP},DestinationIP=%{NOTSPACE:DestinationIP},SourcePort=%{NOTSPACE:SourcePort},DestinationPort=%{NOTSPACE:DestinationPort},BeginTime=%{NOTSPACE},EndTime=%{NOTSPACE},SourceVpnID=%{NOTSPACE},DestinationVpnID=%{NOTSPACE},SourceZone=%{NOTSPACE:SourceZone},DestinationZone=%{NOTSPACE:DestinationZone},PolicyName=%{NOTSPACE:PolicyName},CloseReason=%{NOTSPACE:CloseReason}.

### VPN
# <190>Oct 18 2019 06:35:11 USG6000V1 %%01USERS/6/LOGINSUC(l)[1548]:id=USG6000V1-ENSP time="2019-10-18 06:35:08" fw=USG6000V1 pri=6 vsys=public vpn=testing user="testing" src=192.168.137.57 dst=0.0.0.0 duration=0s rcvd=0byte(s) sent=0byte(s) type=vpn service=5 msg="Session: testing successed to login."
# Captures the lowercase names vpn, user, src, dst, duration, rcvd and sent,
# which huawei-elastic-template.json maps explicitly as keyword.
LOGINSUC (%{HUAWEI} id=%{NOTSPACE}|%{HUAWEI}id=%{NOTSPACE}) time="%{DATA}" fw=%{DATA} pri=%{NOTSPACE} vsys=%{NOTSPACE} vpn=%{DATA:vpn} user="%{USER:user}" src=%{NOTSPACE:src} dst=%{NOTSPACE:dst} duration=%{NOTSPACE:duration}s rcvd=%{NOTSPACE:rcvd}byte\(s\) sent=%{NOTSPACE:sent}byte\(s\) type=%{NOTSPACE} service=%{NOTSPACE} msg="%{GREEDYDATA:Description}."


#### Add BACKLIST
#<188>Oct 18 2019 07:42:30 USG6000V1 %%01BLACKLIST/4/ADDOK(l): A blacklist entry was added. (SyslogId=100, IpVersion=IPv4, SrcIp=193.168.3.1, DstIp=any, SrcPort=any, DstPort=any, Protocol=any, User=any, VSysId=0, VSys=root, Reason= IPS Attack , Timeout=5 min)
ADDOK (%{HUAWEI}%{CISCO_REASON:Description}|%{HUAWEI} %{CISCO_REASON:Description}). \(SyslogId=%{NOTSPACE:SyslogId}, IpVersion=%{NOTSPACE:IpVersion}, SrcIp=%{NOTSPACE:SrcIp}, DstIp=%{NOTSPACE:DstIp}, SrcPort=%{NOTSPACE:SrcPort}, DstPort=%{NOTSPACE:DstPort}, Protocol=%{NOTSPACE:Protocol}, User=%{NOTSPACE:User}, VSysId=%{NOTSPACE}, VSys=%{NOTSPACE}, Reason= %{GREEDYDATA:Reason}, Timeout=%{GREEDYDATA:Timeout}min\)


### Remove BACKLIST
#<188>Oct 18 2019 08:36:36 USG6000V1 %%01BLACKLIST/4/DELOK(l)[2134]:A blacklist entry was deleted. (SyslogId=100, IpVersion=IPv4, SrcIp=1.1.1.1, DstIp=any, SrcPort=any, DstPort=any,Protocol=any, User=any, VSysId=0, VSys=public)
# The sample has no space after "DstPort=any,", and the pattern mirrors that.
DELOK (%{HUAWEI}%{CISCO_REASON:Description}|%{HUAWEI} %{CISCO_REASON:Description}). \(SyslogId=%{NOTSPACE:SyslogId}, IpVersion=%{NOTSPACE:IpVersion}, SrcIp=%{NOTSPACE:SrcIp}, DstIp=%{NOTSPACE:DstIp}, SrcPort=%{NOTSPACE:SrcPort}, DstPort=%{NOTSPACE:DstPort},Protocol=%{NOTSPACE:Protocol}, User=%{NOTSPACE:User}, VSysId=%{NOTSPACE}, VSys=%{NOTSPACE}\)


### Clear all backlist
#<188>Oct 18 2019 08:39:01 USG6000V1 %%01BLACKLIST/4/DELALLOK(l)[2158]:All blacklist entries were deleted. (SyslogId=100, VSysId=0, VSys=public)
DELALLOK %{HUAWEI}%{CISCO_REASON:Description}. \(SyslogId=%{NOTSPACE:SyslogId}, VSysId=%{NOTSPACE}, VSys=%{NOTSPACE}\)


####IPS DETECT
###<188>Oct 18 2019 09:47:43 USG6600-DMZ-02 %%01IPS/4/DETECT(l): Intrusion was detected. (SyslogId=3878486016, VSys="root", Policy="InternetLanToServer", SrcIp=10.8.8.11, DstIp=10.50.50.5, SrcPort=50396, DstPort=53, SrcZone=lan, DstZone=dmz, User="unknown", Protocol=UDP, Application="DNS", Profile="ips block all", SignName="Dns request for Bitcoin mining pool detected", SignId=505470, EventNum=1, Target=server, Severity=medium, Os=both, Category=Other, Action=Block)

# The "(Reference=..., |)" group makes the Reference field optional.
DETECT %{HUAWEI}(%{CISCO_REASON:Description}| %{CISCO_REASON:Description}). \(SyslogId=%{NOTSPACE}, VSys="%{NOTSPACE}", Policy="%{GREEDYDATA:Policy}", SrcIp=%{NOTSPACE:SrcIp}, DstIp=%{NOTSPACE:DstIp}, SrcPort=%{NOTSPACE:SrcPort}, DstPort=%{NOTSPACE:DstPort}, SrcZone=%{NOTSPACE:SrcZone}, DstZone=%{NOTSPACE:DstZone}, User="%{NOTSPACE}", Protocol=%{NOTSPACE:Protocol}, Application="%{NOTSPACE:Application}", Profile="%{DATA:Profile}", SignName="%{DATA:SignName}", SignId=%{DATA:SignId}, EventNum=%{NOTSPACE}, Target=%{NOTSPACE:Target}, Severity=%{NOTSPACE:Severity}, Os=%{NOTSPACE:Os}, Category=%{NOTSPACE:Category}, (Reference=%{NOTSPACE:Reference}, |)Action=%{NOTSPACE:Action}\)

#### IPS BONET
### <190> USG6300-01 %%01IPS/4/BOTNET(l): A botnet was detected. (SyslogId=[syslog-id], VSys=[vsys-name], Policy=tets, SrcIp=[source-ip], DstIp=[destination-ip], SrcPort=[source-port], DstPort=[destination-port], SrcZone=[source-zone], DstZone=[destination-zone], User=[user-name], Protocol=[protocol], Application=[application-name], Profile=[profile-name], SignName=[signature-name], SignId=[signature-id], EventNum=[event-number], Target=[target], Severity=[severity], Os=[operating-system], Category=[category], Role=[role], SrcLocation=[source-location], DstLocation=[destination-location], Action=[action])

BOTNET %{HUAWEI}(%{CISCO_REASON:Description}| %{CISCO_REASON:Description}). \(SyslogId=%{NOTSPACE}, VSys=%{NOTSPACE}, Policy=%{NOTSPACE:Policy}, SrcIp=%{NOTSPACE:SrcIp}, DstIp=%{NOTSPACE:DstIp}, SrcPort=%{NOTSPACE:SrcPort}, DstPort=%{NOTSPACE:DstPort}, SrcZone=%{NOTSPACE:SrcZone}, DstZone=%{NOTSPACE:DstZone}, User=%{NOTSPACE:User}, Protocol=%{NOTSPACE:Protocol}, Application=%{NOTSPACE:Application}, Profile=%{NOTSPACE:Profile}, SignName=%{NOTSPACE:SignName}, SignId=%{NOTSPACE:SignId}, EventNum=%{NOTSPACE}, Target=%{NOTSPACE:Target}, Severity=%{NOTSPACE:Severity}, Os=%{NOTSPACE:Os}, Category=%{NOTSPACE:Category}, Role=%{NOTSPACE:Role}, SrcLocation=%{NOTSPACE:SrcLocation}, DstLocation=%{NOTSPACE:DstLocation}, Action=%{DATA:Action}\)

### IPS CNC
#<190> USG6300-01 %%01IPS/4/CNC(l): A malware domain was detected. (SyslogId=[syslog-id], VSys=[vsys-name], Policy=[policy-name], SrcIp=[source-ip-address], DstIp=[destination-ip-address], SrcPort=[source-port], DstPort=[destination-port], SrcZone=[source-zone], DstZone=[destination-zone], User=[user-name], Protocol=[protocol], Application=[application-name],Profile=[profile-name],DomainName=[domain-name], EventNum=[event-number], Action=[action])

CNC %{HUAWEI}(%{CISCO_REASON:Description}| %{CISCO_REASON:Description}). \(SyslogId=%{NOTSPACE}, VSys=%{NOTSPACE}, Policy=%{GREEDYDATA:Policy}, SrcIp=%{NOTSPACE:SrcIp}, DstIp=%{NOTSPACE:DstIp}, SrcPort=%{NOTSPACE:SrcPort}, DstPort=%{NOTSPACE:DstPort}, SrcZone=%{NOTSPACE:SrcZone}, DstZone=%{NOTSPACE:DstZone}, User=%{NOTSPACE}, Protocol=%{NOTSPACE:Protocol}, Application=%{NOTSPACE:Application},Profile=%{DATA:Profile},DomainName=%{NOTSPACE:DomainName}, EventNum=%{NOTSPACE:EventNum}, Action=%{NOTSPACE:Action}\)


### IPS EXCEPTION
#<190> USG6300-01 %%01IPS/4/EXCEPTION(l): The packet matched an exception IPS signature. (SyslogId=[syslog-id], VSys=[vsys-name], Policy=[policy-name], SrcIp=[source-ip], DstIp=[destination-ip], SrcPort=[source-port], DstPort=[destination-port], SrcZone=[source-zone], DstZone=[destination-zone], User=[user-name], Protocol=[protocol], Application=[application-name], Profile=[profile-name], SignName=[signature-name], SignId=[signature-id], EventNum=[event-number], Target=[target], Severity=[severity], Os=[operating-system], Category=[category], Action=[action])

EXCEPTION %{HUAWEI}(%{CISCO_REASON:Description}| %{CISCO_REASON:Description}). \(SyslogId=%{NOTSPACE}, VSys=%{NOTSPACE}, Policy=%{GREEDYDATA:Policy}, SrcIp=%{NOTSPACE:SrcIp}, DstIp=%{NOTSPACE:DstIp}, SrcPort=%{NOTSPACE:SrcPort}, DstPort=%{NOTSPACE:DstPort}, SrcZone=%{NOTSPACE:SrcZone}, DstZone=%{NOTSPACE:DstZone}, User=%{NOTSPACE}, Protocol=%{NOTSPACE:Protocol}, Application=%{NOTSPACE:Application}, Profile=%{DATA:Profile}, SignName=%{DATA:SignName}, SignId=%{DATA:SignId}, EventNum=%{NOTSPACE}, Target=%{NOTSPACE:Target}, Severity=%{NOTSPACE:Severity}, Os=%{NOTSPACE:Os}, Category=%{NOTSPACE:Category}, Action=%{NOTSPACE:Action}\)

### IPS TROJAN
#<190> USG6300-01 %%01IPS/4/TROJAN(l): A trojan horse was detected. (SyslogId=[syslog-id], VSys=[vsys-name], Policy=[policy-name], SrcIp=[source-ip], DstIp=[destination-ip], SrcPort=[source-port], DstPort=[destination-port], SrcZone=[source-zone], DstZone=[destination-zone], User=[user-name], Protocol=[protocol], Application=[application-name], Profile=[profile-name], SignName=[signature-name], SignId=[signature-id], EventNum=[event-number], Target=[target], Severity=[severity], Os=[operating-system], Category=[category], Role=[role], SrcLocation=[source-location], DstLocation=[destination-location], Action=[action])

# Earlier unquoted variant, kept commented out; the active TROJAN below expects
# quoted Policy, Application, Profile and SignName values.
#TROJAN %{HUAWEI} %{CISCO_REASON:Description}. \(SyslogId=%{NOTSPACE}, VSys=%{NOTSPACE}, Policy=%{NOTSPACE:Policy}, SrcIp=%{NOTSPACE:SrcIp}, DstIp=%{NOTSPACE:DstIp}, SrcPort=%{NOTSPACE:SrcPort}, DstPort=%{NOTSPACE:DstPort}, SrcZone=%{NOTSPACE:SrcZone}, DstZone=%{NOTSPACE:DstZone}, User=%{NOTSPACE:User}, Protocol=%{NOTSPACE:Protocol}, Application=%{NOTSPACE:Application}, Profile=%{NOTSPACE:Profile}, SignName=%{NOTSPACE:SignName}, SignId=%{NOTSPACE:SignId}, EventNum=%{NOTSPACE}, Target=%{NOTSPACE:Target}, Severity=%{NOTSPACE:Severity}, Os=%{NOTSPACE:Os}, Category=%{NOTSPACE:Category}, Role=%{NOTSPACE:Role}, SrcLocation=%{NOTSPACE:SrcLocation}, DstLocation=%{NOTSPACE:DstLocation}, Action=%{DATA:Action}\)

TROJAN %{HUAWEI}(%{CISCO_REASON:Description}| %{CISCO_REASON:Description}). \(SyslogId=%{NOTSPACE}, VSys=%{NOTSPACE}, Policy="%{NOTSPACE:Policy}", SrcIp=%{NOTSPACE:SrcIp}, DstIp=%{NOTSPACE:DstIp}, SrcPort=%{NOTSPACE:SrcPort}, DstPort=%{NOTSPACE:DstPort}, SrcZone=%{NOTSPACE:SrcZone}, DstZone=%{NOTSPACE:DstZone}, User=%{NOTSPACE}, Protocol=%{NOTSPACE:Protocol}, Application="%{NOTSPACE:Application}", Profile="%{CISCO_REASON:Profile}", SignName="%{GREEDYDATA:SignName}", SignId=%{NOTSPACE:SignId}, EventNum=%{NOTSPACE}, Target=%{NOTSPACE:Target}, Severity=%{NOTSPACE:Severity}, Os=%{NOTSPACE:Os}, Category=%{NOTSPACE:Category}, Role=%{NOTSPACE:Role}, SrcLocation=%{NOTSPACE:SrcLocation}, DstLocation=%{NOTSPACE:DstLocation}, Action=%{DATA:Action}\)

### IPS WORM
## <190> USG6300-01 %%01IPS/4/WORM(l): A worm was detected. (SyslogId=[syslog-id], VSys=[vsys-name], Policy=[policy-name], SrcIp=[source-ip], DstIp=[destination-ip], SrcPort=[source-port], DstPort=[destination-port], SrcZone=[source-zone], DstZone=[destination-zone], User=[user-name], Protocol=[protocol], Application=[application-name], Profile=[profile-name], SignName=[signature-name], SignId=[signature-id], EventNum=[event-number], Target=[target], Severity=[severity], Os=[operating-system], Category=[category], Action=[action])

WORM %{HUAWEI}(%{CISCO_REASON:Description}| %{CISCO_REASON:Description}). \(SyslogId=%{NOTSPACE}, VSys=%{NOTSPACE}, Policy=%{NOTSPACE:Policy}, SrcIp=%{NOTSPACE:SrcIp}, DstIp=%{NOTSPACE:DstIp}, SrcPort=%{NOTSPACE:SrcPort}, DstPort=%{NOTSPACE:DstPort}, SrcZone=%{NOTSPACE:SrcZone}, DstZone=%{NOTSPACE:DstZone}, User=%{NOTSPACE:User}, Protocol=%{NOTSPACE:Protocol}, Application=%{NOTSPACE:Application}, Profile=%{NOTSPACE:Profile}, SignName=%{NOTSPACE:SignName}, SignId=%{NOTSPACE:SignId}, EventNum=%{NOTSPACE}, Target=%{NOTSPACE:Target}, Severity=%{NOTSPACE:Severity}, Os=%{NOTSPACE:Os}, Category=%{NOTSPACE:Category}, Action=%{NOTSPACE:Action}\)

#BGP/3/STATE_CHG_UPDOWN (AR2200)
STATE_CHG_UPDOWN %{HUAWEI}%{CISCO_REASON:Description} %{IP:Peer} changed from %{NOTSPACE:StatusFrom} to %{NOTSPACE:StatusTo}. \(InstanceName=%{DATA:InstanceName}, StateChangeReason=%{GREEDYDATA:StateChangeReason}\)

#RM/4/IPV4_DEFT_RT_CHG (AR2200)
IPV4_DEFT_RT_CHG %{HUAWEI}%{CISCO_REASON:Description}. \(ChangeType=%{DATA:ChangeType}, InstanceId=%{NUMBER:InstanceId}, Protocol=%{NOTSPACE:Protocol}, ExitIf=%{NOTSPACE:ExitIf}, Nexthop=%{IPV4:Nexthop}, Neighbour=%{IP:Neighbour}, Preference=%{NUMBER:Preference}, Label=%{NOTSPACE:Label}, Metric=%{NUMBER:Metric}\)

#### Anti Virus
##<188>Jan 23 2020 01:52:32 USG6300-01 %%01AV/4/VIRUS(l):A virus was detected. (SyslogId=691, VSys="public", Policy="test", SrcIp=192.168.0.1, DstIp=192.168.11.1, SrcPort=80, DstPort=59996, SrcZone=untrust, DstZone=trust, User="unknown", Protocol=TCP, Application="HTTP_Download", Profile="default", EventNum=1, SignatureId=72216610, VirusName="Trojan.Win32.Agent.2115242", DetectionType="virus detect", Direction=download, FileName="attachment", FileType="exe", Action=Block, Hash="B63B6E6E69477A1D")

# The Brief for this module is VIRUS (see the sample above), which is what
# 01-huawei.conf tests for; "AV" is only the grok reference name. SignatureId is
# stored as SignId to line up with the IPS patterns.
AV %{HUAWEI}%{CISCO_REASON:Description}. \(SyslogId=%{NOTSPACE}, VSys=%{NOTSPACE}, Policy="%{NOTSPACE:Policy}", SrcIp=%{NOTSPACE:SrcIp}, DstIp=%{NOTSPACE:DstIp}, SrcPort=%{NOTSPACE:SrcPort}, DstPort=%{NOTSPACE:DstPort}, SrcZone=%{NOTSPACE:SrcZone}, DstZone=%{NOTSPACE:DstZone}, User=%{NOTSPACE}, Protocol=%{NOTSPACE:Protocol}, Application="%{NOTSPACE:Application}", Profile="%{CISCO_REASON:Profile}", EventNum=%{NOTSPACE}, SignatureId=%{NOTSPACE:SignId}, VirusName="%{GREEDYDATA:VirusName}", DetectionType="%{GREEDYDATA:DetectionType}", Direction=%{GREEDYDATA:Direction}, FileName="%{GREEDYDATA:FileName}", FileType="%{GREEDYDATA:FileType}", Action=%{NOTSPACE:Action}, Hash="%{GREEDYDATA:Hash}"\)

##%%01POLICY/6/POLICYDENY (USG6300)
# Key/value form with lowercase hyphenated keys; mapped onto the same
# SrcIp/DstIp/SrcZone/DstZone/Application/Policy names as the IPS patterns.
POLICYDENY %{HUAWEI}vsys=%{NOTSPACE}, protocol=%{NOTSPACE:Protocol}, source-ip=%{NOTSPACE:SrcIp}, source-port=%{NUMBER:SrcPort}, destination-ip=%{NOTSPACE:DstIp}, destination-port=%{NUMBER:DstPort}, time=%{GREEDYDATA}, source-zone=%{DATA:SrcZone}, destination-zone=%{DATA:DstZone}, application-name=%{GREEDYDATA:Application}, rule-name=%{NOTSPACE:Policy}\.
--------------------------------------------------------------------------------