Hey guys,
Trying to format a custom log source from file.
It fails to get picked up by the sample logs, and fails due to an inability to find the date.
I am looking for the time field that I have highlighted, but all my attempts to create the custom field are not recognized. How might I format this?
id=DEVICEREMOVED sn=SERIALREMOVED time="2021-04-21 20:05:05" fw=192.168.0.119 pri=1 c=0 m=1154 msg="Application Control Detection Alert: PROTOCOLS SSH Protocol -- Client Request Outbound" sid=10097 appcat="PROTOCOLS SSH Protocol -- Client Request Outbound" appid=129 catid=74 n=15698 src=X.X.X.X:52689:X3 dst=X.X.X.X:22:X0 srcMac=MACREDMOVED dstMac=MACREDMOVED proto=tcp/22 fw_action="NA"
I am trying to forward specific events to Site24x7 so I can create a simple dashboard. In this case, it is several SonicWall firewalls.
Thanks!
Dear Dennis,
Please use the below sample logs and log pattern to create a log type.
Sample Logs
id=DEVICEREMOVED sn=SERIALREMOVED time="2021-04-21 20:05:05" fw=192.168.0.119 pri=1 c=0 m=1154 msg="Application Control Detection Alert: PROTOCOLS SSH Protocol -- Client Request Outbound" sid=10097 appcat="PROTOCOLS SSH Protocol -- Client Request Outbound" appid=129 catid=74 n=15698 src=X.X.X.X:52689:X3 dst=X.X.X.X:22:X0 srcMac=MACREDMOVED dstMac=MACREDMOVED proto=tcp/22 fw_action="NA"
id=DEVICEREMOVED sn=SERIALREMOVED time="2021-04-21 20:05:05" fw=192.168.0.119 pri=1 c=0 m=1154 msg="Application Control Detection Alert: PROTOCOLS SSH Protocol -- Client Request Outbound" sid=10097 appcat="PROTOCOLS SSH Protocol -- Client Request Outbound" appid=129 catid=74 n=15698 src=X.X.X.X:52689:X3 dst=X.X.X.X:22:X0 srcMac=MACREDMOVED dstMac=MACREDMOVED proto=tcp/22 fw_action="NA"
id=DEVICEREMOVED sn=SERIALREMOVED time="2021-04-21 20:05:05" fw=192.168.0.119 pri=1 c=0 m=1154 msg="Application Control Detection Alert: PROTOCOLS SSH Protocol -- Client Request Outbound" sid=10097 appcat="PROTOCOLS SSH Protocol -- Client Request Outbound" appid=129 catid=74 n=15698 src=X.X.X.X:52689:X3 dst=X.X.X.X:22:X0 srcMac=MACREDMOVED dstMac=MACREDMOVED proto=tcp/22 fw_action="NA"
Log Pattern
id=$DeviceId$ sn=$SerialNumber$ time="$Time:date$" fw=$FirewallWANIP$ pri=$Priority$ c=$MessageCategory:number$ m=$MessageId:number$ msg="$Message$" sid=$SignatureID$ appcat="$AppCategory$" appid=$AppId$ catid=$CategoryId:number$ n=$MessageCount:number$ src=$SourceIP$ dst=$DestinationIP$ srcMac=$SourceMac$ dstMac=$DestinationMac$ proto=$Protocol$ fw_action="$ForwardAction$"
The above log pattern will work only when the order of the fields is the same as that in the actual log file. If the order of fields is different or if any new fields come in between, then this pattern will not match those log lines.
In this case, please contact [email protected] with the sample logs for further assistance.
Please refer to the below help link to define the log pattern for any custom logs.
https://www.site24x7.com/help/log-management/add-log-type.html#custom-format
Regards,
Magesh Rajan
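The two points in the reply, that the `time="..."` value is the field to parse as the date and that a positional `$Field$` pattern only matches when field order is unchanged, can be checked offline. The following is an added example, not Site24x7's parser or anything from SonicWall: it compiles the reply's pattern into a positional regex, parses the same line as order-independent key=value pairs, and extracts the timestamp. The second sample line is constructed (an extra `note=` field inserted and `src`/`dst` swapped) to show the case the reply warns about; the positional matcher rejects it while the key=value parser still recovers every field.

```python
import re
from datetime import datetime
from typing import Optional

# Sample line from the thread; placeholders (DEVICEREMOVED, X.X.X.X, MACREDMOVED) kept as-is.
SAMPLE_IN_ORDER = (
    'id=DEVICEREMOVED sn=SERIALREMOVED time="2021-04-21 20:05:05" fw=192.168.0.119 '
    'pri=1 c=0 m=1154 msg="Application Control Detection Alert: PROTOCOLS SSH Protocol '
    '-- Client Request Outbound" sid=10097 appcat="PROTOCOLS SSH Protocol -- Client '
    'Request Outbound" appid=129 catid=74 n=15698 src=X.X.X.X:52689:X3 dst=X.X.X.X:22:X0 '
    'srcMac=MACREDMOVED dstMac=MACREDMOVED proto=tcp/22 fw_action="NA"'
)
# Constructed variant: an extra field (note=...) inserted and src/dst swapped.
SAMPLE_REORDERED = (
    'id=DEVICEREMOVED sn=SERIALREMOVED time="2021-04-21 20:05:05" fw=192.168.0.119 '
    'pri=1 c=0 m=1154 note="constructed extra field" msg="Application Control Detection '
    'Alert: PROTOCOLS SSH Protocol -- Client Request Outbound" sid=10097 appcat="PROTOCOLS '
    'SSH Protocol -- Client Request Outbound" appid=129 catid=74 n=15698 dst=X.X.X.X:22:X0 '
    'src=X.X.X.X:52689:X3 srcMac=MACREDMOVED dstMac=MACREDMOVED proto=tcp/22 fw_action="NA"'
)

# The positional pattern from the reply, in the $Field$ / $Field:type$ notation.
LOG_PATTERN = (
    'id=$DeviceId$ sn=$SerialNumber$ time="$Time:date$" fw=$FirewallWANIP$ pri=$Priority$ '
    'c=$MessageCategory:number$ m=$MessageId:number$ msg="$Message$" sid=$SignatureID$ '
    'appcat="$AppCategory$" appid=$AppId$ catid=$CategoryId:number$ n=$MessageCount:number$ '
    'src=$SourceIP$ dst=$DestinationIP$ srcMac=$SourceMac$ dstMac=$DestinationMac$ '
    'proto=$Protocol$ fw_action="$ForwardAction$"'
)

FIELD_TOKEN = re.compile(r"\$(\w+)(?::\w+)?\$")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # matches the time="..." value in the sample


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a $Field$ template into an anchored regex (illustrative, not Site24x7's engine).
    Literal text between tokens is escaped; a token inside quotes becomes [^"]*, otherwise \\S*,
    so a field cannot silently swallow a neighbouring key=value pair."""
    parts = []
    pos = 0
    for m in FIELD_TOKEN.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        quoted = m.start() > 0 and pattern[m.start() - 1] == '"'
        body = '[^"]*' if quoted else r"\S*"
        parts.append(f"(?P<{m.group(1)}>{body})")
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def match_positional(line: str, pattern: str = LOG_PATTERN) -> Optional[dict]:
    """Return the named fields if the line matches the template in order, else None."""
    m = pattern_to_regex(pattern).match(line)
    return m.groupdict() if m else None


KV_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> dict:
    """Order-independent parse of key=value and key="quoted value" pairs."""
    fields = {}
    for m in KV_TOKEN.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def event_time(line: str) -> Optional[datetime]:
    """Timestamp from the time= field, or None if the field is absent or unparsable."""
    raw = parse_kv(line).get("time")
    if raw is None:
        return None
    try:
        return datetime.strptime(raw, TIME_FORMAT)
    except ValueError:
        return None


if __name__ == "__main__":
    for name, line in (("in-order", SAMPLE_IN_ORDER), ("reordered", SAMPLE_REORDERED)):
        print(f"{name}: positional match = {match_positional(line) is not None}, "
              f"time = {event_time(line)}, src = {parse_kv(line)['src']}")
```

The key=value parser is the safer choice for a SonicWall feed in practice, because different message IDs (`m=`) emit different field sets, so a single positional template will only ever cover one message type.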