
Custom Log Format

Hey guys,

Trying to format a custom log source from file.

It fails to get picked up by the sample logs, and fails due to an inability to find the date.

I am looking for the time field that I have highlighted, but all my attempts to create the custom field are not recognized. How might I format this?

id=DEVICEREMOVED sn=SERIALREMOVED time="2021-04-21 20:05:05" fw=192.168.0.119 pri=1 c=0 m=1154 msg="Application Control Detection Alert: PROTOCOLS SSH Protocol -- Client Request Outbound" sid=10097 appcat="PROTOCOLS SSH Protocol -- Client Request Outbound" appid=129 catid=74 n=15698 src=X.X.X.X:52689:X3 dst=X.X.X.X:22:X0 srcMac=MACREDMOVED dstMac=MACREDMOVED proto=tcp/22 fw_action="NA"

I am trying to forward specific events to Site24x7 so I can create a simple dashboard. In this case, it is several SonicWall firewalls.

 

Thanks!


Attachments
logtype.JPG

Dear Dennis,

Please use the below sample logs and log pattern to create a log type.

Sample Logs

id=DEVICEREMOVED sn=SERIALREMOVED time="2021-04-21 20:05:05" fw=192.168.0.119 pri=1 c=0 m=1154 msg="Application Control Detection Alert: PROTOCOLS SSH Protocol -- Client Request Outbound" sid=10097 appcat="PROTOCOLS SSH Protocol -- Client Request Outbound" appid=129 catid=74 n=15698 src=X.X.X.X:52689:X3 dst=X.X.X.X:22:X0 srcMac=MACREDMOVED dstMac=MACREDMOVED proto=tcp/22 fw_action="NA"
id=DEVICEREMOVED sn=SERIALREMOVED time="2021-04-21 20:05:05" fw=192.168.0.119 pri=1 c=0 m=1154 msg="Application Control Detection Alert: PROTOCOLS SSH Protocol -- Client Request Outbound" sid=10097 appcat="PROTOCOLS SSH Protocol -- Client Request Outbound" appid=129 catid=74 n=15698 src=X.X.X.X:52689:X3 dst=X.X.X.X:22:X0 srcMac=MACREDMOVED dstMac=MACREDMOVED proto=tcp/22 fw_action="NA"
id=DEVICEREMOVED sn=SERIALREMOVED time="2021-04-21 20:05:05" fw=192.168.0.119 pri=1 c=0 m=1154 msg="Application Control Detection Alert: PROTOCOLS SSH Protocol -- Client Request Outbound" sid=10097 appcat="PROTOCOLS SSH Protocol -- Client Request Outbound" appid=129 catid=74 n=15698 src=X.X.X.X:52689:X3 dst=X.X.X.X:22:X0 srcMac=MACREDMOVED dstMac=MACREDMOVED proto=tcp/22 fw_action="NA"

Log Pattern

id=$DeviceId$ sn=$SerialNumber$ time="$Time:date$" fw=$FirewallWANIP$ pri=$Priority$ c=$MessageCategory:number$ m=$MessageId:number$ msg="$Message$" sid=$SignatureID$ appcat="$AppCategory$" appid=$AppId$ catid=$CategoryId:number$ n=$MessageCount:number$ src=$SourceIP$ dst=$DestinationIP$ srcMac=$SourceMac$ dstMac=$DestinationMac$ proto=$Protocol$ fw_action="$ForwardAction$"

The above log pattern will work only when the order of the fields is the same as that in the actual log file. If the order of fields is different or if any new fields come in between, then this pattern will not match those log lines.

In this case, please contact support@site24x7.com with the sample logs for further assistance.

Please refer to the below help link to define the log pattern for any custom logs:
https://www.site24x7.com/help/log-management/add-log-type.html#custom-format

 

Regards,

Magesh Rajan

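The `$Field$` pattern above is positional: it matches a line only when every field appears in exactly that order, as the reply points out. SonicWall logs are key=value pairs, so a field-order-independent parser is the natural way to validate sample lines (and to find out why the `time` field is not being recognized) before committing to a pattern. The example below is an added illustration for this thread, not Site24x7's or SonicWall's code. The sample lines are constructed for the example: they keep the shape of the line posted above (with the `DEVICEREMOVED`, `SERIALREMOVED` and `MACREDMOVED` placeholders) but substitute private and documentation addresses for the redacted IPs, and the second line deliberately reorders fields and adds an invented `sess` field that the positional pattern would reject.

```python
import re
from datetime import datetime

# Constructed sample lines for this example (not from a real device). The second
# line reorders fields and adds "sess", which a positional $Field$ pattern would
# not match; a key=value parser handles both.
SAMPLE_LOGS = [
    'id=DEVICEREMOVED sn=SERIALREMOVED time="2021-04-21 20:05:05" fw=192.168.0.119 '
    'pri=1 c=0 m=1154 msg="Application Control Detection Alert: PROTOCOLS SSH '
    'Protocol -- Client Request Outbound" sid=10097 appcat="PROTOCOLS SSH Protocol '
    '-- Client Request Outbound" appid=129 catid=74 n=15698 src=10.0.0.5:52689:X3 '
    'dst=203.0.113.7:22:X0 srcMac=MACREDMOVED dstMac=MACREDMOVED proto=tcp/22 '
    'fw_action="NA"',
    'id=DEVICEREMOVED sn=SERIALREMOVED time="2021-04-21 20:06:12" fw=192.168.0.119 '
    'pri=1 c=0 m=1154 sess="Web" msg="Application Control Detection Alert: PROTOCOLS '
    'SSH Protocol -- Client Request Outbound" n=15699 src=10.0.0.6:52700:X3 '
    'dst=203.0.113.7:22:X0 proto=tcp/22 fw_action="drop"',
]

# One key=value token: the key, then either a double-quoted value (which may
# contain spaces, colons and "--") or a run of non-whitespace characters.
TOKEN_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Fields the thread's pattern types as numbers, plus the ones that are always ints.
NUMERIC_FIELDS = {"pri", "c", "m", "sid", "appid", "catid", "n"}
# SonicWall writes src/dst as ip:port:interface.
ENDPOINT_FIELDS = {"src", "dst"}
# Matches time="2021-04-21 20:05:05" exactly; a different device format would fail here.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def split_endpoint(value):
    """Split 'ip:port:interface' into a dict; port becomes int when present."""
    parts = value.split(":")
    endpoint = {"ip": parts[0]}
    if len(parts) > 1 and parts[1]:
        endpoint["port"] = int(parts[1])
    if len(parts) > 2:
        endpoint["iface"] = parts[2]
    return endpoint


def parse_line(line):
    """Parse one key=value line into a dict, whatever the field order.

    Raises ValueError when the time field is missing or does not match
    TIME_FORMAT, which is the failure the original post describes.
    """
    fields = {}
    for key, quoted, bare in TOKEN_RE.findall(line):
        value = quoted if quoted else bare
        if key in NUMERIC_FIELDS:
            value = int(value)
        elif key in ENDPOINT_FIELDS:
            value = split_endpoint(value)
        fields[key] = value
    if "time" not in fields:
        raise ValueError("no time field: " + line[:60])
    try:
        fields["time"] = datetime.strptime(fields["time"], TIME_FORMAT)
    except ValueError as exc:
        raise ValueError("unparseable time %r" % fields["time"]) from exc
    return fields


def parse_log(lines):
    """Parse many lines; return (events, rejected) so bad lines are counted, not lost."""
    events, rejected = [], []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        try:
            events.append(parse_line(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return events, rejected


if __name__ == "__main__":
    # The third line has a time value that does not match the expected format.
    events, rejected = parse_log(SAMPLE_LOGS + ['id=X time="not a date" m=1'])
    for ev in events:
        print(ev["time"].isoformat(), ev["m"], ev["src"]["ip"], "->",
              ev["dst"]["ip"], ev["fw_action"])
    for line, reason in rejected:
        print("rejected:", reason)
```

Running the block prints the two parsed events and one rejection for the line whose `time` value does not match `TIME_FORMAT`. If your real lines are rejected the same way, the format string (or the device's date format) is what to adjust; if they parse here but the positional pattern still fails, a field is out of order or an extra field is present, which is the case the reply says needs a different pattern.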

Hi Magesh,
 
Thank you very much.
 
The example makes much more sense now that I see it. I was having trouble getting a good understanding through the documentation.
 
If it does change, with this template, I feel as if I can update it as needed.
