Logstash Parser for Firepower

[rbryant-taxslayer]

Alan,

I'm trying to set up a logstash parser for Firepower Connection Events and they seem to not match the grok filtering in https://github.com/TheAlanNix/cisco-security-tools/blob/master/FirepowerLogstash/FirepowerLogstash.conf.

I understand this file is just a starting point and I was just curious if you had any good resources that you used to build this logstash config file? Assuming I can get to a properly parsing logstash config for these Firepower events, I'll send it over for you to review.

Thank you!
Ricky

[TheAlanNix]

Hey Ricky,

When I was building the Grok match string, I used the following debugger: https://grokdebug.herokuapp.com/

You can plug in some sample logs, and then the match pattern you want to test, and it will show you how it breaks down.

The format for the Firepower syslog events typically varies slightly between versions, but I had updated the sample config back in the fall when 6.5 released - albeit, only tested in my lab. I haven't yet updated it for Firepower 6.6.

If you feel comfortable sharing some of the logs that aren't parsing, I'd be happy to take a look at them as well.