checkpoint-fw.conf
# Source: Check Point firewall exports dropped on the Logstash host as plain
# text files. The [type] set here is what the filter section keys on.
input {
  file {
    # Absolute path on the Logstash host; every *.txt in the directory is read.
    path           => "/Checkpoint/*.txt"
    # Read newly discovered files from their first line. The file input keeps a
    # sincedb, so this only affects files it has not seen before.
    start_position => "beginning"
    type           => "checkpoint-firewall"
  }
}
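filter {
  # Check Point exports start with commented header lines; drop them before the
  # csv filter sees them so they do not turn into _csvparsefailure events.
  if ([message] =~ /^#/) {
    drop { }
  }
  if [type] == "checkpoint-firewall" {
    csv {
      # Column order must match the export. The "orgin" column name is kept as-is:
      # it is a field name that downstream searches and dashboards may rely on.
      columns   => ["number","date","time","interface","orgin","fw-type","action","service","s-port","s-ip","d-ip","proto","rule","rule-name","rule-number","user","information","product","src-machine","src-user"]
      separator => " "
      # A single list instead of ten repeated remove_field settings, so the set of
      # removed fields does not depend on how the config compiler merges duplicate
      # keys. remove_field runs only when the parse succeeds, so a line that fails
      # to parse keeps its raw [message] for troubleshooting.
      # NOTE(review): rule, rule-name, rule-number, user and src-user are discarded
      # here; these are usually the first fields an investigation asks for — confirm
      # that dropping them is intended.
      remove_field => [ "message", "rule", "rule-name", "rule-number", "user", "product", "number", "interface", "src-machine", "src-user" ]
    }
    mutate {
      # Join the separate date and time columns into one string for the date filter.
      replace      => [ "date", "%{date} %{time}" ]
      remove_field => [ "time" ]
    }
    date {
      # yyyy is the calendar year. The original used YYYY, which in Joda patterns is
      # the week-based year and is the documented cause of wrong years around the
      # turn of the year.
      match        => [ "date", "ddMMMyyyy HH:mm:ss" ]
      # target is a string setting; the previous one-element array relied on
      # implicit coercion.
      target       => "datetime"
      remove_field => [ "date" ]
      # NOTE(review): no timezone is set, so the Logstash host's zone is assumed for
      # the firewall timestamps — confirm against the zone of the export before
      # correlating with other sources.
    }
    geoip {
      # s-ip is the source-address column from the csv above.
      source => "s-ip"
    }
  }
}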
output {
  elasticsearch {
    # All events land in one static index name.
    index    => "checkpointlogs"
    # NOTE(review): embedded => true runs an Elasticsearch node inside the Logstash
    # process. That option belongs to the Logstash 1.x line and is meant for
    # testing rather than production — confirm the Logstash version this targets.
    embedded => true
  }
}