cscli parsers install aderumier/proxmox-iptables-logs
A parser for the Proxmox iptables log format produced by `-j NFLOG --nflog-prefix '$vmid:$loglevel:$chain: $msg'`
:
-IN=
, specific to proxmox (-IN)ACCEPT
or PVEFW-SET-ACCEPT-MARK
# Parser for Proxmox VE firewall (PVEFW) iptables log lines.
# Only lines whose message contains one of the three deny markers below
# reach the grok pattern; everything else is left for other parsers.
onsuccess: next_stage
# Plain, case-sensitive substring match on the whole message, not on the
# parsed action field, so the marker may appear anywhere in the line.
filter: "evt.Parsed.message contains 'PVEFW-reject' or evt.Parsed.message contains 'DROP' or evt.Parsed.message contains 'REJECT'"
debug: false
name: aderumier/proxmox-iptables-logs
description: "Parse proxmox iptables drop logs"
grok:
  # Expected layout: "<vmid> <loglevel> <iface>-IN <httpdate> [policy ]<action>: <netfilter key=value fields>".
  # The literal "-IN " after int_eth means only -IN chain lines match; lines from other
  # chains (e.g. *-OUT) fail the grok and are not parsed here.
  # Captured fields: vmid, loglevel, int_eth, logdate, action, iface, oface, physin,
  # physout, dst_mac (first MAC of MAC=; the second MAC and the trailing token are
  # matched but discarded), src_ip, dst_ip, data_length, tos, prec, ttl, id, proto,
  # src_port, dst_port, ack, tcp_flags. TC/FLOWLBL/SEQ/WINDOW are matched but unnamed.
  # NOTE(review): HOPLIMIT and TTL both write "ttl", and LEN is captured twice as
  # "data_length" (IP-level, then the optional transport-level one); which value
  # survives a double capture is not visible here — confirm against the grok engine.
  # NOTE(review): logdate is captured but no static sets evt.StrTime from it here;
  # confirm the timestamp is promoted elsewhere before relying on it.
  pattern: "^%{NOTSPACE:vmid} %{NOTSPACE:loglevel} %{NOTSPACE:int_eth}-IN %{HTTPDATE:logdate} (policy )?%{NOTSPACE:action}:( IN=%{DATA:iface})?( OUT=%{DATA:oface})?( PHYSIN=%{DATA:physin})?( PHYSOUT=%{DATA:physout})?( MAC=%{MAC:dst_mac}:%{MAC}%{NOTSPACE})? SRC=%{IP:src_ip} DST=%{IP:dst_ip} LEN=%{INT:data_length}( TOS=0x%{BASE16NUM:tos})?( PREC=0x%{BASE16NUM:prec})?( TC=%{INT})?( FLOWLBL=%{INT})?( HOPLIMIT=%{INT:ttl})?( TTL=%{INT:ttl})?( ID=%{INT:id})?( %{WORD})? PROTO=%{NOTSPACE:proto}( SPT=%{INT:src_port})?( DPT=%{INT:dst_port})?( LEN=%{INT:data_length})?( SEQ=%{INT})?( ACK=%{INT:ack})?( WINDOW=%{INT})?( %{WORD:tcp_flags})?"
  apply_on: message
statics:
  # NOTE(review): service is fixed to "tcp" even though PROTO= is captured as
  # evt.Parsed.proto, so UDP/ICMP drops are also tagged tcp — confirm downstream
  # scenarios expect that before changing it to an expression on proto.
  - meta: service
    value: tcp
  # Tag used by scenarios to select firewall-drop events.
  - meta: log_type
    value: iptables_drop
  # Source address for scenarios/decisions, taken from the packet's SRC= field.
  - meta: source_ip
    expression: "evt.Parsed.src_ip"