charon-ipsec-logs Configuration

« charon-ipsec-logs »
v0.1 by darkclip
Log parser

Parse Charon IPsec logs

Installation

cscli parsers install darkclip/charon-ipsec-logs

Description

Parser for Charon IPsec authentication fail.

YAML Configuration

1name: darkclip/charon-ipsec-logs
2#debug: true
3filter: "evt.Parsed.program == 'charon'"
4description: Parse Charon IPsec logs
5onsuccess: next_stage
6pattern_syntax:
7  IPSEC_ID: '<%{DATA}\|%{NUMBER}>'
8nodes:
9  - grok:
10      pattern: '^%{NUMBER:thread}\[%{WORD:subsys}\] %{IPSEC_ID:ipsec_id}.*verification.*failed.*'
11      apply_on: message
12    stash:
13      - name: charon_ipsec_logs
14        key: evt.Parsed.thread
15        value: evt.Parsed.ipsec_id
16        ttl: 5s
17        size: 10
18  - grok:
19      pattern: '^%{NUMBER:thread}\[%{WORD:subsys}\] %{IPSEC_ID:ipsec_id}.*authentication.*failed.*'
20      apply_on: message
21    stash:
22      - name: charon_ipsec_logs
23        key: evt.Parsed.thread
24        value: evt.Parsed.ipsec_id
25        ttl: 5s
26        size: 10
27  - grok:
28      pattern: '^%{NUMBER:thread}\[%{WORD:subsys}\] %{IPSEC_ID:ipsec_id} sending packet\: from %{IP:target_ip}\[%{NUMBER:target_port}\] to %{IP:source_ip}\[%{NUMBER:source_port}\].*'
29      apply_on: message
30    nodes:
31      - filter: "GetFromStash('charon_ipsec_logs', evt.Parsed.thread) != '' && GetFromStash('charon_ipsec_logs', evt.Parsed.thread) == evt.Parsed.ipsec_id"
32        statics:
33          - meta: log_type
34            value: charon_ipsec_auth_fail
35          - meta: source_ip
36            expression: evt.Parsed.source_ip
37
38statics:
39  - meta: service
40    value: charon_ipsec
41

Hub configuration

« charon-ipsec-logs »v0.1 by darkclipLog parser

« charon-ipsec-logs »
v0.1 by darkclip
Log parser