
So I have a problem

This is a sample log that I want to be dropped. So if the [message] contains

<13>Feb 8 17:53:21 10.45.1.9 CEF:0|ArcSight|ArcSight|8.4.3.9181.0|agent:045|File processing ended: Success|Low| eventId=72362662 start=1739017401162 end=1739017401162 mrt=1739017401162

So if the [message] contains agent:045 or agent:044, I want the whole log to be dropped.
How can I do this?

This is my parser:

filter {
    # Seed every field the pipeline writes, so the conditionals below always
    # compare against a defined value even when a grok does not match.
    mutate {
        replace => {
            "src" => ""
            "dhost" => ""
            "src_present" => "false"
            "dhost_present" => "false"
            "status" => ""
            "event.idm.read_only_udm.metadata.vendor_name" => "Indusface"
            "event.idm.read_only_udm.metadata.product_name" => "WAF"
            "event.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
        }
    }

    # Destination host comes from the CEF custom string cs4.
    # A miss only sets the error flag; dhost keeps its empty seed value.
    grok {
        match => {
            "message" => ["cs4=%{HOSTNAME:dhost}"]
        }
        overwrite => ["dhost"]
        on_error => "dhost_extraction_failed"
    }

    # Source IP comes from the src= key anywhere after the CEF: prefix.
    grok {
        match => {
            "message" => ["CEF:%{GREEDYDATA}src=%{IP:src}"]
        }
        overwrite => ["src"]
        on_error => "src_extraction_failed"
    }

    # Only map a hostname that was actually extracted.
    if [dhost] not in ["", "null", "None"] {
        mutate {
            replace => {
                "dhost_present" => "true"
            }
        }
        mutate {
            replace => {
                "event.idm.read_only_udm.target.hostname" => "%{dhost}"
            }
            on_error => "destinationHost_label_empty"
        }
    }

    # Only map an IP that was actually extracted.
    if [src] not in ["", "null", "None"] {
        mutate {
            replace => {
                "src_present" => "true"
            }
        }
        mutate {
            merge => {
                "event.idm.read_only_udm.principal.ip" => "src"
            }
            on_error => "principal_ip_not_set"
        }
    }

    # Both endpoints known: promote the generic event to a connection.
    # src_present / dhost_present are seeded "false" above and only ever
    # flipped to "true", so == "true" is the same test as != "false".
    if [event][idm][read_only_udm][metadata][event_type] == "GENERIC_EVENT" and [src_present] == "true" and [dhost_present] == "true" {
        mutate {
            replace => {
                "event.idm.read_only_udm.metadata.event_type" => "NETWORK_CONNECTION"
            }
        }
    }

    mutate {
        merge => {
            "@output" => "event"
        }
    }
}


Can anyone help?
@bsalvatore ?

There are many changes, I suspect, that you should make to the conf file. First, you should parse the CEF variables in the grok. Please take a look at this modified version and make the necessary changes. I left statedump in so you can see the variable values for debugging; it should be removed before submitting to prod.
 


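filter {
    # Seed every field the pipeline writes, so the conditionals below always
    # compare against a defined value even when a grok does not match.
    mutate {
        replace => {
            "src" => ""
            "device_event_class_id" => ""
            "dhost" => ""
            "src_present" => "false"
            "dhost_present" => "false"
            "status" => ""
            "event.idm.read_only_udm.metadata.vendor_name" => "Indusface"
            "event.idm.read_only_udm.metadata.product_name" => "WAF"
            "event.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
        }
    }

    # Parse the CEF header into named fields. Patterns are tried in order
    # and the first match wins; the last pattern is the original src-only
    # fallback. Array elements must be comma-separated (the original listing
    # was missing the separators after the 1st, 3rd and 4th pattern).
    # NOTE(review): the "\\\\|" pipe escaping is reproduced as pasted; confirm
    # the escape depth the parser actually expects before deploying.
    grok {
        match => {
            "message" => [
                "<%{INT}>%{SYSLOGTIMESTAMP:ts} %{DATA} CEF: %{INT:version}\\\\|%{DATA:device_vendor}\\\\|%{DATA:device_product}\\\\|%{DATA:device_version}\\\\|%{DATA:device_event_class_id}\\\\|%{DATA:event_name}\\\\|%{INT:severity}\\\\|%{GREEDYDATA:cef_extension}",
                "(?:<%{INT}>|%{DATA:temp_data})CEF:%{INT:version}\\\\|%{DATA:device_vendor}\\\\|%{DATA:device_product}\\\\|%{DATA:device_version}\\\\|%{DATA:device_event_class_id}\\\\|(?:%{DATA:event_name}\\\\||)(?P<severity>Medium|MEDIUM|Low|LOW|HIGH|High|Unknown|Very-High|%{INT})(?:\\\\||)%{GREEDYDATA:cef_extension}",
                "CEF: %{TIMESTAMP_ISO8601:timestamp} \\\\| %{GREEDYDATA:kv_data}",
                "(?:<%{INT}>|%{DATA})CEF %{DATA} %{INT:version}\\\\|%{DATA:device_vendor}\\\\|%{DATA:device_product}\\\\|%{DATA:device_version}\\\\|%{DATA:device_event_class_id}\\\\|(?:%{DATA:event_name}\\\\||)(?P<severity>Medium|MEDIUM|Low|LOW|HIGH|High|Unknown|%{INT})(?:\\\\||)%{GREEDYDATA:cef_extension}",
                "CEF:%{GREEDYDATA}src=%{IP:src}"
            ]
        }
        overwrite => ["src","version","device_event_class_id", "event_name","severity", "temp_data","timestamp","kv_data","device_version","cef_extension","device_vendor","device_product"]
        on_error => "src_extraction_failed"
    }

    # Debug aid only: dumps the current field values. Remove before prod.
    statedump{}

    # Drop low-value agent housekeeping events. The test is an exact match
    # on the parsed CEF event class id, not a substring search of [message],
    # so unrelated events that merely mention these ids are kept. If the
    # header grok fails, device_event_class_id stays "" and the event is
    # retained rather than silently lost. The list uses the same [...]
    # syntax as the other "in" conditions in this file.
    if [device_event_class_id] in ["agent:044", "agent:045"] {
        drop {
            tag => "TAG_NO_SECURITY_VALUE"
        }
    }

    # Destination host comes from the CEF custom string cs4.
    grok {
        match => {
            "message" => ["cs4=%{HOSTNAME:dhost}"]
        }
        overwrite => ["dhost"]
        on_error => "dhost_extraction_failed"
    }

    # Only map an IP that was actually extracted.
    if [src] not in ["", "null", "None"] {
        mutate {
            replace => {
                "src_present" => "true"
            }
        }
        mutate {
            merge => {
                "event.idm.read_only_udm.principal.ip" => "src"
            }
            on_error => "principal_ip_not_set"
        }
    }

    # Only map a hostname that was actually extracted.
    if [dhost] not in ["", "null", "None"] {
        mutate {
            replace => {
                "dhost_present" => "true"
            }
        }
        mutate {
            replace => {
                "event.idm.read_only_udm.target.hostname" => "%{dhost}"
            }
            on_error => "destinationHost_label_empty"
        }
    }

    # Both endpoints known: promote the generic event to a connection.
    if [event][idm][read_only_udm][metadata][event_type] == "GENERIC_EVENT" {
        if [src_present] != "false" and [dhost_present] != "false" {
            mutate {
                replace => {
                    "event.idm.read_only_udm.metadata.event_type" => "NETWORK_CONNECTION"
                }
            }
        }
    }

    mutate {
        merge => {
            "@output" => "event"
        }
    }
}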

 

