Kraken Syslog Parser
Author
- xeraph ( xeraph@nchovy.com)
- stania ( stania@nchovy.com)
- correctfunction
Log Formats
Snort
Input sample log:
snort[20586]: [1:1000000:0] what the hell {TCP} 10.10.0.10:5432 -> 10.10.0.8:1837
SyslogLogParser output:
| key | type | value example |
|---|---|---|
| pid | int | 20586 |
| gid | int | 1 |
| sid | int | 1000000 |
| rev | int | 0 |
| msg | string | what the hell |
| proto | string | TCP |
| src_ip | ip | 10.10.0.10 |
| src_port | int | 5432 |
| dst_ip | ip | 10.10.0.8 |
| dst_port | int | 1837 |
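The table above maps one Snort syslog line onto typed fields. As an added example (not Kraken's SyslogLogParser and not code from the page), the Python parser below does the same extraction with a named-group regex and applies the table's types: `int` fields are converted, `ip` fields are validated with the standard `ipaddress` module, and a line that does not match the format is rejected rather than partially parsed. The optional `[Classification: ...] [Priority: N]` fields and the port-less form Snort uses for ICMP are assumptions about Snort's syslog output that the page's sample does not show; the ICMP sample line is constructed.

```python
import ipaddress
import re
from typing import Optional

# Snort alert line as shown on the page:
#   snort[<pid>]: [<gid>:<sid>:<rev>] <msg> {<proto>} <src_ip>:<src_port> -> <dst_ip>:<dst_port>
# The "[Classification: ...] [Priority: N]" fields and the port-less form used
# for ICMP are assumptions (not in the page's sample) and are made optional.
SNORT_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) "
    r"(?:\[Classification: (?P<classification>[^\]]*)\] )?"
    r"(?:\[Priority: (?P<priority>\d+)\] )?"
    r"\{(?P<proto>[^}]+)\} "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<src_port>\d+))? -> "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dst_port>\d+))?$"
)

# Field types from the page's table ("int" and "ip"); everything else is a string.
INT_FIELDS = frozenset({"pid", "gid", "sid", "rev", "src_port", "dst_port", "priority"})
IP_FIELDS = frozenset({"src_ip", "dst_ip"})

# Sample input copied from the page.
PAGE_SAMPLE = "snort[20586]: [1:1000000:0] what the hell {TCP} 10.10.0.10:5432 -> 10.10.0.8:1837"
# Constructed ICMP alert (not from the page) exercising the optional fields.
ICMP_SAMPLE = ("snort[11]: [1:2:3] constructed icmp alert "
               "[Classification: Test] [Priority: 2] {ICMP} 192.0.2.1 -> 192.0.2.2")


def parse_snort(line: str) -> Optional[dict]:
    """Return the typed field dict for one Snort syslog line, or None if the
    line does not match the format (a parser should reject, not guess)."""
    # search() rather than match(): a syslog timestamp/hostname prefix may precede "snort[".
    m = SNORT_RE.search(line.strip())
    if m is None:
        return None
    out = {}
    for key, value in m.groupdict().items():
        if value is None:          # optional field absent on this line
            continue
        if key in INT_FIELDS:
            out[key] = int(value)
        elif key in IP_FIELDS:
            try:
                out[key] = ipaddress.ip_address(value)
            except ValueError:     # e.g. 999.1.1.1 passes the regex but is not an address
                return None
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, ICMP_SAMPLE, "snort[1]: not an alert line"):
        print(parse_snort(sample))
```

Returning `None` for a non-matching line keeps a malformed or truncated event from being stored with half its fields; a collector can count such rejects to notice format changes after a sensor upgrade.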
Fortigate (FortiOS 4.x)
NetScreen ISG 1000/2000
attack log
SYN flood! From 1.1.1.1:1111 to 22.22.22.22:22222, proto TCP (zone zone #1, int test interface). Occurred 100 times.
session log
nsisg1000: NetScreen device_id=0133012007000002 [Root]system-notification-00257(traffic): start_time="2009-01-22 15:14:10" duration=0 policy_id=45 service=icmp proto=1 src zone=Untrust dst zone=Trust action=Deny sent=0 rcvd=0 src=58.72.190.250 dst=210.99.53.197 icmp type=8 session_id=0
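The two NetScreen samples above need different handling: the attack log is a fixed sentence, while the session log is a header followed by `key=value` pairs in which some keys contain a space (`src zone`, `icmp type`) and some values are double-quoted (`start_time`). As an added example (Python, not Kraken's own parser), the code below parses both. The header field names `host`, `vsys`, `event` and `subtype` are this example's own naming, the session sample is the page's line with its quotes unescaped, and the parser also tolerates the escaped `\"` form some syslog dumps produce.

```python
import ipaddress
import re
from typing import Optional

# Header of the NetScreen session (traffic) log shown on the page:
#   <host>: NetScreen device_id=<id> [<vsys>]<event>(<subtype>): <key=value ...>
# The names host, vsys, event and subtype are this example's own, not Kraken's.
SESSION_HEADER_RE = re.compile(
    r"^(?P<host>[^:\s]+): NetScreen device_id=(?P<device_id>\S+) "
    r"\[(?P<vsys>[^\]]+)\](?P<event>[^(:]+)\((?P<subtype>[^)]+)\): (?P<body>.*)$"
)

# key=value pairs of the body: keys may contain one space ("src zone",
# "icmp type"); values are double-quoted ("start_time") or bare.
KV_RE = re.compile(
    r'(?P<key>[A-Za-z_][A-Za-z0-9_]*(?: [A-Za-z_][A-Za-z0-9_]*)?)='
    r'(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))'
)

# Attack log line shown on the page ("SYN flood! From ... Occurred N times.").
ATTACK_RE = re.compile(
    r"^(?P<msg>.+?)! From (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+) "
    r"to (?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dst_port>\d+), "
    r"proto (?P<proto>\w+) \(zone (?P<zone>.+?), int (?P<interface>.+?)\)\. "
    r"Occurred (?P<count>\d+) times\.$"
)

# Samples copied from the page (session line with its quotes unescaped).
SESSION_SAMPLE = (
    'nsisg1000: NetScreen device_id=0133012007000002 '
    '[Root]system-notification-00257(traffic): start_time="2009-01-22 15:14:10" '
    'duration=0 policy_id=45 service=icmp proto=1 src zone=Untrust dst zone=Trust '
    'action=Deny sent=0 rcvd=0 src=58.72.190.250 dst=210.99.53.197 icmp type=8 '
    'session_id=0'
)
ATTACK_SAMPLE = ("SYN flood! From 1.1.1.1:1111 to 22.22.22.22:22222, proto TCP "
                 "(zone zone #1, int test interface). Occurred 100 times.")


def _typed(value: str):
    """Bare value -> int, IP address or str (the types used in the Snort table)."""
    if value.isdigit():
        return int(value)
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return value


def parse_session(line: str) -> Optional[dict]:
    """Parse a NetScreen traffic log line into a flat dict, or None on mismatch."""
    # Some syslog dumps escape the quotes (\"), as the page's sample does.
    line = line.strip().replace('\\"', '"')
    m = SESSION_HEADER_RE.match(line)
    if m is None:
        return None
    out = {k: m.group(k) for k in ("host", "device_id", "vsys", "event", "subtype")}
    for kv in KV_RE.finditer(m.group("body")):
        key = kv.group("key").replace(" ", "_")        # "src zone" -> "src_zone"
        if kv.group("quoted") is not None:
            out[key] = kv.group("quoted")              # quoted values stay strings
        else:
            out[key] = _typed(kv.group("bare"))
    return out


def parse_attack(line: str) -> Optional[dict]:
    """Parse a NetScreen attack log line, or None on mismatch."""
    m = ATTACK_RE.match(line.strip())
    if m is None:
        return None
    out = m.groupdict()
    for k in ("src_port", "dst_port", "count"):
        out[k] = int(out[k])
    for k in ("src_ip", "dst_ip"):
        out[k] = ipaddress.ip_address(out[k])
    return out


def parse_netscreen(line: str) -> Optional[dict]:
    """Try the session format first, then the attack format."""
    return parse_session(line) or parse_attack(line)


if __name__ == "__main__":
    print(parse_netscreen(SESSION_SAMPLE))
    print(parse_netscreen(ATTACK_SAMPLE))
```

The header is matched before the body so that `NetScreen device_id` is not mistaken for a two-word key, and `device_id` is kept as a string to preserve its leading zero; only bare body values are typed.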
Your Help Needed
- Send syslog samples to xeraph@nchovy.com
- device firmware version
- syslog dump (use syslog.trace command)
- log format reference manual, if one exists
See also
History
- 1.2.0 (2011-12-10)
- depends on log api 1.4.0
- added futuresystems weguardia log format
- 1.0.0 release (2010-11-25)
