I am consuming logs from my Vyatta firewall and I am having trouble getting the field extractor to reliably pull the rule name from the events. It looks like I need to manually build the regex query, but unfortunately I lack that skill.
The rule name is always the 7th field as identified by spaces.
[<ruleset>-<ruleNumber>-<action>]
* Ruleset could be trust-service-6, trust-untrust6, dmz-local, etc. in my instance. Generically, it could be any text.
* RuleNumber could be 1-9999 or default.
* Action could be A, R or D.
These are examples of the form the rule names take in my environment.
[dmz-local-6-10-A]
[dmz-local-100-A]
[trust-untrust-2-D]
[untrust-trust-3-D]
[work-untrust-20-A]
[trust-untrust-default-D]
[trust-service-6-default-D]
[dmz-local-6-50-R]
[dmz-mgmt-100-R]
The following are raw sources.
- Mar 8 09:25:21 carbon kernel: [8195160.290370] [trust-local-6-10-A] IN=eth0.100 OUT= MAC=00:30:48:9f:33:b2:54:04:a6:42:be:92:86:dd SRC=2001:0db8:0100:0100:0000:0000:0000:0010 DST=2001:0db8:0100:0100:0000:0000:0000:0001 LEN=89 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=59399 DPT=53 LEN=49
- Mar 8 09:25:21 carbon kernel: [8195160.293139] [service-untrust-10-A] IN=eth1.600 OUT=eth1.999 MAC=00:30:48:9f:33:b3:00:0c:29:47:da:a1:08:00 SRC=10.0.6.5 DST=204.246.162.10 LEN=117 TOS=0x00 PREC=0x00 TTL=63 ID=46094 PROTO=UDP SPT=21394 DPT=53 LEN=97
- Mar 8 09:25:21 carbon kernel: [8195160.386377] [trust-local-6-10-A] IN=eth0.100 OUT= MAC=00:30:48:9f:33:b2:54:04:a6:42:be:92:86:dd SRC=2001:0db8:0100:0100:0000:0000:0000:0010 DST=2001:0db8:0100:0100:0000:0000:0000:0001 LEN=89 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=63647 DPT=53 LEN=49
- Mar 8 09:25:21 carbon kernel: [8195160.388007] [service-untrust-10-A] IN=eth1.600 OUT=eth1.999 MAC=00:30:48:9f:33:b3:00:0c:29:47:da:a1:08:00 SRC=10.0.6.5 DST=204.246.162.10 LEN=117 TOS=0x00 PREC=0x00 TTL=63 ID=46095 PROTO=UDP SPT=28420 DPT=53 LEN=97
- Mar 8 09:25:21 carbon kernel: [8195160.472564] [trust-untrust-20-A] IN=eth0.100 OUT=eth1.999 MAC=00:30:48:9f:33:b2:54:04:a6:42:be:92:08:00 SRC=10.0.1.10 DST=204.236.229.254 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=30076 DF PROTO=TCP SPT=51287 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
- Mar 8 09:25:23 carbon kernel: [8195162.690082] [work-service-20-A] IN=eth0.300 OUT=eth1.600 MAC=00:30:48:9f:33:b2:00:13:c3:d2:f0:b2:08:00 SRC=10.0.4.120 DST=10.0.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=31426 DF PROTO=TCP SPT=60668 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
- Mar 8 09:25:23 carbon kernel: [8195162.693543] [work-service-20-A] IN=eth0.300 OUT=eth1.600 MAC=00:30:48:9f:33:b2:00:13:c3:d2:f0:b2:08:00 SRC=10.0.4.120 DST=10.0.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=31429 DF PROTO=TCP SPT=60669 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
- Mar 8 09:25:24 carbon kernel: [8195163.148490] [work-service-20-A] IN=eth0.300 OUT=eth1.600 MAC=00:30:48:9f:33:b2:00:13:c3:d2:f0:b2:08:00 SRC=10.0.4.120 DST=10.0.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=31455 DF PROTO=TCP SPT=60670 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
- Mar 8 09:25:26 carbon kernel: [8195165.241861] [work-service-20-A] IN=eth0.300 OUT=eth1.600 MAC=00:30:48:9f:33:b2:00:13:c3:d2:f0:b2:08:00 SRC=10.0.4.120 DST=10.0.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=31483 DF PROTO=TCP SPT=60671 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
- Mar 8 09:25:27 carbon kernel: [8195166.278045] [untrust-local-6-10-A] IN=eth1.999 OUT= MAC=00:30:48:9f:33:b3:00:0c:29:af:6d:87:86:dd SRC=2001:0470:1f11:03f2:0000:0000:0000:0203 DST=2001:0470:1f11:03f2:0000:0000:0000:0001 LEN=82 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=33103 DPT=53 LEN=42
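As an added example (not part of the question, and not vendor code), one regex that handles both the "-6" ruleset suffix and the "default" rule number, run over shortened copies of the sample lines above plus a constructed reject line; the tally function is a hypothetical helper showing what a defender would do with the extracted fields:

```python
import re
from collections import Counter

# Regex for the [<ruleset>-<ruleNumber>-<action>] token described in the question.
# The ruleset group is lazy, so a trailing "-6" (e.g. dmz-local-6) stays part of the
# ruleset and the LAST "-<1..9999|default>-<A|R|D>]" is taken as rule number and
# action.  Python needs (?P<name>...) named groups; PCRE/Java-style engines used by
# most log platforms accept the same pattern written with (?<name>...).
RULE_RE = re.compile(
    r"\[(?P<ruleset>[\w-]+?)-(?P<rule>[1-9]\d{0,3}|default)-(?P<action>[ARD])\]"
)


def parse_rule(line):
    """Return (ruleset, rule, action) from one log line, or None if no rule tag."""
    m = RULE_RE.search(line)
    if m is None:
        return None
    return m.group("ruleset"), m.group("rule"), m.group("action")


def count_by_action(lines):
    """Tally how often each (action, ruleset, rule) fired; handy for spotting
    which deny/reject rules are actually being hit."""
    counts = Counter()
    for line in lines:
        parsed = parse_rule(line)
        if parsed:
            ruleset, rule, action = parsed
            counts[(action, ruleset, rule)] += 1
    return counts


# Constructed sample input: shortened versions of the raw events in the question,
# a made-up "default" reject, and a kernel line with no rule tag at all.
SAMPLE_LOGS = [
    "Mar 8 09:25:21 carbon kernel: [8195160.290370] [trust-local-6-10-A] IN=eth0.100 OUT= PROTO=UDP SPT=59399 DPT=53",
    "Mar 8 09:25:21 carbon kernel: [8195160.293139] [service-untrust-10-A] IN=eth1.600 OUT=eth1.999 PROTO=UDP DPT=53",
    "Mar 8 09:25:21 carbon kernel: [8195160.386377] [trust-local-6-10-A] IN=eth0.100 OUT= PROTO=UDP SPT=63647 DPT=53",
    "Mar 8 09:25:30 carbon kernel: [8195169.000000] [trust-untrust-default-D] IN=eth0.100 OUT=eth1.999 PROTO=TCP DPT=23",
    "Mar 8 09:25:31 carbon kernel: [8195170.000000] eth1.999: link is up",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_rule(line))
    for key, n in sorted(count_by_action(SAMPLE_LOGS).items()):
        print(key, n)
```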