elasticmachine
commented
5 years ago Pinging @elastic/secops
Closed andrewkroh closed 5 years ago
elasticmachine
commented
5 years ago Pinging @elastic/secops
jamesspi
commented
5 years ago @andrewkroh - plan on having a PR for this early Jan. Sorry for the delay!
As a user I want to be able to ingest firewall logs from Ubiquiti network gear. Ubiquiti firewall logs are essentially Linux iptables log message with a prefix that designates the source interface. In my experience the primary means of getting these logs is via syslog. Here are some samples (without the syslog header).
[wan-local-default-D]IN=eth0 OUT= MAC=05:10:d6:f0:81:b4:f8:e4:00:9a:f9:00:08:00 SRC=23.102.178.95 DST=192.168.1.4 LEN=1357 TOS=0x00 PREC=0x00 TTL=116 ID=18905 DF PROTO=TCP SPT=443 DPT=33785 WINDOW=514 RES=0x00 ACK PSH URGP=0[wan-lan-3-A]IN=eth0 OUT=eth1 MAC=05:10:d6:f0:81:b4:f8:e4:fb:00:f9:00:08:00 SRC=1.2.3.4 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=3097 DF PROTO=TCP SPT=54488 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0