Content Pack for NetFilter Logs with Graylog
This Content Pack will automatically parses your netfilter logs, and will parse it based on the traffic headers. It appends IP_HEADER_, TCP_HEADER_, and UDP_HEADER_ to all the appropriate fields. It also includes setting GeoIP, so ensure you download the current City db from Maxmind.
-
GROK patterns:
Defines all new fields to be set when matched in pipeline- NETFILTERHEADER
- NETFILTERMAC
- NETFILTERIPHEADER
- NETFILTERUDPHEADER
- NETFILTERTCPHEADER
-
Pipeline:
Creates Multiple fields to enable stronger queries and analytics- -1 Rules:
process netfilter logs
- 0 Rules:
process TCP netfilter logsprocess UDP netfilter logs
- 1 Rules:
Router dst GeoIP SetRouter src GeoIP Set
- -1 Rules:
-
Lookup Table\Cache:
- geolite2-city (
/etc/graylog/server/GeoLite2-City.mmdb)
- geolite2-city (