{ "id" : null, "name" : "Untangle Firewall Syslog ", "description" : "Extract Meaningful fields from untangle syslog data into Graylog. ", "category" : "Firewall ", "inputs" : [ { "title" : "UTFirewall", "configuration" : { "override_source" : "", "allow_override_date" : true, "recv_buffer_size" : 262144, "bind_address" : "10.10.10.10", "port" : 514 }, "type" : "org.graylog2.inputs.syslog.udp.SyslogUDPInput", "global" : false, "extractors" : [ { "title" : "UVM-HTTPRequest-Method1", "type" : "GROK", "configuration" : { "grok_pattern" : "\"requestUri\":%{QUOTEDSTRING:requestURI}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "class com.untangle.node.http.HttpRequestEvent" }, { "title" : "UVM-ClassID", "type" : "GROK", "configuration" : { "grok_pattern" : "class com.untangle.%{HOSTNAME:class}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "NONE", "condition_value" : "" }, { "title" : "UVM-SessionEvent-dport", "type" : "GROK", "configuration" : { "grok_pattern" : "\"SServerPort\":%{INT:dport}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "\"class com.untangle.uvm.node.SessionEvent\"" }, { "title" : "UVM-SessionEvent-protocol", "type" : "GROK", "configuration" : { "grok_pattern" : "\"protocolName\":\"%{PROTOCOL:prot}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "\"class com.untangle.uvm.node.SessionEvent\"" }, { "title" : "UVM-SessionEvent-srcip", "type" : "GROK", "configuration" : { "grok_pattern" : "SClientAddr\":\"/%{IPV4:srcip}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "\"class com.untangle.uvm.node.SessionEvent\"" }, { "title" : "UVM-SessionEvent-destip", "type" : "GROK", "configuration" : { "grok_pattern" : "\"CServerAddr\":\"/%{IPV4:dstip}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "\"class com.untangle.uvm.node.SessionEvent\"" }, { "title" : "UVM-SessionEvent-sessionID", "type" : "GROK", "configuration" : { "grok_pattern" : "\"sessionId\":%{INT:sessionID}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "NONE", "condition_value" : "\"class com.untangle.uvm.node.SessionEvent\"" }, { "title" : "UVM-spamtarpit-srcip", "type" : "GROK", "configuration" : { "grok_pattern" : "\"IPAddr\":\"/%{IPV4:srcip}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "\"class com.untangle.node.spam.SpamSmtpTarpitEvent\"" }, { "title" : "UVM-spamtarpit-destip", "type" : "GROK", "configuration" : { "grok_pattern" : "\"CServerAddr\":\"/%{IPV4:dstip}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "\"class com.untangle.node.spam.SpamSmtpTarpitEvent\"" }, { "title" : "UVM-spamtarpit-dport", "type" : "GROK", "configuration" : { "grok_pattern" : "\"CServerPort\":%{INT:dport}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "\"class com.untangle.node.spam.SpamSmtpTarpitEvent\"" }, { "title" : "UVM-Spamtarpit-spamblocker", "type" : "GROK", "configuration" : { "grok_pattern" : "\"hostname\":\"%{HOSTNAME:spamblocker}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "\"class com.untangle.node.spam.SpamSmtpTarpitEvent\"" }, { "title" : "UVM-ClassID1", "type" : "GROK", "configuration" : { "grok_pattern" : "\"class com.untangle.%{HOSTNAME:class}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "NONE", "condition_value" : "" }, { "title" : "UVM-HTTPRequest-URI", "type" : "GROK", "configuration" : { "grok_pattern" : "\"requestUri\":%{QUOTEDSTRING:requestURI}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "class com.untangle.node.http.HttpRequestEvent" }, { "title" : "UVM-HTTPRequest-Method", "type" : "GROK", "configuration" : { "grok_pattern" : "\"method\":\"%{WORD:method}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "class com.untangle.node.http.HttpRequestEvent" }, { "title" : "UVM-Firewall-Blocked", "type" : "GROK", "configuration" : { "grok_pattern" : "\"blocked\":%{WORD:blocked}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "class com.untangle.node.firewall.FirewallEvent" }, { "title" : "UVM-Firewall-ruleID", "type" : "GROK", "configuration" : { "grok_pattern" : "ruleId\":%{INT:ruleID}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "class com.untangle.node.firewall.FirewallEvent" }, { "title" : "UVM-SMTPEvent-senderid", "type" : "GROK", "configuration" : { "grok_pattern" : "sender\":\"%{EMAILADDRESS:senderid}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "class com.untangle.node.smtp.SmtpMessageEvent" }, { "title" : "UVM-SMTPEvent-recipientid", "type" : "GROK", "configuration" : { "grok_pattern" : "addr\":\"%{EMAILADDRESS:recipientid}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "class com.untangle.node.smtp.SmtpMessageEvent" }, { "title" : "UVM-SMTPEvent-messageid", "type" : "GROK", "configuration" : { "grok_pattern" : "messageId\":%{INT:messageid}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "class com.untangle.node.smtp.SmtpMessageAddressEvent" }, { "title" : "UVM-SPAM-recipientid", "type" : "GROK", "configuration" : { "grok_pattern" : "receiver\":\"%{EMAILADDRESS:recipientid}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "class com.untangle.node.spam.SpamLogEvent" }, { "title" : "UVM-SPAM-score", "type" : "GROK", "configuration" : { "grok_pattern" : "score\":%{BASE10NUM:score}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "class com.untangle.node.spam.SpamLogEvent" }, { "title" : "UVM-SPAM-srcip", "type" : "GROK", "configuration" : { "grok_pattern" : "clientAddr\":\"/%{IPV4:srcip}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "class com.untangle.node.spam.SpamLogEvent" }, { "title" : "UVM-SPAM-senderid", "type" : "GROK", "configuration" : { "grok_pattern" : "sender\":\"%{EMAILADDRESS:senderid}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "class com.untangle.node.spam.SpamLogEvent" }, { "title" : "UVM-SPAM-destip", "type" : "GROK", "configuration" : { "grok_pattern" : "serverAddr\":\"/%{IPV4:destip}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "class com.untangle.node.spam.SpamLogEvent" }, { "title" : "UVM-OPENVPN-srcip", "type" : "GROK", "configuration" : { "grok_pattern" : "address\":\"/%{IPV4:srcip}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "class com.untangle.node.openvpn.OpenVpnStatusEvent" }, { "title" : "UVM-OPENVPN-openvpnid", "type" : "GROK", "configuration" : { "grok_pattern" : "clientName\":\"%{WORD:openvpnid}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "class com.untangle.node.openvpn.OpenVpnStatusEvent" }, { "title" : "UVM-HTTPRequest-hostname", "type" : "GROK", "configuration" : { "grok_pattern" : "host\":\"%{IPORHOST:HOSTNAME}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "class com.untangle.node.http.HttpRequestEvent" }, { "title" : "UVM-HTTPRequest-destip", "type" : "GROK", "configuration" : { "grok_pattern" : "CServerAddr\":\"/%{IPV4:destip}" }, "converters" : [ ], "order" : 0, "cursor_strategy" : "COPY", "target_field" : "message", "source_field" : "message", "condition_type" : "STRING", "condition_value" : "class com.untangle.node.http.HttpRequestEvent" } ], "static_fields" : { } } ], "streams" : [ { "id" : "56ae940384ae55af23c492af", "title" : "TechSupport Stream", "description" : "Sample Stream for Tech Support Engineers", "disabled" : false, "outputs" : [ ], "stream_rules" : [ { "type" : "PRESENCE", "field" : "class", "value" : "", "inverted" : false } ] } ], "outputs" : [ ], "dashboards" : [ { "title" : "Interesting Items to Investigate", "description" : "List of Items worth Investigating", "dashboard_widgets" : [ { "description" : "Top XMLRPC attacks", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 3600 }, "field" : "srcip", "show_pie_chart" : false, "query" : "requestURI:\\/xmlrpc.php", "show_data_table" : true }, "col" : 4, "row" : 4, "cache_time" : 10 }, { "description" : "Top Openvpnid Logins", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 3600 }, "field" : "openvpnid", "show_pie_chart" : false, "query" : "class:node.openvpn.OpenVpnStatusEvent", "show_data_table" : true }, "col" : 3, "row" : 6, "cache_time" : 10 }, { "description" : "Top blog login Attackers", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 3600 }, "field" : "srcip", "show_pie_chart" : false, "query" : "requestURI:\\/blog\\/wp\\-login.php", "show_data_table" : true }, "col" : 2, "row" : 6, "cache_time" : 10 }, { "description" : "Top Destination IPs", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 3600 }, "field" : "dstip", "show_pie_chart" : true, "query" : "class:uvm.node.SessionEvent", "show_data_table" : true }, "col" : 4, "row" : 1, "cache_time" : 10 }, { "description" : "Top Source IPs", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 3600 }, "field" : "srcip", "show_pie_chart" : true, "query" : "class:uvm.node.SessionEvent", "show_data_table" : true }, "col" : 3, "row" : 1, "cache_time" : 10 }, { "description" : "TOP Spam Senders ", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 3600 }, "field" : "senderid", "show_pie_chart" : true, "query" : "class:node.spam.SpamLogEvent score:<0", "show_data_table" : true }, "col" : 2, "row" : 1, "cache_time" : 10 }, { "description" : "Top Spam IPs past hour", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 3600 }, "field" : "srcip", "show_pie_chart" : true, "query" : "class:node.spam.SpamLogEvent score:<0", "show_data_table" : true }, "col" : 1, "row" : 1, "cache_time" : 10 }, { "description" : "WP Login Attempt VictimIPs", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 3600 }, "field" : "dstip", "show_pie_chart" : false, "query" : "method:POST AND requestURI:\\/wp\\-login.php", "show_data_table" : true }, "col" : 2, "row" : 4, "cache_time" : 10 }, { "description" : "Top WP Login Victim HOSTs", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 3600 }, "field" : "HOSTNAME", "show_pie_chart" : false, "query" : "method:POST AND requestURI:\\/wp\\-login.php", "show_data_table" : true }, "col" : 3, "row" : 4, "cache_time" : 10 }, { "description" : "TOP WP Login Attackers", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 3600 }, "field" : "srcip", "show_pie_chart" : false, "query" : "method:POST AND requestURI:\\/wp\\-login.php", "show_data_table" : true }, "col" : 1, "row" : 4, "cache_time" : 10 }, { "description" : "Top blocked Firewall Rules", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 1800 }, "field" : "ruleID", "show_pie_chart" : false, "query" : "blocked:true", "show_data_table" : true }, "col" : 1, "row" : 6, "cache_time" : 10 } ] } ], "grok_patterns" : [ { "name" : "URIPARAM", "pattern" : "\\?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\\-\\[\\]<>]*" }, { "name" : "BASE16NUM", "pattern" : "(?\\d\\d){1,2}" }, { "name" : "HTTPDERROR_DATE", "pattern" : "%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}" }, { "name" : "LOGLEVEL", "pattern" : "([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)" }, { "name" : "NUMBER", "pattern" : "(?:%{BASE10NUM})" }, { "name" : "SYSLOGPROG", "pattern" : "%{PROG:program}(?:\\[%{POSINT:pid}\\])?" }, { "name" : "DAY", "pattern" : "(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)" }, { "name" : "SYSLOGBASE", "pattern" : "%{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:" }, { "name" : "HOSTNAME", "pattern" : "\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)" }, { "name" : "MONTH", "pattern" : "\\b(?:Jan(?:uary|uar)?|Feb(?:ruary|ruar)?|M(?:a|รค)?r(?:ch|z)?|Apr(?:il)?|Ma(?:y|i)?|Jun(?:e|i)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|O(?:c|k)?t(?:ober)?|Nov(?:ember)?|De(?:c|z)(?:ember)?)\\b" }, { "name" : "URI", "pattern" : "%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?" }, { "name" : "SPACE", "pattern" : "\\s*" }, { "name" : "URIPATHPARAM", "pattern" : "%{URIPATH}(?:%{URIPARAM})?" }, { "name" : "HTTPD_ERRORLOG", "pattern" : "%{HTTPD20_ERRORLOG}|%{HTTPD24_ERRORLOG}" }, { "name" : "USERNAME", "pattern" : "[a-zA-Z0-9._-]+" }, { "name" : "HTTPDATE", "pattern" : "%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}" }, { "name" : "DATESTAMP_RFC822", "pattern" : "%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}" }, { "name" : "IPORHOST", "pattern" : "(?:%{IP}|%{HOSTNAME})" }, { "name" : "HOSTPORT", "pattern" : "%{IPORHOST}:%{POSINT}" }, { "name" : "IP", "pattern" : "(?:%{IPV6}|%{IPV4})" }, { "name" : "DATESTAMP_OTHER", "pattern" : "%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}" }, { "name" : "DATE", "pattern" : "%{DATE_US}|%{DATE_EU}" }, { "name" : "HTTPD24_ERRORLOG", "pattern" : "\\[%{HTTPDERROR_DATE:timestamp}\\] \\[%{WORD:module}:%{LOGLEVEL:loglevel}\\] \\[pid %{POSINT:pid}:tid %{NUMBER:tid}\\]( \\(%{POSINT:proxy_errorcode}\\)%{DATA:proxy_errormessage}:)?( \\[client %{IPORHOST:client}:%{POSINT:clientport}\\])? %{DATA:errorcode}: %{GREEDYDATA:message}" }, { "name" : "WORD", "pattern" : "\\b\\w+\\b" }, { "name" : "URIPROTO", "pattern" : "[A-Za-z]+(\\+[A-Za-z+]+)?" }, { "name" : "COMMONAPACHELOG", "pattern" : "%{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \\[%{HTTPDATE:timestamp}\\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-)" }, { "name" : "TTY", "pattern" : "(?:/dev/(pts|tty([pq])?)(\\w+)?/?(?:[0-9]+))" }, { "name" : "PATH", "pattern" : "(?:%{UNIXPATH}|%{WINPATH})" }, { "name" : "POSINT", "pattern" : "\\b(?:[1-9][0-9]*)\\b" }, { "name" : "WINPATH", "pattern" : "(?>[A-Za-z]+:|\\\\)(?:\\\\[^\\\\?*]*)+" }, { "name" : "HTTPD20_ERRORLOG", "pattern" : "\\[%{HTTPDERROR_DATE:timestamp}\\] \\[%{LOGLEVEL:loglevel}\\] (?:\\[client %{IPORHOST:clientip}\\] ){0,1}%{GREEDYDATA:errormsg}" }, { "name" : "MAC", "pattern" : "(?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})" }, { "name" : "NOTSPACE", "pattern" : "\\S+" }, { "name" : "SYSLOGFACILITY", "pattern" : "<%{NONNEGINT:facility}.%{NONNEGINT:priority}>" }, { "name" : "BASE16FLOAT", "pattern" : "\\b(?(?\"(?>\\\\.|[^\\\\\"]+)+\"|\"\"|(?>'(?>\\\\.|[^\\\\']+)+')|''|(?>`(?>\\\\.|[^\\\\`]+)+`)|``))" }, { "name" : "COMMONMAC", "pattern" : "(?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})" }, { "name" : "MINUTE", "pattern" : "(?:[0-5][0-9])" }, { "name" : "CISCOMAC", "pattern" : "(?:(?:[A-Fa-f0-9]{4}\\.){2}[A-Fa-f0-9]{4})" }, { "name" : "IPV4", "pattern" : "(?[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+)))" }, { "name" : "NONNEGINT", "pattern" : "\\b(?:[0-9]+)\\b" } ] }