| 123456789101112131415161718192021222324252627282930313233 |
- {
- "extractors": [
- {
- "title": "UniFi AP Events",
- "extractor_type": "grok",
- "converters": [],
- "order": 0,
- "cursor_strategy": "copy",
- "source_field": "message",
- "target_field": "unifi_ap_event",
- "extractor_config": {
- "grok_pattern": "%{DATA:access_point} %{DATA:unifi_device_mac_address}(?:,%{DATA:ap_model})?: %{DATA:stahtd}: %{DATA:stahtd_process}\\[%{INT:stahtd_id}\\]: %{DATA:stahtd_event}: %{GREEDYDATA:json_data}"
- },
- "condition_type": "regex",
- "condition_value": "stahtd"
- },
- {
- "title": "UniFi Firewall Log",
- "extractor_type": "grok",
- "converters": [],
- "order": 1,
- "cursor_strategy": "copy",
- "source_field": "message",
- "target_field": "unifi_fw",
- "extractor_config": {
- "grok_pattern": "%{DATA:device_name} \\[%{DATA:fw_rule_id}\\] DESCR=\\\"\\[%{DATA:fw_rule_group}\\]%{DATA:fw_rule_name}\\\" IN=%{DATA:fw_in_iface} OUT=%{DATA:fw_out_iface} MAC=%{DATA:fw_mac} SRC=%{IP:src_ip} DST=%{IP:dst_ip} LEN=%{INT:ip_len} TOS=%{DATA:tos} PREC=%{DATA:prec} TTL=%{INT:ttl} ID=%{INT:packet_id} DF PROTO=%{WORD:proto}(?: SPT=%{INT:src_port})?(?: DPT=%{INT:dst_port})?(?: SEQ=%{INT:seq})?(?: ACK=%{INT:ack})?(?: WINDOW=%{INT:window})?(?: SYN)?(?: URGP=%{INT:urgp})?(?: UID=%{INT:uid})?(?: GID=%{INT:gid})?(?: LEN=%{INT:payload_len})? MARK=%{DATA:fw_mark}"
- },
- "condition_type": "regex",
- "condition_value": "\\[.*\\] DESCR="
- }
- ],
- "version": "6.2.2"
- }
|
