Cisco FirePOWER GROK Extractors for Graylog

Published

04 Nov 14:57

Last Push

06 Oct 11:37

Marketplace Rating

Discussion

4 Comments

Readme from Github

graylog-extractors

UPDATED 10/6/2017: Added more lines to include various formats for web traffic detection. Seems to catch all HTTP/HTTPS now.

My first attempt at making an extractor for Graylog.

Tested and (mostly) working, probably horribly inefficient, but working well in our small, 1-firewall environment on FirePOWER version 6.1.0-330, and from what I gather, different versions can be problematic since the extractors that were already posted up on GitHub weren't working for me and were built on a slightly older 6.x version.

Open to comments, criticism, etc. I'm a network admin, not a developer.

For those new to Graylog and working with Grok/extractors, just download the .JSON file and import it into Graylog using a "Raw/Plaintext UDP" Input for FirePOWER. Point your FirePOWER syslogs to your Graylog server IP:port.

Your Rating

Please sign in to rate this add-on.

Comments

jezzadb almost 2 years ago

Hi, I managed to create some extractors to get out what I was after. Again, they may be inefficient but I am happy to upload these for people if they would like them.

jezzadb almost 2 years ago

Hi, Love your work I have a couple of quick questions. I am trying to have these working with version 2.3 however it does not seem to be working. I am mainly looking at extracting Malware source ip, destination ip and malware threat name, however the parameters seem to not work. any tips on how this can be done or do you have other extractors for this. Regards

mrjohnson1024 almost 2 years ago

UPDATED: Added more lines to catch all HTTP/HTTPS traffic from syslog. Seems to be getting 100% of web traffic now, or close to it.