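# Grok patterns for ufw firewall lines (netfilter LOG target output) as they
# appear in syslog. IPTABLES is the entry point; every other pattern is a
# building block it expands. Captured fields live under [ufw], plus the
# top-level "program" and "kerneltime" from the syslog prefix. Pattern names
# and field names are the public interface of this file and are unchanged;
# the *_ITEM patterns below are additions.

UNSIGNED_INT [0-9]+

# Interface and link-layer part of the line. The kernel prints both IN= and
# OUT=, but only one of them carries a name (IN= on inbound lines, OUT= on
# outbound ones), so both device captures are optional. MAC= is not printed
# for locally generated (outbound) packets, so it is optional as well; its
# value stays uncaptured as before.
IPTABLES_ETHERNET IN=%{WORD:[ufw][in_device]}? OUT=%{WORD:[ufw][out_device]}?(?: MAC=(?:[^\s]+))?
IPTABLES_PORT_PAIR SPT=%{UNSIGNED_INT:[ufw][source][port]} DPT=%{UNSIGNED_INT:[ufw][destination][port]}

# One TCP flag token, in the order the kernel emits them.
IPTABLES_TCP_FLAG_ITEM (?:CWR|ECE|URG|ACK|PSH|RST|SYN|FIN)
# Zero or more space-separated flags captured as one string ("ACK SYN",
# "ACK PSH FIN", ...). The earlier form ((?<= )(FLAG))* stopped after the
# first flag: once a flag had been consumed the lookbehind no longer saw a
# space, so a SYN/ACK was recorded as a plain "ACK" — a silent data error for
# any detection keyed on the SYN bit. Surrounding spaces are not captured.
IPTABLES_TCP_FLAGS (?:%{IPTABLES_TCP_FLAG_ITEM}(?: %{IPTABLES_TCP_FLAG_ITEM})*)?
IPTABLES_TCP_SEQ SEQ=%{UNSIGNED_INT:[ufw][seq_seq]} ACK=%{UNSIGNED_INT:[ufw][seq_ack]}
# SEQ=/ACK= are only logged when sequence logging is enabled on the LOG rule,
# hence optional. The URGP=... that follows the flags is not matched by this
# pattern; grok does not require the whole line to match, so it is ignored.
IPTABLES_TCP_DETAILS (?:%{IPTABLES_TCP_SEQ} )?WINDOW=%{UNSIGNED_INT:[ufw][window]} RES=0x%{BASE16NUM:[ufw][res]} %{IPTABLES_TCP_FLAGS:[ufw][tcp_flags]}
IPTABLES_INCOMPLETE_PACKET INCOMPLETE \[%{UNSIGNED_INT:[ufw][incomplete]} bytes\]
IPTABLES_UDP_DETAILS LEN=%{UNSIGNED_INT:[ufw][udp_len]}

# ICMP: TYPE= and CODE= are always present. What follows depends on the
# message type (echo id/seq, parameter-problem pointer, redirect gateway) or
# is the INCOMPLETE marker when the payload was truncated. IPTABLES_ICMP_EXTRA
# may match nothing at all.
IPTABLES_ICMP_EXTRA_ECHO ID=%{UNSIGNED_INT:[ufw][icmp_id]} SEQ=%{UNSIGNED_INT:[ufw][icmp_seq]}
IPTABLES_ICMP_EXTRA_PARAM PARAMETER=%{UNSIGNED_INT:[ufw][icmp_parameter]}
IPTABLES_ICMP_EXTRA_REDIRECT GATEWAY=%{IP:[ufw][icmp_redirect]}
IPTABLES_ICMP_EXTRA ( (?:%{IPTABLES_ICMP_EXTRA_ECHO}|%{IPTABLES_ICMP_EXTRA_PARAM}|%{IPTABLES_ICMP_EXTRA_REDIRECT}))*
IPTABLES_ICMP_DETAILS TYPE=%{UNSIGNED_INT:[ufw][icmp_type]} CODE=%{UNSIGNED_INT:[ufw][icmp_code]}(( %{IPTABLES_INCOMPLETE_PACKET})|%{IPTABLES_ICMP_EXTRA})

# Protocol as printed by the kernel: a name (TCP, UDP, ICMP, ...) for the
# protocols it knows by name, otherwise the numeric IP protocol number. WORD
# covers both; the URIPROTO used before could not match the numeric form, so
# those lines matched with an empty [ufw][protokoll]. The field name is kept
# as-is for compatibility with existing consumers.
IPTABLES_PROTOCOL PROTO=(%{WORD:[ufw][protokoll]})?
IPTABLES_IP_PAYLOAD %{IPTABLES_PROTOCOL}( %{IPTABLES_PORT_PAIR})?( (%{IPTABLES_TCP_DETAILS}|%{IPTABLES_UDP_DETAILS}|%{IPTABLES_ICMP_DETAILS}|%{IPTABLES_INCOMPLETE_PACKET}))?

# IPv4 header flags; same fix as for the TCP flags. With the old lookbehind
# form a line carrying "DF MF" did not match at all, because the second flag
# was left in front of the mandatory PROTO= and nothing could consume it.
IPTABLES_IP_FRAGFLAG_ITEM (?:CE|DF|MF)
IPTABLES_IP_FRAGFLAG (?:%{IPTABLES_IP_FRAGFLAG_ITEM}(?: %{IPTABLES_IP_FRAGFLAG_ITEM})*)?
# IPv4 only: TOS=, PREC=, TTL= and ID= are IPv4 header fields, so IPv6 lines
# (which carry different header fields) do not match and end up as
# _grokparsefailure. The optional FRAG: offset follows the flags.
IPTABLES_IP_START SRC=%{IP:[ufw][source][ip]} DST=%{IP:[ufw][destination][ip]} LEN=%{UNSIGNED_INT:[ufw][length]} TOS=0x%{BASE16NUM:[ufw][tos]} PREC=0x%{BASE16NUM:[ufw][prec]} TTL=%{UNSIGNED_INT:[ufw][ttl]} ID=%{UNSIGNED_INT:[ufw][id]}(?: %{IPTABLES_IP_FRAGFLAG:[ufw][fragment_flags]})?(?: FRAG: %{UNSIGNED_INT:[ufw][fragment]})?
IPTABLES_IP %{IPTABLES_IP_START} %{IPTABLES_IP_PAYLOAD}

# Syslog prefix. The bracketed kernel uptime after "program:" is mandatory
# here; lines logged without printk timestamps will not match. The ufw action
# tag ("[UFW BLOCK]" and similar) is captured as [ufw][status]. The syslog
# host and the optional [pid] are matched but not captured.
UFW_PREFIX %{SYSLOGTIMESTAMP:[ufw][timestamp]} %{SYSLOGHOST} %{DATA:program}(?:\[%{POSINT}\])?: \[%{DATA:kerneltime}\] \[%{DATA:[ufw][status]}\]
IPTABLES %{UFW_PREFIX} %{IPTABLES_ETHERNET} %{IPTABLES_IP}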