Solved: SNORT[#####] grok'd
I figured it out.
Here is the match pattern:

    if "snort" in [prog] { mutate { add_tag => [ "snort" ] } }

Here is the grok pattern if anyone is interested.

    grok {
      # The square brackets and braces that appear literally in a Snort alert
      # ("[gid:sid:rev]", "[Classification: ...]", "[Priority: n]", "{TCP}")
      # must be escaped, otherwise grok reads them as regex character classes
      # and quantifiers. The second pattern is the fallback for alerts that
      # carry no classification/priority block (e.g. preprocessor events).
      match => [
        "message", "\[%{INT:ids_gid}:%{INT:ids_sid}:%{INT:ids_rev}\]%{DATA:preprocessor}%{GREEDYDATA:ids_alert}.\[Classification\: %{DATA:ids_classification}\].*\[Priority\: %{INT:ids_priority}\].*\{%{WORD:ids_proto}\}.*%{IP:src_ip}:%{INT:src_port} \-\>.*%{IP:dst_ip}:%{INT:dst_port}",
        "message", "\[%{INT:ids_gid}:%{INT:ids_sid}:%{INT:ids_rev}\].%{GREEDYDATA:message2}"
      ]
    }
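The grok match above, expanded by hand into the Oniguruma-style regex that Logstash compiles and run over two constructed Snort syslog lines (one full alert, one preprocessor event that falls through to the second pattern). This is an added example for checking the field extraction offline, not code from the original post; the pattern bodies for INT, WORD, DATA, GREEDYDATA and IP are the stock grok definitions, and the field names follow the post.

```ruby
# Stock grok pattern bodies (IP reduced to its IPv4 branch for brevity).
INT    = '(?:[+-]?(?:[0-9]+))'
WORD   = '\b\w+\b'
DATA   = '.*?'
GREEDY = '.*'
OCTET  = '(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])'
IPV4   = "(?<![0-9])(?:#{OCTET}[.]#{OCTET}[.]#{OCTET}[.]#{OCTET})(?![0-9])"

# First match pattern from the post: full alert with classification/priority.
SNORT_ALERT = Regexp.new(
  '\[(?<ids_gid>' + INT + '):(?<ids_sid>' + INT + '):(?<ids_rev>' + INT + ')\]' +
  '(?<preprocessor>' + DATA + ')(?<ids_alert>' + GREEDY + ')' +
  '.\[Classification\: (?<ids_classification>' + DATA + ')\]' +
  '.*\[Priority\: (?<ids_priority>' + INT + ')\]' +
  '.*\{(?<ids_proto>' + WORD + ')\}' +
  '.*(?<src_ip>' + IPV4 + '):(?<src_port>' + INT + ') ->' +
  '.*(?<dst_ip>' + IPV4 + '):(?<dst_port>' + INT + ')'
)

# Second (fallback) pattern: keep the rule id, dump the rest into message2.
SNORT_FALLBACK = Regexp.new(
  '\[(?<ids_gid>' + INT + '):(?<ids_sid>' + INT + '):(?<ids_rev>' + INT + ')\]' +
  '.(?<message2>' + GREEDY + ')'
)

# Returns a Hash of field name => value (whitespace trimmed), or nil when
# neither pattern matches, mirroring grok's first-match-wins behaviour.
def parse_snort_alert(line)
  m = SNORT_ALERT.match(line) || SNORT_FALLBACK.match(line)
  return nil unless m
  m.names.each_with_object({}) { |n, h| h[n] = m[n].to_s.strip }
end

# Constructed sample lines (not captured from a real sensor).
FULL_ALERT = 'Jan 10 12:00:01 sensor snort[4242]: [1:2003068:6] ET SCAN Potential SSH Scan ' \
             '[Classification: Attempted Information Leak] [Priority: 2] {TCP} ' \
             '192.168.1.50:55432 -> 10.0.0.5:22'
PREPROC_ALERT = 'Jan 10 12:00:02 sensor snort[4242]: [119:31:1] (http_inspect) UNKNOWN METHOD ' \
                '{TCP} 192.168.1.50:44321 -> 10.0.0.5:80'

if __FILE__ == $0
  p parse_snort_alert(FULL_ALERT)
  p parse_snort_alert(PREPROC_ALERT)
end
```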