LogForwarder filtering


When forwarding audit logs over TCP or Kinesis, you can attach a filter to each destination so that only specific log records are forwarded. Multiple destinations (for example, two TCP clients) can be configured, each with its own filter. For a given destination, only records for which the filter expression evaluates to true are forwarded; every other record is dropped for that destination. Because a mistyped field name or an expression that never evaluates to true silently discards audit records rather than raising an error, test each expression against a sample record (such as the one below) and confirm that expected records arrive at the destination before relying on the filter. A filter is a single Boolean JMESPath expression entered into the Filter field; the syntax is defined at https://jmespath.org/tutorial.html

Example log record (ip_access)

{
 "version": 2,
 "timestamp": "2021-05-26T12:52:45.234Z",
 "hostname": "ec2-3-84-47-238.compute-1.amazonaws.com",
 "daemon": "cz-vpnd",
 "log": {
         "action": "allow",
         "action_id": "allToall#d946ec12-035e-34f5-a78e-36af4d373339",
         "client_ip": "84.216.154.236",
         "client_port": 43854,
         "collective_id": "408bda4e-36c7-4041-b821-82b18534ad9b",
         "connection_type": "new",
         "destination_ip": "10.0.23.209",
         "destination_port": 22,
         "direction": "up",
         "distinguished_name": "CN=55c2bc7427c14e458895661909dc3f16,CN=test,OU=local",
         "distinguished_name_device_id": "55c2bc7427c14e458895661909dc3f16",
         "distinguished_name_ou": "local",
         "distinguished_name_user": "admin",
         "entitlement_token_id": "dc93a41f-3314-4c74-9a92-beec8d1574a9",
         "event_type": "ip_access",
         "geoip": {
                 "city_name": "Nygard",
                 "continent_code": "EU",
                 "cordinates": [13.4667, 57.55],
                 "country_code2": "SE",
                 "country_code3": "SE",
                 "country_name": "Sweden",
                 "ip": "84.216.154.236",
                 "latitude": 57.55,
                 "location": {
                         "lat": 57.55,
                         "lon": 13.4667
                 },
                 "longitude": 13.4667,
                 "postal_code": "514 54",
                 "region_code": "O",
                 "region_name": "Västra Götaland",
                 "time_zone": "Europe/Stockholm"
         },
         "id": "ecf2cdb5-0878-4b33-805b-0f1a1ae1b390",
         "packet_size": 60,
         "protocol": "TCP",
         "rule_name": "allToall-0",
         "source_ip": "192.168.100.1",
         "source_port": 50510,
         "timestamp": "2021-05-26T12:52:45.234Z",
         "version": 15
 }
}

Example filter expressions (field names refer to the record above; string literals use single quotes, numeric literals use backticks)

  • to forward only ip_access records: log.event_type=='ip_access'

  • to forward everything except ip_access records: log.event_type!='ip_access' (note: in JMESPath a missing field evaluates to null, so records that have no log.event_type field at all are expected to match this expression as well — verify against your record types)

  • to forward only records about access to the IP address 10.0.23.209: log.destination_ip=='10.0.23.209'

  • to forward only records about access to IP address 10.0.23.209 on port 22: log.destination_ip=='10.0.23.209' && log.destination_port==`22` (destination_port is a number in the record, so the literal must be written in backticks; comparing it to the string '22' would never match and the records would be dropped)