02-filter-nftables.conf

filter{
  mutate {
    #IN or OUT Interface could be empty so set it to NULL so filter won't fail
    gsub => [
      "message", "= ", "=NULL "
    ]
  }
  grok {
    match => {
      # log line starts with "Date Host log_facilty nftables_log_prefix (see README) nftables_log
      "message" => "^%{SYSLOGTIMESTAMP:[@metadata][timestamp]} %{WORD} %{WORD}\: nft.%{WORD:[ACTION]} %{IPTABLES}"
    }
    # Overwrite Pattern as iptables filter will fail with nftables log
    # todo create pull request in logstash grok pattern repo
    pattern_definitions => {
      "IPTABLES" => "IN=(?:%{NOTSPACE:[observer][ingress][interface][name]})?\s+OUT=(?:%{NOTSPACE:[observer][egress][interface][name]})?\s+((?:MAC=(?:%{COMMONMAC:[destination][mac]})?(?::%{COMMONMAC:[source][mac]})?(?::[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2})|MACSRC=%{COMMONMAC:[source][mac]} MACDST=%{COMMONMAC:[destination][mac]} MACPROTO=%{WORD:macproto})?\s+)?(:?%{IPTABLES4_PART}|%{IPTABLES6_PART}).*?PROTO=(?:%{WORD:[network][transport]})?\s+(SPT=(?:%{INT:[source][port]:int})?\s+DPT=(?:%{INT:[destination][port]:int})?\s+(?:%{IPTABLES_TCP_PART})?|TYPE=%{INT:[icmp][type]}\s+CODE=%{NUMBER:[icmp][code]}(\s+ID=%{INT:[icmp][id]}\s+SEQ=%{INT:[icmp][sequence]}|))"
      "IPTABLES6_PART" => "SRC=%{IPV6:[source][ip]}\s+DST=%{IPV6:[destination][ip]}\s+LEN=(?:%{INT:[iptables][length]:int})?\s+TC=%{BASE16NUM:[iptables][tos]}?\s+HOPLIMIT=(?:%{INT:[iptables][ttl]:int})?\s+FLOWLBL=(?:%{INT:[iptables][flow_label]})?"
      "IPTABLES4_PART" => "SRC=%{IPV4:[source][ip]}\s+DST=%{IPV4:[destination][ip]}\s+LEN=(?:%{INT:[iptables][length]:int})?\s+TOS=(?:0|0x%{BASE16NUM:[iptables][tos]})?\s+PREC=(?:0x%{BASE16NUM:[iptables][precedence_bits]})?\s+TTL=(?:%{INT:[iptables][ttl]:int})?\s+ID=(?:%{INT:[iptables][id]})?\s+(?:%{IPTABLES4_FRAG:[iptables][fragment_flags]})?"
    }
  }
  date {
    match => [ "[@metadata][timestamp]", "MMM dd HH:mm:ss" ]
  }
}