2017/05/19 10:40:02 DEBUG Executing query url=http://localhost:9200/logstash-*/_search?pretty=true|filter={"filter":{"range":{"@timestamp":{"gte":"1495182842407","lte":"1495183172427"}}},"sort":{"@timestamp":{"order":"asc"}}} 2017/05/19 10:40:02 DEBUG Response Body={ "took" : 5, "timed_out" : false, "_shards" : { "total" : 10, "successful" : 10, "failed" : 0 }, "hits" : { "total" : 5, "max_score" : null, "hits" : [ { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf2NhOMQ39a7VnTdDZ", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:35:23.156234+02:00 192.168.10.1 - - - 1495182923.125604193 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495182922.563063 shost=B8:27:EB:55:15:4C direction=egress protocol=udp/ip src=192.168.1.204:19037 dst=208.67.222.222:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:35:23.713Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495182923713 ] }, { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf2NhOMQ39a7VnTdDY", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:35:23.156077+02:00 192.168.10.1 - - - 1495182923.125035189 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495182922.561083 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:62224 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:35:23.713Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495182923713 ] }, { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf2NhOMQ39a7VnTdDa", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:35:23.156351+02:00 192.168.10.1 - - - 1495182923.126083923 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495182922.571636 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:62225 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:35:23.713Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495182923713 ] }, { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf2tA7q5BhZ5loWmNM", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:37:32.616966+02:00 192.168.10.1 - - - 1495183052.594069613 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495183052.364541 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:63707 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:37:32.754Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495183052754 ] }, { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf2tA7q5BhZ5loWmNN", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:37:32.617664+02:00 192.168.10.1 - - - 1495183052.595062068 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495183052.370552 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:63708 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:37:32.754Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495183052754 ] } ] } } 2017/05/19 10:40:02 DEBUG Read record count = 5 2017/05/19 10:40:02 DEBUG Executing query url=http://localhost:9200/logstash-*/_search?pretty=true&from=0&size=1000|filter={"filter":{"range":{"@timestamp":{"gte":"1495182842407","lte":"1495183172427"}}},"sort":{"@timestamp":{"order":"asc"}}} 2017/05/19 10:40:02 DEBUG Response Body={ "took" : 9, "timed_out" : false, "_shards" : { "total" : 10, "successful" : 10, "failed" : 0 }, "hits" : { "total" : 5, "max_score" : null, "hits" : [ { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf2NhOMQ39a7VnTdDZ", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:35:23.156234+02:00 192.168.10.1 - - - 1495182923.125604193 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495182922.563063 shost=B8:27:EB:55:15:4C direction=egress protocol=udp/ip src=192.168.1.204:19037 dst=208.67.222.222:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:35:23.713Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495182923713 ] }, { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf2NhOMQ39a7VnTdDY", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:35:23.156077+02:00 192.168.10.1 - - - 1495182923.125035189 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495182922.561083 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:62224 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:35:23.713Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495182923713 ] }, { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf2NhOMQ39a7VnTdDa", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:35:23.156351+02:00 192.168.10.1 - - - 1495182923.126083923 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495182922.571636 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:62225 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:35:23.713Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495182923713 ] }, { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf2tA7q5BhZ5loWmNM", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:37:32.616966+02:00 192.168.10.1 - - - 1495183052.594069613 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495183052.364541 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:63707 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:37:32.754Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495183052754 ] }, { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf2tA7q5BhZ5loWmNN", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:37:32.617664+02:00 192.168.10.1 - - - 1495183052.595062068 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495183052.370552 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:63708 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:37:32.754Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495183052754 ] } ] } } 2017/05/19 10:40:02 DEBUG IGSEvent request count = 0 2017/05/19 10:40:32 DEBUG Executing query url=http://localhost:9200/logstash-*/_search?pretty=true|filter={"filter":{"range":{"@timestamp":{"gte":"1495182872427","lte":"1495183202449"}}},"sort":{"@timestamp":{"order":"asc"}}} 2017/05/19 10:40:32 DEBUG Response Body={ "took" : 10, "timed_out" : false, "_shards" : { "total" : 10, "successful" : 10, "failed" : 0 }, "hits" : { "total" : 8, "max_score" : null, "hits" : [ { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf2NhOMQ39a7VnTdDZ", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:35:23.156234+02:00 192.168.10.1 - - - 1495182923.125604193 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495182922.563063 shost=B8:27:EB:55:15:4C direction=egress protocol=udp/ip src=192.168.1.204:19037 dst=208.67.222.222:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:35:23.713Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495182923713 ] }, { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf2NhOMQ39a7VnTdDY", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:35:23.156077+02:00 192.168.10.1 - - - 1495182923.125035189 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495182922.561083 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:62224 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:35:23.713Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495182923713 ] }, { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf2NhOMQ39a7VnTdDa", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:35:23.156351+02:00 192.168.10.1 - - - 1495182923.126083923 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495182922.571636 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:62225 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:35:23.713Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495182923713 ] }, { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf2tA7q5BhZ5loWmNM", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:37:32.616966+02:00 192.168.10.1 - - - 1495183052.594069613 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495183052.364541 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:63707 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:37:32.754Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495183052754 ] }, { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf2tA7q5BhZ5loWmNN", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:37:32.617664+02:00 192.168.10.1 - - - 1495183052.595062068 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495183052.370552 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:63708 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:37:32.754Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495183052754 ] }, { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf3NvLq5BhZ5loWmNP", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:39:46.080161+02:00 192.168.10.1 - - - 1495183186.057106020 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495183185.988649 shost=B8:27:EB:55:15:4C direction=egress protocol=udp/ip src=192.168.1.204:22631 dst=208.67.220.220:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:39:46.792Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495183186792 ] }, { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf3NvLq5BhZ5loWmNO", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:39:46.079952+02:00 192.168.10.1 - - - 1495183186.056502843 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495183185.986841 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:64598 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:39:46.792Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495183186792 ] }, { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf3NvLq5BhZ5loWmNQ", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:39:46.080670+02:00 192.168.10.1 - - - 1495183186.057645803 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495183185.998705 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:64599 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:39:46.793Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495183186793 ] } ] } } 2017/05/19 10:40:32 DEBUG Read record count = 8 2017/05/19 10:40:32 DEBUG Executing query url=http://localhost:9200/logstash-*/_search?pretty=true&from=0&size=1000|filter={"filter":{"range":{"@timestamp":{"gte":"1495182872427","lte":"1495183202449"}}},"sort":{"@timestamp":{"order":"asc"}}} 2017/05/19 10:40:32 DEBUG Response Body={ "took" : 5, "timed_out" : false, "_shards" : { "total" : 10, "successful" : 10, "failed" : 0 }, "hits" : { "total" : 8, "max_score" : null, "hits" : [ { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf2NhOMQ39a7VnTdDZ", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:35:23.156234+02:00 192.168.10.1 - - - 1495182923.125604193 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495182922.563063 shost=B8:27:EB:55:15:4C direction=egress protocol=udp/ip src=192.168.1.204:19037 dst=208.67.222.222:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:35:23.713Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495182923713 ] }, { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf2NhOMQ39a7VnTdDY", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:35:23.156077+02:00 192.168.10.1 - - - 1495182923.125035189 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495182922.561083 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:62224 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:35:23.713Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495182923713 ] }, { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf2NhOMQ39a7VnTdDa", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:35:23.156351+02:00 192.168.10.1 - - - 1495182923.126083923 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495182922.571636 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:62225 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:35:23.713Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495182923713 ] }, { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf2tA7q5BhZ5loWmNM", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:37:32.616966+02:00 192.168.10.1 - - - 1495183052.594069613 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495183052.364541 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:63707 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:37:32.754Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495183052754 ] }, { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf2tA7q5BhZ5loWmNN", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:37:32.617664+02:00 192.168.10.1 - - - 1495183052.595062068 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495183052.370552 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:63708 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:37:32.754Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495183052754 ] }, { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf3NvLq5BhZ5loWmNP", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:39:46.080161+02:00 192.168.10.1 - - - 1495183186.057106020 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495183185.988649 shost=B8:27:EB:55:15:4C direction=egress protocol=udp/ip src=192.168.1.204:22631 dst=208.67.220.220:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:39:46.792Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495183186792 ] }, { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf3NvLq5BhZ5loWmNO", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:39:46.079952+02:00 192.168.10.1 - - - 1495183186.056502843 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495183185.986841 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:64598 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:39:46.792Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495183186792 ] }, { "_index" : "logstash-2017.05.19", "_type" : "cppm-ige-syslog", "_id" : "AVwf3NvLq5BhZ5loWmNQ", "_score" : null, "_source" : { "message" : "<134>1 2017-05-19T10:39:46.080670+02:00 192.168.10.1 - - - 1495183186.057645803 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495183185.998705 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:64599 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query", "@version" : "1", "@timestamp" : "2017-05-19T08:39:46.793Z", "path" : "/var/avenda/tips/log/igesyslog/igesyslog.log", "host" : "CPPM02", "type" : "cppm-ige-syslog", "tags" : [ "_grokparsefailure" ] }, "sort" : [ 1495183186793 ] } ] } } 2017/05/19 10:40:32 DEBUG IGSEvent request count = 3 2017/05/19 10:40:32 DEBUG Processing event (RequestId:E-1495183232471-4221551927221227094) 2017/05/19 10:40:32 DEBUG Type of [_grokparsefailure] is []interface {} 2017/05/19 10:40:32 DEBUG IP Address=|MAC Address=|Username= 2017/05/19 10:40:32 DEBUG Processing event (RequestId:E-1495183232471-1352243680759049266) 2017/05/19 10:40:32 DEBUG Type of [_grokparsefailure] is []interface {} 2017/05/19 10:40:32 DEBUG IP Address=|MAC Address=|Username= 2017/05/19 10:40:32 DEBUG Processing event (RequestId:E-1495183232471-8435194245125481129) 2017/05/19 10:40:32 DEBUG Type of [_grokparsefailure] is []interface {} 2017/05/19 10:40:32 DEBUG IP Address=|MAC Address=|Username= 2017/05/19 10:40:32 DEBUG Event (RequestId:E-1495183232471-4221551927221227094) evaluated to service=FW Security 2017/05/19 10:40:32 DEBUG Event (RequestId:E-1495183232471-1352243680759049266) evaluated to service=FW Security 2017/05/19 10:40:32 DEBUG Event (RequestId:E-1495183232471-8435194245125481129) evaluated to service=FW Security