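# Documented column layout and the sample event this grok pattern was written
# against (both kept verbatim from the page):
#
#   FW FW-FW-Security-Event FW-FW-Security-Log TIME GATEWAYIP DENY TIMESTAMP_FW APPLIANCENAME TYPE IDS_EVENT SIGNATURE PRIORITY TIMESTAMP_EPOCH HOST_MAC_SRC DIRECTION PROTOCOL HOST_IP_SRC PORT_SRC HOST_IP_DST PORT_DST MESSAGE
#
#   FW-FW-Security-Event true 1 2017-05-19T10:16:24.721156+02:00 192.168.10.1 - - - 1495181784.703443386 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495181783.871463 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:50165 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query
#
# Changes from the original fragment:
#   - the pattern was placed directly inside grok {}; Logstash needs it under
#     match => { "<field>" => "<pattern>" }.
#   - the three "-" placeholders all captured into dash1 (grok turns repeated
#     names into an array); they are now dash1/dash2/dash3.
#   - %{DATA:timestamp} captured the literal "timestamp=..." key as well as the
#     value; the key is now matched literally and only the number is kept.
#   - ports use NUMBER instead of DATA so a non-numeric token fails the match
#     rather than being silently accepted.
#   - a space before %{NUMBER:deny_action1} stops identifier from ending in a
#     trailing blank (it still holds two tokens, "FW-FW-Security-Event true",
#     because the header and the sample disagree on what the second token is).
#   - the pattern is anchored with ^ and $ so a partial match of an unrelated
#     line cannot populate these fields.
#
# Note for downstream use: syslog_message (the IDS text, including the queried
# domain) and signature/protocol are copied from the device output as-is and are
# influenced by the traffic that triggered the alert; treat them as untrusted
# data in dashboards, queries and enrichment, not as sanitized values.
filter {
  grok {
    match => {
      "message" => "^%{DATA:identifier} %{NUMBER:deny_action1} %{TIMESTAMP_ISO8601:datum} %{IP:gatewayip} %{DATA:dash1} %{DATA:dash2} %{DATA:dash3} %{NUMBER:timestamp_fw} %{WORD:appliancename} %{WORD:type} %{WORD:IDS_Event} signature=%{DATA:signature} priority=%{NUMBER:priority} timestamp=%{NUMBER:timestamp} shost=%{DATA:host_mac_src} direction=%{DATA:direction} protocol=%{DATA:protocol} src=%{IP:host_ip_src}:%{NUMBER:port_src} dst=%{IP:host_ip_dst}:%{NUMBER:port_dst} message:%{GREEDYDATA:syslog_message}$"
    }
    # A distinct failure tag makes unparsed firewall events easy to find instead
    # of letting them pass through with only the raw message field set.
    tag_on_failure => ["_grokparsefailure_fw_security_event"]
  }
}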