I have a lot of Drools rules for field extraction on a heavily loaded GL2
server. I now spread it over 3 GL2 servers, which spreads the load more evenly
and may be nicer on our VMware hypervisor.
I'm thinking it might be worth redoing the Drools rules as extractors,
but I would have to write an awful lot of them: where I get 3-12 fields from
one regex match in Drools, I would need to create 3-12 extractors.
I could skip the ones I rarely use, but it would still create a lot of rules.
Are extractors better for performance? They are easier to test and to create,
and it is even possible to measure their performance impact.
Right now I'm using 6 CPUs (VMware virtual) for my GL2 servers; is there a
chance this will be feasible? (Before I go and redo all the rules.)
Here are my Drools rules for Cisco ASA and ACE logs; I guess some of them
cannot be translated into extractors, but I can try:
P.S. I run them through an rsyslog instance first, which reformats them to
the GRAYLOG2RFC5424 format.
import org.graylog2.plugin.Message
import java.util.regex.Matcher
import java.util.regex.Pattern
import java.text.DateFormat
import java.text.ParseException
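rule "ASA logs rewrite"
    // Tags local4 messages that carry a Cisco ASA syslog id: sets "program" and
    // "ciscotag", and replaces "message" with the text after "%ASA-x-nnnnnn: ".
    // The LHS uses "(?s).*" instead of "(.|\n|\r)*": both accept any text including
    // newlines, but an alternation group under "*" is matched recursively by
    // java.util.regex and can throw StackOverflowError on a very long syslog line,
    // which arrives here as untrusted input.
    when
        m : Message ( getField("facility") == "local4" && message matches "(?s).*%ASA-.*" )
    then
        // Pattern.compile runs on every firing; DRL has no static fields, so caching
        // the compiled Pattern would need a helper outside this rule file.
        Matcher matcher = Pattern.compile("%(?<mesgid>ASA-\\d-\\d+): (?<mesg>.+)").matcher(m.getMessage());
        if (matcher.find()) {
            m.addField("program", "Cisco ASA");
            m.addField("ciscotag", matcher.group('mesgid'));
            m.addField("message", matcher.group('mesg'));
        }
end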
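rule "ASA access-list permit fields"
    // %ASA-4-106100 (access-list hit): extracts rule, action, protocol and the
    // source/destination interface, address and port into separate fields.
    // LHS uses "(?s).*" instead of "(.|\n|\r)*": same match, but no recursive
    // alternation loop that can overflow the stack on a very long syslog line.
    when
        m : Message ( message matches "(?s).*ASA-4-106100.*" )
    then
        // Compiled on every firing; DRL has no static fields to cache the Pattern in.
        Matcher matcher = Pattern.compile("access-list (?<rule>[\\w\\d.-]+) (?<permdeny>\\w+) (?<proto>\\w+) (?<srcif>[\\w-]+)/(?<src>[0-9a-fA-F.:]+)\\((?<srcport>\\d+)\\) -> (?<dstif>[\\w-]+)/(?<dst>[0-9a-fA-F.:]+)\\((?<dstport>\\d+)\\)").matcher(m.getMessage());
        if (matcher.find()) {
            m.addField("rule", matcher.group('rule'));
            m.addField("action", matcher.group('permdeny'));
            m.addField("protocol", matcher.group('proto'));
            m.addField("src_if", matcher.group('srcif'));
            m.addField("src_ip", matcher.group('src'));
            // Ports are stored as Long rather than String; \d+ guarantees parseable digits.
            m.addField("src_port", Long.valueOf(matcher.group('srcport')));
            m.addField("dst_if", matcher.group('dstif'));
            m.addField("dst_ip", matcher.group('dst'));
            m.addField("dst_port", Long.valueOf(matcher.group('dstport')));
        }
end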
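rule "ASA access-list deny tcp udp fields"
    // %ASA-4-106023 for tcp/udp: extracts the denying access-group as "rule",
    // protocol and the source/destination interface, address and port.
    // LHS uses "(?s).*" instead of "(.|\n|\r)*": same match, but no recursive
    // alternation loop that can overflow the stack on a very long syslog line.
    when
        m : Message ( message matches "(?s).*%ASA-4-106023: Deny (tcp|udp).*" )
    then
        // Compiled on every firing; DRL has no static fields to cache the Pattern in.
        Matcher matcher = Pattern.compile("Deny (?<proto>\\w+) src (?<srcif>[\\w-]+):(?<src>[0-9a-fA-F.:]+)/(?<srcport>\\d+) dst (?<dstif>[\\w-]+):(?<dst>[0-9a-fA-F.:]+)/(?<dstport>\\d+) by access-group \"(?<rule>.+)\" ").matcher(m.getMessage());
        if (matcher.find()) {
            m.addField("rule", matcher.group('rule'));
            // The LHS already fixes the verb, so the action is a constant here.
            m.addField("action", "Deny");
            m.addField("protocol", matcher.group('proto'));
            m.addField("src_if", matcher.group('srcif'));
            m.addField("src_ip", matcher.group('src'));
            m.addField("src_port", Long.valueOf(matcher.group('srcport')));
            m.addField("dst_if", matcher.group('dstif'));
            m.addField("dst_ip", matcher.group('dst'));
            m.addField("dst_port", Long.valueOf(matcher.group('dstport')));
        }
end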
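rule "ASA access-list deny icmp fields type3"
    // %ASA-4-106023 for icmp: extracts the denying access-group as "rule", action,
    // protocol, source/destination interface and address, and the ICMP type/code.
    // The type/code groups were captured but never stored; they are now emitted
    // as "type"/"code" like the other ICMP rules in this file.
    // LHS uses "(?s).*" instead of "(.|\n|\r)*": same match, but no recursive
    // alternation loop that can overflow the stack on a very long syslog line.
    when
        m : Message ( message matches "(?s).*%ASA-4-106023: Deny icmp.*" )
    then
        // Compiled on every firing; DRL has no static fields to cache the Pattern in.
        Matcher matcher = Pattern.compile("(?<permdeny>\\w+) (?<proto>\\w+) src (?<srcif>[\\w-]+):(?<src>[0-9a-fA-F.:]+) dst (?<dstif>[\\w-]+):(?<dst>[0-9a-fA-F.:]+) \\(type (?<type>\\d+), code (?<code>\\d+)\\) by access-group \"(?<rule>.+)\" ").matcher(m.getMessage());
        if (matcher.find()) {
            m.addField("rule", matcher.group('rule'));
            m.addField("action", matcher.group('permdeny'));
            m.addField("protocol", matcher.group('proto'));
            m.addField("src_if", matcher.group('srcif'));
            m.addField("src_ip", matcher.group('src'));
            m.addField("dst_if", matcher.group('dstif'));
            m.addField("dst_ip", matcher.group('dst'));
            m.addField("type", matcher.group('type'));
            m.addField("code", matcher.group('code'));
        }
end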
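rule "ASA access-list deny icmp fields"
    // %ASA-3-106014 (ICMP denied): extracts protocol, source/destination interface
    // and address, and the ICMP type/code. "action" is the constant "deny".
    // LHS uses "(?s).*" instead of "(.|\n|\r)*": same match, but no recursive
    // alternation loop that can overflow the stack on a very long syslog line.
    when
        m : Message ( message matches "(?s).*%ASA-3-106014: Deny .*" )
    then
        // Compiled on every firing; DRL has no static fields to cache the Pattern in.
        // The "direction" group is captured but not stored (kept as in the original).
        Matcher matcher = Pattern.compile("Deny (?<direction>\\w+) (?<proto>\\w+) src (?<srcif>[\\w-]+):(?<src>[0-9a-fA-F.:]+) dst (?<dstif>[\\w-]+):(?<dst>[0-9a-fA-F.:]+) \\(type (?<type>\\d+), code (?<code>\\d+)\\)").matcher(m.getMessage());
        if (matcher.find()) {
            m.addField("action", "deny");
            m.addField("protocol", matcher.group('proto'));
            m.addField("src_if", matcher.group('srcif'));
            m.addField("src_ip", matcher.group('src'));
            m.addField("dst_if", matcher.group('dstif'));
            m.addField("dst_ip", matcher.group('dst'));
            m.addField("type", matcher.group('type'));
            m.addField("code", matcher.group('code'));
        }
end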
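rule "ASA denied icmp fields"
    // %ASA-3-313001 (ICMP to the device denied): extracts protocol, ICMP type/code,
    // source address and the receiving interface. "action" is the constant "deny".
    // LHS uses "(?s).*" instead of "(.|\n|\r)*": same match, but no recursive
    // alternation loop that can overflow the stack on a very long syslog line.
    when
        m : Message ( message matches "(?s).*%ASA-3-313001: Denied .*" )
    then
        // Compiled on every firing; DRL has no static fields to cache the Pattern in.
        Matcher matcher = Pattern.compile("Denied (?<proto>\\w+) type=(?<type>\\d+), code=(?<code>\\d+) from (?<src>[0-9a-fA-F.:]+) on interface (?<srcif>[\\w-]+)").matcher(m.getMessage());
        if (matcher.find()) {
            m.addField("action", "deny");
            m.addField("protocol", matcher.group('proto'));
            m.addField("src_if", matcher.group('srcif'));
            m.addField("src_ip", matcher.group('src'));
            m.addField("type", matcher.group('type'));
            m.addField("code", matcher.group('code'));
        }
end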
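rule "ASA denied icmp reverse path check"
    // %ASA-1-106021 (reverse-path check failure): extracts protocol, source and
    // destination address and the interface the packet arrived on.
    // LHS uses "(?s).*" instead of "(.|\n|\r)*": same match, but no recursive
    // alternation loop that can overflow the stack on a very long syslog line.
    when
        m : Message ( message matches "(?s).*%ASA-1-106021: Deny .*" )
    then
        // Compiled on every firing; DRL has no static fields to cache the Pattern in.
        Matcher matcher = Pattern.compile("Deny (?<proto>\\w+) reverse path check from (?<src>[0-9a-fA-F.:]+) to (?<dst>[0-9a-fA-F.:]+) on interface (?<srcif>[\\w-]+)").matcher(m.getMessage());
        if (matcher.find()) {
            m.addField("action", "deny");
            m.addField("protocol", matcher.group('proto'));
            m.addField("src_if", matcher.group('srcif'));
            m.addField("src_ip", matcher.group('src'));
            // NOTE(review): the message carries only one interface, so dst_if is
            // filled from the same group as src_if -- confirm this is intended.
            m.addField("dst_if", matcher.group('srcif'));
            m.addField("dst_ip", matcher.group('dst'));
        }
end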
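rule "ASA icmp build/teardown"
    // %ASA-6-302020/302021 (ICMP connection built/torn down): extracts action,
    // optional direction, protocol, the foreign/global/local address with its ICMP
    // id, and the optional user names in parentheses.
    // LHS uses "(?s).*" instead of "(.|\n|\r)*": same match, but no recursive
    // alternation loop that can overflow the stack on a very long syslog line.
    when
        m : Message ( message matches "(?s).*%ASA-6-30202[01]:.*" )
    then
        // Compiled on every firing; DRL has no static fields to cache the Pattern in.
        Matcher matcher = Pattern.compile("(?<action>\\w+) ((?<direction>(inbound|outbound)) )?(?<proto>\\w+) connection for faddr (?<dst>[0-9a-fA-F.:]+)/(?<dsticmpcode>\\d+)(\\((?<dstuser>.+)\\))? gaddr (?<xlated>[0-9a-fA-F.:]+)/(?<xlatedicmpcode>\\d+) laddr (?<src>[0-9a-fA-F.:]+)/(?<srcicmpcode>\\d+)( \\((?<user>.+)\\))?").matcher(m.getMessage());
        if (matcher.find()) {
            m.addField("action", matcher.group('action'));
            // "direction" is an optional group; guard it like the other optional
            // groups below so a null is never handed to addField.
            if (matcher.group('direction') != null) {
                m.addField("direction", matcher.group('direction'));
            }
            m.addField("protocol", matcher.group('proto'));
            m.addField("src_ip", matcher.group('src'));
            m.addField("src_icmp_code", matcher.group('srcicmpcode'));
            m.addField("xlated_src_ip", matcher.group('xlated'));
            m.addField("xlated_src_icmp_code", matcher.group('xlatedicmpcode'));
            m.addField("dst_ip", matcher.group('dst'));
            m.addField("dst_icmp_code", matcher.group('dsticmpcode'));
            if (matcher.group('dstuser') != null) {
                m.addField("fwuser", matcher.group('dstuser'));
            }
            if (matcher.group('user') != null) {
                m.addField("user", matcher.group('user'));
            }
        }
end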
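rule "ASA other deny fields"
    // %ASA-6-106015 (e.g. TCP without a connection): extracts action, protocol,
    // TCP flags, source/destination address and port, and the interface.
    // LHS uses "(?s).*" instead of "(.|\n|\r)*": same match, but no recursive
    // alternation loop that can overflow the stack on a very long syslog line.
    when
        m : Message ( message matches "(?s).*%ASA-6-106015.*" )
    then
        // Compiled on every firing; DRL has no static fields to cache the Pattern in.
        // The ".+" after the protocol skips the parenthesised reason text.
        Matcher matcher = Pattern.compile("(?<permdeny>\\w+) (?<proto>\\w+) .+ from (?<src>[0-9a-fA-F.:]+)/(?<srcport>\\d+) to (?<dst>[0-9a-fA-F.:]+)/(?<dstport>\\d+) flags (?<flags>.+) on interface (?<dstif>[\\w-]+)").matcher(m.getMessage());
        if (matcher.find()) {
            m.addField("flags", matcher.group('flags'));
            m.addField("action", matcher.group('permdeny'));
            m.addField("protocol", matcher.group('proto'));
            m.addField("src_ip", matcher.group('src'));
            m.addField("src_port", Long.valueOf(matcher.group('srcport')));
            m.addField("dst_if", matcher.group('dstif'));
            m.addField("dst_ip", matcher.group('dst'));
            m.addField("dst_port", Long.valueOf(matcher.group('dstport')));
        }
end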
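rule "ASA connection builds"
    // %ASA-6-302013/302015 (TCP/UDP connection built): extracts direction, protocol,
    // connection id, real and mapped source/destination endpoints and the optional
    // user names. "action" is the constant "built".
    // LHS uses "(?s).*" instead of "(.|\n|\r)*": same match, but no recursive
    // alternation loop that can overflow the stack on a very long syslog line.
    when
        m : Message ( message matches "(?s).*%ASA-6-30201[35].*" )
    then
        // Compiled on every firing; DRL has no static fields to cache the Pattern in.
        Matcher matcher = Pattern.compile("Built (?<direction>\\w+) (?<proto>\\w+) connection (?<connectionid>[\\dx]+) for (?<srcif>[\\w-]+):(?<src>[0-9a-fA-F.:]+)/(?<srcport>\\d+) \\((?<mappedsrc>[0-9a-fA-F.:]+)/(?<mappedsrcport>\\d+)\\)(\\((?<srcuser>.+)\\))? to (?<dstif>[\\w-]+):(?<dst>[0-9a-fA-F.:]+)/(?<dstport>\\d+) \\((?<mappeddst>[0-9a-fA-F.:]+)/(?<mappeddstport>\\d+)\\)( \\((?<dstuser>.+)\\))?").matcher(m.getMessage());
        if (matcher.find()) {
            m.addField("action", "built");
            m.addField("protocol", matcher.group('proto'));
            m.addField("connection_id", matcher.group('connectionid'));
            m.addField("direction", matcher.group('direction'));
            m.addField("src_if", matcher.group('srcif'));
            m.addField("src_ip", matcher.group('src'));
            m.addField("src_port", Long.valueOf(matcher.group('srcport')));
            m.addField("dst_if", matcher.group('dstif'));
            m.addField("dst_ip", matcher.group('dst'));
            m.addField("dst_port", Long.valueOf(matcher.group('dstport')));
            // Both user groups are optional; only store them when present.
            if (matcher.group('srcuser') != null) {
                m.addField("src_fwuser", matcher.group('srcuser'));
            }
            if (matcher.group('dstuser') != null) {
                m.addField("user", matcher.group('dstuser'));
            }
            m.addField("mapped_src_ip", matcher.group('mappedsrc'));
            m.addField("mapped_src_port", Long.valueOf(matcher.group('mappedsrcport')));
            m.addField("mapped_dst_ip", matcher.group('mappeddst'));
            m.addField("mapped_dst_port", Long.valueOf(matcher.group('mappeddstport')));
        }
end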
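rule "ASA TCP/UDP teardown"
    // %ASA-6-302014/302016 (TCP/UDP connection torn down): extracts protocol,
    // connection id, source/destination endpoints, optional users, the h:m:s
    // duration (also as total seconds), byte count and optional teardown reason.
    // LHS uses "(?s).*" instead of "(.|\n|\r)*": same match, but no recursive
    // alternation loop that can overflow the stack on a very long syslog line.
    when
        m : Message ( message matches "(?s).*%ASA-6-30201[46].*" )
    then
        // Compiled on every firing; DRL has no static fields to cache the Pattern in.
        Matcher matcher = Pattern.compile("Teardown (?<proto>\\w+) connection (?<connectionid>[\\dxa-f]+) for (?<srcif>[\\w-]+):(?<src>[0-9a-fA-F.:]+)/(?<srcport>\\d+)(\\((?<srcuser>.+)\\))? to (?<dstif>[\\w-]+):(?<dst>[0-9a-fA-F.:]+)/(?<dstport>\\d+) duration (?<duration>\\d+:\\d+:\\d+) bytes (?<bytes>\\d+)( (?<reason>.+))?( \\((?<user>.+)\\))?").matcher(m.getMessage());
        if (matcher.find()) {
            m.addField("action", "teardown");
            m.addField("protocol", matcher.group('proto'));
            m.addField("connection_id", matcher.group('connectionid'));
            m.addField("src_if", matcher.group('srcif'));
            m.addField("src_ip", matcher.group('src'));
            m.addField("src_port", Long.valueOf(matcher.group('srcport')));
            if (matcher.group('srcuser') != null) {
                m.addField("src_user", matcher.group('srcuser'));
            }
            m.addField("dst_if", matcher.group('dstif'));
            m.addField("dst_ip", matcher.group('dst'));
            m.addField("dst_port", Long.valueOf(matcher.group('dstport')));
            if (matcher.group('user') != null) {
                m.addField("user", matcher.group('user'));
            }
            m.addField("duration", matcher.group('duration'));
            // "duration" is h:m:s (three \d+ parts guaranteed by the regex);
            // store it as total seconds too so it can be compared numerically.
            String[] parts = matcher.group('duration').split(":");
            Long durationSec = Long.valueOf(Long.parseLong(parts[0]) * 3600L + Long.parseLong(parts[1]) * 60L + Long.parseLong(parts[2]));
            m.addField("duration_sec", durationSec);
            m.addField("bytes", Long.valueOf(matcher.group('bytes')));
            if (matcher.group('reason') != null) {
                m.addField("reason", matcher.group('reason'));
            }
        }
end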
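rule "ASA dynamic connection builds"
    // %ASA-6-305011 (translation built): extracts translation type, protocol,
    // real source endpoint, optional user and the translated endpoint.
    // "action" is the constant "built".
    // LHS uses "(?s).*" instead of "(.|\n|\r)*": same match, but no recursive
    // alternation loop that can overflow the stack on a very long syslog line.
    when
        m : Message ( message matches "(?s).*%ASA-6-305011.*" )
    then
        // Compiled on every firing; DRL has no static fields to cache the Pattern in.
        Matcher matcher = Pattern.compile("Built (?<xlatetype>.+) (?<proto>\\w+) translation from (?<srcif>\\w+):(?<src>[0-9a-fA-F.:]+)/(?<srcport>\\d+)(\\((?<srcuser>.+)\\))? to (?<xlatedif>\\w+):(?<xlatedsrc>[0-9a-fA-F.:]+)/(?<xlatedport>\\d+)").matcher(m.getMessage());
        if (matcher.find()) {
            m.addField("action", "built");
            m.addField("protocol", matcher.group('proto'));
            m.addField("xlate_type", matcher.group('xlatetype'));
            m.addField("src_if", matcher.group('srcif'));
            m.addField("src_ip", matcher.group('src'));
            m.addField("src_port", Long.valueOf(matcher.group('srcport')));
            if (matcher.group('srcuser') != null) {
                m.addField("src_fwuser", matcher.group('srcuser'));
            }
            m.addField("xlated_src_if", matcher.group('xlatedif'));
            m.addField("xlated_src_ip", matcher.group('xlatedsrc'));
            m.addField("xlated_src_port", Long.valueOf(matcher.group('xlatedport')));
        }
end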
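rule "ASA dynamic UDP/TCP teardown"
    // %ASA-6-305012 (translation torn down): extracts translation type, protocol,
    // source/destination endpoints, optional user and the h:m:s duration (also as
    // total seconds). "action" is the constant "teardown".
    // LHS uses "(?s).*" instead of "(.|\n|\r)*": same match, but no recursive
    // alternation loop that can overflow the stack on a very long syslog line.
    when
        m : Message ( message matches "(?s).*%ASA-6-305012.*" )
    then
        // Compiled on every firing; DRL has no static fields to cache the Pattern in.
        Matcher matcher = Pattern.compile("Teardown (?<xlatetype>.+) (?<proto>\\w+) translation from (?<srcif>[\\w-]+):(?<src>[0-9a-fA-F.:]+)/(?<srcport>\\d+)(\\((?<srcuser>.+)\\))? to (?<dstif>[\\w-]+):(?<dst>[0-9a-fA-F.:]+)/(?<dstport>\\d+) duration (?<duration>\\d+:\\d+:\\d+)").matcher(m.getMessage());
        if (matcher.find()) {
            m.addField("action", "teardown");
            m.addField("protocol", matcher.group('proto'));
            m.addField("xlate_type", matcher.group('xlatetype'));
            m.addField("src_if", matcher.group('srcif'));
            m.addField("src_ip", matcher.group('src'));
            m.addField("src_port", Long.valueOf(matcher.group('srcport')));
            if (matcher.group('srcuser') != null) {
                m.addField("src_user", matcher.group('srcuser'));
            }
            m.addField("dst_if", matcher.group('dstif'));
            m.addField("dst_ip", matcher.group('dst'));
            m.addField("dst_port", Long.valueOf(matcher.group('dstport')));
            m.addField("duration", matcher.group('duration'));
            // "duration" is h:m:s (three \d+ parts guaranteed by the regex).
            String[] parts = matcher.group('duration').split(":");
            Long durationSec = Long.valueOf(Long.parseLong(parts[0]) * 3600L + Long.parseLong(parts[1]) * 60L + Long.parseLong(parts[2]));
            m.addField("duration_sec", durationSec);
        }
end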
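rule "ACE logs rewrite"
    // Tags local4 messages that carry a Cisco ACE syslog id: sets "program" and
    // "ciscotag", and replaces "message" with the text after "%ACE-x-nnnnnn: ".
    // LHS uses "(?s).*" instead of "(.|\n|\r)*": same match, but no recursive
    // alternation loop that can overflow the stack on a very long syslog line.
    when
        m : Message ( getField("facility") == "local4" && message matches "(?s).*%ACE-.*" )
    then
        // Compiled on every firing; DRL has no static fields to cache the Pattern in.
        Matcher matcher = Pattern.compile("%(?<mesgid>ACE-\\d-\\d+): (?<mesg>.+)").matcher(m.getMessage());
        if (matcher.find()) {
            m.addField("program", "Cisco ACE");
            m.addField("ciscotag", matcher.group('mesgid'));
            m.addField("message", matcher.group('mesg'));
        }
end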
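rule "ACE connection builds"
    // %ACE-6-302022/302024 (TCP/UDP connection built): extracts protocol,
    // connection id and the real and mapped source/destination endpoints.
    // "action" is the constant "built".
    // LHS uses "(?s).*" instead of "(.|\n|\r)*": same match, but no recursive
    // alternation loop that can overflow the stack on a very long syslog line.
    when
        m : Message ( message matches "(?s).*%ACE-6-30202[24].*" )
    then
        // Compiled on every firing; DRL has no static fields to cache the Pattern in.
        Matcher matcher = Pattern.compile("Built (?<proto>\\w+) connection (?<connectionid>[\\dxa-f]+) for (?<srcif>[\\w-]+):(?<src>[0-9a-fA-F.:]+)/(?<srcport>\\d+) \\((?<mappedsrc>[0-9a-fA-F.:]+)/(?<mappedsrcport>\\d+)\\) to (?<dstif>[\\w-]+):(?<dst>[0-9a-fA-F.:]+)/(?<dstport>\\d+) \\((?<mappeddst>[0-9a-fA-F.:]+)/(?<mappeddstport>\\d+)\\)").matcher(m.getMessage());
        if (matcher.find()) {
            m.addField("action", "built");
            m.addField("protocol", matcher.group('proto'));
            m.addField("connection_id", matcher.group('connectionid'));
            m.addField("src_if", matcher.group('srcif'));
            m.addField("src_ip", matcher.group('src'));
            m.addField("src_port", Long.valueOf(matcher.group('srcport')));
            m.addField("mapped_src_ip", matcher.group('mappedsrc'));
            m.addField("mapped_src_port", Long.valueOf(matcher.group('mappedsrcport')));
            m.addField("dst_if", matcher.group('dstif'));
            m.addField("dst_ip", matcher.group('dst'));
            m.addField("dst_port", Long.valueOf(matcher.group('dstport')));
            m.addField("mapped_dst_ip", matcher.group('mappeddst'));
            m.addField("mapped_dst_port", Long.valueOf(matcher.group('mappeddstport')));
        }
end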
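rule "ACE TCP/UDP teardown"
    // %ACE-6-302023/302025 (TCP/UDP connection torn down): extracts protocol,
    // connection id, real and mapped endpoints, the h:m:s duration (also as total
    // seconds), byte count and the teardown reason. "action" is "teardown".
    // LHS uses "(?s).*" instead of "(.|\n|\r)*": same match, but no recursive
    // alternation loop that can overflow the stack on a very long syslog line.
    when
        m : Message ( message matches "(?s).*%ACE-6-30202[35].*" )
    then
        // Compiled on every firing; DRL has no static fields to cache the Pattern in.
        // Unlike the ASA teardown rule, "reason" is mandatory in this pattern.
        Matcher matcher = Pattern.compile("Teardown (?<proto>\\w+) connection (?<connectionid>[\\dxa-f]+) for (?<srcif>[\\w-]+):(?<src>[0-9a-fA-F.:]+)/(?<srcport>\\d+) \\((?<mappedsrc>[0-9a-fA-F.:]+)/(?<mappedsrcport>\\d+)\\) to (?<dstif>[\\w-]+):(?<dst>[0-9a-fA-F.:]+)/(?<dstport>\\d+) \\((?<mappeddst>[0-9a-fA-F.:]+)/(?<mappeddstport>\\d+)\\) duration (?<duration>\\d+:\\d+:\\d+) bytes (?<bytes>\\d+) (?<reason>.+)").matcher(m.getMessage());
        if (matcher.find()) {
            m.addField("action", "teardown");
            m.addField("protocol", matcher.group('proto'));
            m.addField("connection_id", matcher.group('connectionid'));
            m.addField("src_if", matcher.group('srcif'));
            m.addField("src_ip", matcher.group('src'));
            m.addField("src_port", Long.valueOf(matcher.group('srcport')));
            m.addField("mapped_src_ip", matcher.group('mappedsrc'));
            m.addField("mapped_src_port", Long.valueOf(matcher.group('mappedsrcport')));
            m.addField("dst_if", matcher.group('dstif'));
            m.addField("dst_ip", matcher.group('dst'));
            m.addField("dst_port", Long.valueOf(matcher.group('dstport')));
            m.addField("mapped_dst_ip", matcher.group('mappeddst'));
            m.addField("mapped_dst_port", Long.valueOf(matcher.group('mappeddstport')));
            m.addField("duration", matcher.group('duration'));
            // "duration" is h:m:s (three \d+ parts guaranteed by the regex).
            String[] parts = matcher.group('duration').split(":");
            Long durationSec = Long.valueOf(Long.parseLong(parts[0]) * 3600L + Long.parseLong(parts[1]) * 60L + Long.parseLong(parts[2]));
            m.addField("duration_sec", durationSec);
            m.addField("bytes", Long.valueOf(matcher.group('bytes')));
            m.addField("reason", matcher.group('reason'));
        }
end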
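rule "ACE ICMP teardown"
    // %ACE-6-302027 (ICMP connection torn down): extracts protocol, the
    // foreign/global/local address with its ICMP id and the optional user names.
    // "action" is the constant "teardown".
    // LHS uses "(?s).*" instead of "(.|\n|\r)*": same match, but no recursive
    // alternation loop that can overflow the stack on a very long syslog line.
    when
        m : Message ( message matches "(?s).*%ACE-6-302027.*" )
    then
        // Compiled on every firing; DRL has no static fields to cache the Pattern in.
        Matcher matcher = Pattern.compile("Teardown (?<proto>\\w+) connection for faddr (?<dst>[0-9a-fA-F.:]+)/(?<dsticmpcode>\\d+)(\\((?<dstuser>.+)\\))? gaddr (?<xlated>[0-9a-fA-F.:]+)/(?<xlatedicmpcode>\\d+) laddr (?<src>[0-9a-fA-F.:]+)/(?<srcicmpcode>\\d+)( \\((?<user>.+)\\))?").matcher(m.getMessage());
        if (matcher.find()) {
            m.addField("action", "teardown");
            m.addField("protocol", matcher.group('proto'));
            m.addField("src_ip", matcher.group('src'));
            m.addField("src_icmp_code", matcher.group('srcicmpcode'));
            m.addField("xlated_src_ip", matcher.group('xlated'));
            m.addField("xlated_src_icmp_code", matcher.group('xlatedicmpcode'));
            m.addField("dst_ip", matcher.group('dst'));
            m.addField("dst_icmp_code", matcher.group('dsticmpcode'));
            // Both user groups are optional; only store them when present.
            if (matcher.group('dstuser') != null) {
                m.addField("fwuser", matcher.group('dstuser'));
            }
            if (matcher.group('user') != null) {
                m.addField("user", matcher.group('user'));
            }
        }
end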
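rule "ACE dynamic connection builds"
    // %ACE-6-305011 (translation built): extracts translation type, protocol,
    // real source endpoint, optional user and the translated endpoint.
    // "action" is the constant "built".
    // LHS uses "(?s).*" instead of "(.|\n|\r)*": same match, but no recursive
    // alternation loop that can overflow the stack on a very long syslog line.
    when
        m : Message ( message matches "(?s).*%ACE-6-305011.*" )
    then
        // Compiled on every firing; DRL has no static fields to cache the Pattern in.
        Matcher matcher = Pattern.compile("Built (?<xlatetype>.+) (?<proto>\\w+) translation from (?<srcif>\\w+):(?<src>[0-9a-fA-F.:]+)/(?<srcport>\\d+)(\\((?<srcuser>.+)\\))? to (?<xlatedif>\\w+):(?<xlatedsrc>[0-9a-fA-F.:]+)/(?<xlatedport>\\d+)").matcher(m.getMessage());
        if (matcher.find()) {
            m.addField("action", "built");
            m.addField("protocol", matcher.group('proto'));
            m.addField("xlate_type", matcher.group('xlatetype'));
            m.addField("src_if", matcher.group('srcif'));
            m.addField("src_ip", matcher.group('src'));
            m.addField("src_port", Long.valueOf(matcher.group('srcport')));
            if (matcher.group('srcuser') != null) {
                m.addField("src_fwuser", matcher.group('srcuser'));
            }
            m.addField("xlated_src_if", matcher.group('xlatedif'));
            m.addField("xlated_src_ip", matcher.group('xlatedsrc'));
            m.addField("xlated_src_port", Long.valueOf(matcher.group('xlatedport')));
        }
end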
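rule "ACE dynamic UDP/TCP teardown"
    // %ACE-6-305012 (translation torn down): extracts translation type, protocol,
    // source/destination endpoints, optional user and the h:m:s duration (also as
    // total seconds). "action" is the constant "teardown".
    // LHS uses "(?s).*" instead of "(.|\n|\r)*": same match, but no recursive
    // alternation loop that can overflow the stack on a very long syslog line.
    when
        m : Message ( message matches "(?s).*%ACE-6-305012.*" )
    then
        // Compiled on every firing; DRL has no static fields to cache the Pattern in.
        Matcher matcher = Pattern.compile("Teardown (?<xlatetype>.+) (?<proto>\\w+) translation from (?<srcif>[\\w-]+):(?<src>[0-9a-fA-F.:]+)/(?<srcport>\\d+)(\\((?<srcuser>.+)\\))? to (?<dstif>[\\w-]+):(?<dst>[0-9a-fA-F.:]+)/(?<dstport>\\d+) duration (?<duration>\\d+:\\d+:\\d+)").matcher(m.getMessage());
        if (matcher.find()) {
            m.addField("action", "teardown");
            m.addField("protocol", matcher.group('proto'));
            m.addField("xlate_type", matcher.group('xlatetype'));
            m.addField("src_if", matcher.group('srcif'));
            m.addField("src_ip", matcher.group('src'));
            m.addField("src_port", Long.valueOf(matcher.group('srcport')));
            if (matcher.group('srcuser') != null) {
                m.addField("src_user", matcher.group('srcuser'));
            }
            m.addField("dst_if", matcher.group('dstif'));
            m.addField("dst_ip", matcher.group('dst'));
            m.addField("dst_port", Long.valueOf(matcher.group('dstport')));
            m.addField("duration", matcher.group('duration'));
            // "duration" is h:m:s (three \d+ parts guaranteed by the regex).
            String[] parts = matcher.group('duration').split(":");
            Long durationSec = Long.valueOf(Long.parseLong(parts[0]) * 3600L + Long.parseLong(parts[1]) * 60L + Long.parseLong(parts[2]));
            m.addField("duration_sec", durationSec);
        }
end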
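rule "ACE Probe failure"
    // %ACE-3-251010 (health probe failed): extracts the probed server address and
    // port and the trailing error text. "action" is the constant "probe fail".
    // LHS uses "(?s).*" instead of "(.|\n|\r)*": same match, but no recursive
    // alternation loop that can overflow the stack on a very long syslog line.
    when
        m : Message ( message matches "(?s).*%ACE-3-251010.*" )
    then
        // Compiled on every firing; DRL has no static fields to cache the Pattern in.
        Matcher matcher = Pattern.compile("Health probe failed for server (?<dst>[0-9a-fA-F.:]+) on port (?<dstport>\\d+), (?<errormsg>.+)").matcher(m.getMessage());
        if (matcher.find()) {
            m.addField("action", "probe fail");
            m.addField("dst_ip", matcher.group('dst'));
            m.addField("dst_port", Long.valueOf(matcher.group('dstport')));
            m.addField("errormsg", matcher.group('errormsg'));
        }
end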
Brgds. Martin