I finally built a rule that does the job:
import org.graylog2.plugin.Message
import java.util.regex.Matcher
import java.util.regex.Pattern
import java.nio.charset.Charset
import java.io.*

rule "Squid track domains ADS"
when
    m : Message( getField("full_message") matches ".*https?://[^/]*/.*"
                 && getField("ServiceName") == "Squid" )
then
    // Capture the host part of the requested URL.
    Matcher matcher = Pattern.compile(".*https?:\\/\\/([^\\/]*)\\/.*")
            .matcher(m.getFieldAs(String.class, "full_message"));
    if ( matcher.find() ) {
        String line = null;
        // Quote the host so its dots and any regex metacharacters match literally.
        Pattern pDomain = Pattern.compile("^.*" + Pattern.quote(matcher.group(1)) + "$");
        BufferedReader br = new BufferedReader(new InputStreamReader(
                new FileInputStream("/etc/graylog/drools/ads-domain.list"),
                Charset.forName("UTF-8")));
        try {
            // Tag the message if any list entry ends with the requested host.
            while ((line = br.readLine()) != null) {
                if ( pDomain.matcher(line).find() ) {
                    m.addField("Squid_target_domain_feature", "ADS");
                    break;
                }
            }
        } finally {
            br.close(); // release the file handle on every rule firing
        }
    }
end

On Monday, 29 February 2016 18:22:16 UTC+1, Matthieu Simon wrote:
>
> Hi,
>
> I collect Squid's logs and I want to get the best.
> For this I would like to add an attribute to a tag line based on the
> visited domain.
> If the domain is included in the following list (
> http://pgl.yoyo.org/as/serverlist.php?hostformat=nohtml&showintro=1&startdate%5Bday%5D=&startdate%5Bmonth%5D=&startdate%5Byear%5D=),
>
> then I add my tag if I let it empty.
> In this way I can easily make relevant statistics.
>
> The problem is that I find no way, either server or client to perform this
> operation.
> Regex would not be suitable as there are 2500 listed areas.
> If I could make a grep and catch return I think it will be OK but I don't
> find with graylog collector or nxlog.
>
> Would anyone have a lead, please?
>
> thank you very much
>
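
The rule above reopens and scans the list file for every Squid message and matches with a regex. As an added example (not code from the original post or from Graylog), the helper below loads the list once into a set and checks the requested host and each of its parent domains by exact lookup, which is a different matching rule from the post's "list entry ends with host". The class name `AdsDomainList`, its methods and the sample log line are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper: ad-domain lookup backed by a set that is loaded once. */
public final class AdsDomainList {
    // Host of the first http(s) URL; stops at '/', ':' (port) or whitespace.
    private static final Pattern URL_HOST = Pattern.compile("https?://([^/:\\s]+)");
    private final Set<String> domains = new HashSet<>();

    public AdsDomainList(Iterable<String> lines) {
        for (String line : lines) {
            String d = line.trim().toLowerCase(Locale.ROOT);
            if (!d.isEmpty() && !d.startsWith("#")) domains.add(d); // skip blanks and comments
        }
    }

    public static AdsDomainList load(String path) throws IOException {
        return new AdsDomainList(Files.readAllLines(Paths.get(path), StandardCharsets.UTF_8));
    }

    /** Returns the lower-cased host of the first URL in the log line, or null if none. */
    public static String hostOf(String logLine) {
        Matcher m = URL_HOST.matcher(logLine);
        return m.find() ? m.group(1).toLowerCase(Locale.ROOT) : null;
    }

    /** True if the host itself or any parent domain is listed; no regex is built from log data. */
    public boolean contains(String host) {
        for (String h = host; h != null; ) {
            if (domains.contains(h)) return true;
            int dot = h.indexOf('.');
            h = dot < 0 ? null : h.substring(dot + 1); // drop the left-most label
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed list entries and Squid log lines, for illustration only.
        AdsDomainList list = new AdsDomainList(Arrays.asList("ads.example.com", "tracker.example.net"));
        String ad = "1456766536.123 87 10.0.0.5 TCP_MISS/200 512 GET http://img.ads.example.com/b.gif - HIER_DIRECT/192.0.2.10 image/gif";
        String ok = "1456766537.456 42 10.0.0.5 TCP_MISS/200 900 GET http://www.example.org/ - HIER_DIRECT/192.0.2.20 text/html";
        System.out.println(hostOf(ad) + " -> " + list.contains(hostOf(ad)));
        System.out.println(hostOf(ok) + " -> " + list.contains(hostOf(ok)));
    }
}
```

A rule could keep one instance built with `AdsDomainList.load("/etc/graylog/drools/ads-domain.list")` and call `contains(hostOf(...))` on the `full_message` field before adding `Squid_target_domain_feature`.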