Hi Iain,
You can check your Grok patterns against some messages using the Grok
debugger at https://grokdebug.herokuapp.com/.
Cheers,
Jochen
On Thursday, 5 May 2016 22:54:33 UTC+2, Iain wrote:
>
> Hi,
>
> I'm running Graylog 2.0.0 with an extractor to pull out SSH login names
> from failed logins:
>
> (Failed password for (invalid user )?%{DATA:user} from %{IPV4:UNWANTED}
> port %{BASE10NUM:UNWANTED} ssh2)?
>
> This seemed to work on the two types of message it should be picking up.
> I attached it to an input and for a while things seemed to work - I could
> see a few messages with the new "user" tag. Then it stopped working,
> without any messages in the log file. Turning up the log level to TRACE
> resulted in lots of messages, but still nothing that looked like an error.
>
> The next extractor in the list is the IP address extractor which appears
> to be working fine.
>
> Does anyone have any suggestions on how I should go about debugging this?
>
> Iain
>
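
An offline version of the check suggested above, as an added example that is not part of the thread: it expands the extractor pattern into a Python regex and runs it over constructed sshd messages. The Grok sub-patterns are simplified stand-ins, and leftmost-search matching is an assumption about how the extractor applies the pattern.

```python
import re

# Simplified stand-ins for the stock Grok definitions (assumption: the real
# IPV4 and BASE10NUM patterns are stricter; DATA is the usual lazy ".*?").
GROK = {
    "DATA": r".*?",
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "BASE10NUM": r"[+-]?\d+(?:\.\d+)?",
}

# The extractor pattern from the post, joined onto one line.
PATTERN = ("(Failed password for (invalid user )?%{DATA:user} from "
           "%{IPV4:UNWANTED} port %{BASE10NUM:UNWANTED} ssh2)?")
# Same pattern without the outer "( ... )?" wrapper, for comparison.
INNER = PATTERN[1:-2]

def grok_to_regex(pattern):
    """Expand %{NAME:field} into a regex; UNWANTED fields stay unnamed."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        if field == "UNWANTED":
            return "(?:%s)" % GROK[name]
        return "(?P<%s>%s)" % (field, GROK[name])
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, pattern))

def extract_user(message, pattern=PATTERN):
    """Return the captured user, or None when nothing was captured."""
    m = grok_to_regex(pattern).search(message)
    return m.group("user") if m else None

# Constructed sample messages, not taken from the thread.
SAMPLES = [
    "Failed password for root from 203.0.113.7 port 52114 ssh2",
    "Failed password for invalid user admin from 203.0.113.7 port 52115 ssh2",
    "sshd[2211]: Failed password for root from 203.0.113.7 port 52116 ssh2",
    "Accepted publickey for iain from 198.51.100.4 port 40022 ssh2",
]

if __name__ == "__main__":
    # With the outer "(...)?" the regex can match the empty string at offset
    # 0, so a message with leading text matches but captures no user.
    for msg in SAMPLES:
        print("%-6s %-6s %s" % (extract_user(msg), extract_user(msg, INNER), msg))
```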