Hey,
I log my firewall logs into Graylog.
The log File looks like this:
<14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info C-WN02-FW
Detect: type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.143|
srcPort=52365|srcMAC=00:00:00:00:00:00|dstIP=194.232.104.167|dstPort=80|
dstService=|dstIF=port7.910|rule=|info=Normal Operation|
srcNAT=80.120.132.156|dstNAT=194.232.154.127|duration=0|count=1|
receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user=n600771|
protocol=HTTP direct|application=Web browsing|target=steiermark.orf.at|
content=|urlcat=Search Engines/Portals
I tried to extract the fields with gork patterns, I tried it like this:
srcIP=%{IP:srcip}|scrPort=%{NUMBER:srcport}|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}
But it does not work I can only extract the first field. How can I create
the pattern that I can use all Fields?
Has anyone an example for me how I can use work patterns to extract this?
Or is there any other extraction mechanism which is better to use to
extract this kind of date?
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/fb31ea47-348f-4dbf-b6e3-f389ea068e5a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
