'|' stands for a logical OR, so you have to escape it with '\|'.
srcIP=%{IP:srcip}\|srcPort=%{NUMBER:srcport}\|dstIP=%{IP:dstip}\|dstPort=%{NUMBER:dstport}
On Thursday, June 30, 2016 at 07:18:30 UTC+2, Keamas M wrote:
>
> Hey,
>
> I log my firewall logs into Graylog.
>
> The log File looks like this:
>
>
> <14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info C-WN02-FW
> Detect: type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.143|
> srcPort=52365|srcMAC=00:00:00:00:00:00|dstIP=194.232.104.167|dstPort=80|
> dstService=|dstIF=port7.910|rule=|info=Normal Operation|
> srcNAT=80.120.132.156|dstNAT=194.232.154.127|duration=0|count=1|
> receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user=n600771|
> protocol=HTTP direct|application=Web browsing|target=steiermark.orf.at|
> content=|urlcat=Search Engines/Portals
>
>
> I tried to extract the fields with grok patterns. I tried it like this:
>
>
>
> srcIP=%{IP:srcip}|scrPort=%{NUMBER:srcport}|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}
>
> But it does not work: I can only extract the first field. How can I create
> a pattern that lets me use all the fields?
> Does anyone have an example of how I can use grok patterns to extract this?
>
> Or is there any other extraction mechanism that is better suited to
> extracting this kind of data?
>
>
>
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/713f8a53-1be4-48b1-9cb5-3c9e350f69d4%40googlegroups.com.
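To show the difference concretely (an added example, not code from this thread or from Graylog): a small Python stand-in for grok that expands %{IP:...}, %{NUMBER:...} and %{MAC:...} with simplified versions of the library definitions (assumed close enough to the real ones for this log), runs both the unescaped and the escaped pattern over the line quoted above, and then does the same job with a plain key=value split. The escaped pattern also captures srcMAC, which the quoted log places between srcPort and dstIP, so a pattern listing only the four fields back to back would not match that line.

```python
import re

# Constructed sample: the firewall line quoted in the question, re-assembled on one line.
SAMPLE = (
    "<14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info C-WN02-FW "
    "Detect: type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.143|"
    "srcPort=52365|srcMAC=00:00:00:00:00:00|dstIP=194.232.104.167|dstPort=80|"
    "dstService=|dstIF=port7.910|rule=|info=Normal Operation|"
    "srcNAT=80.120.132.156|dstNAT=194.232.154.127|duration=0|count=1|"
    "receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user=n600771|"
    "protocol=HTTP direct|application=Web browsing|target=steiermark.orf.at|"
    "content=|urlcat=Search Engines/Portals"
)

# Simplified stand-ins for grok's built-in IP, NUMBER and MAC definitions (assumption:
# adequate for this log; the real library definitions add look-behinds and more cases).
GROK_BASE = {
    "IP": r"(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)",
    "NUMBER": r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)",
    "MAC": r"(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2}",
}

# The question's pattern (srcPort spelled correctly) with '|' left unescaped: an alternation.
UNESCAPED_PATTERN = (r"srcIP=%{IP:srcip}|srcPort=%{NUMBER:srcport}"
                     r"|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}")
# The reply's escaped form, plus the srcMAC field the log puts between srcPort and dstIP.
ESCAPED_PATTERN = (r"srcIP=%{IP:srcip}\|srcPort=%{NUMBER:srcport}\|srcMAC=%{MAC:srcmac}"
                   r"\|dstIP=%{IP:dstip}\|dstPort=%{NUMBER:dstport}")

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Expand %{SYNTAX:semantic} references into named groups. Every other character is
    passed through as regex, which is why a bare '|' turns into an alternation."""
    def expand(m):
        body = GROK_BASE[m.group(1)]
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return _REF.sub(expand, pattern)


def grok_match(pattern: str, line: str) -> dict:
    """Return only the fields that actually captured something, as an extractor would."""
    m = re.search(grok_to_regex(pattern), line)
    if m is None:
        return {}
    return {name: value for name, value in m.groupdict().items() if value is not None}


def parse_kv(line: str, sep: str = "|") -> dict:
    """Alternative without a per-field pattern: take the payload after 'Detect: ', split on
    the delimiter, then on the first '='. Empty values (dstService=) and values containing
    spaces (info=Normal Operation) survive intact."""
    payload = line.split("Detect: ", 1)[1] if "Detect: " in line else line
    fields = {}
    for item in payload.split(sep):
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key] = value
    return fields


if __name__ == "__main__":
    print(grok_match(UNESCAPED_PATTERN, SAMPLE))  # only srcip: '|' made four alternatives
    print(grok_match(ESCAPED_PATTERN, SAMPLE))    # all five fields
    kv = parse_kv(SAMPLE)
    print(len(kv), repr(kv["info"]), repr(kv["dstService"]))
```

The unescaped pattern compiles to one alternation of four alternatives, so the leftmost alternative that matches wins and only srcip comes back, which is exactly the "only the first field" symptom. With `\|` the pipes are literal characters and all five fields are captured; the same holds in Graylog, whose grok extractor compiles the pattern to a regex. The key=value split is the other route the question asks about: it needs no pattern per field and keeps empty values and values containing spaces, and a following step can still validate the ones that matter (IPs, ports) before they are trusted in searches or alerts.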