I also tried to escape it with the \ and / and so on... but it does not 
work.
I always get this message when I press try:

Attention
We were not able to run the grok extraction. Please check your parameters.

See the screenshot in the attachment.





On Thursday, 30 June 2016 09:23:11 UTC+2, kaiser wrote:
>
> '|' stands for a logic OR so you have to escape it with '\|'.
>
>
> srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}\|dstIP=%{IP:dstip}\|dstPort=%{NUMBER:dstport}
>
> On Thursday, 30 June 2016 07:18:30 UTC+2, Keamas M wrote:
>>
>> Hey,
>>
>> I log my firewall logs into Graylog.
>>
>> The log file looks like this:
>>
>>
>> <14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info C-WN02-FW 
>> Detect: type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.143|
>> srcPort=52365|srcMAC=00:00:00:00:00:00|dstIP=194.232.104.167|dstPort=80|
>> dstService=|dstIF=port7.910|rule=|info=Normal Operation|
>> srcNAT=80.120.132.156|dstNAT=194.232.154.127|duration=0|count=1|
>> receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user=n600771|
>> protocol=HTTP direct|application=Web browsing|target=steiermark.orf.at|
>> content=|urlcat=Search Engines/Portals
>>
>>
>> I tried to extract the fields with grok patterns. I tried it like this:
>>
>>
>>
>> srcIP=%{IP:srcip}|scrPort=%{NUMBER:srcport}|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}
>>
>> But it does not work; I can only extract the first field. How can I create 
>> the pattern so that I can use all fields?
>> Does anyone have an example for me of how I can use grok patterns to extract this?
>>
>> Or is there any other extraction mechanism which is better to use to 
>> extract this kind of data?
>>
>>
>>
<https://lh3.googleusercontent.com/-Ltf_0gQsscU/V3YZbc1LTpI/AAAAAAAAAP4/NKiARLA1CI82O_DEue824Hz1dMl9hGFSACLcB/s1600/graylog1.JPG>
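
An added example, not part of the original thread: it shows with Python's `re` module (not Graylog's grok engine) how an unescaped `|` acts as alternation on the log line quoted above, and how splitting on the literal pipe yields every field. The `IP` regex is a simplified stand-in for grok's `%{IP}`, and the function names are hypothetical.

```python
import re

# Log line from the thread, re-joined onto a single line.
LINE = (
    "<14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info C-WN02-FW "
    "Detect: type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.143|"
    "srcPort=52365|srcMAC=00:00:00:00:00:00|dstIP=194.232.104.167|dstPort=80|"
    "dstService=|dstIF=port7.910|rule=|info=Normal Operation|"
    "srcNAT=80.120.132.156|dstNAT=194.232.154.127|duration=0|count=1|"
    "receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user=n600771|"
    "protocol=HTTP direct|application=Web browsing|target=steiermark.orf.at|"
    "content=|urlcat=Search Engines/Portals"
)

IP = r"\d{1,3}(?:\.\d{1,3}){3}"  # assumption: simplified stand-in for %{IP}

# Unescaped: '|' is alternation, i.e. "srcIP=... OR srcPort=...".
UNESCAPED = re.compile(rf"srcIP=(?P<srcip>{IP})|srcPort=(?P<srcport>\d+)")
# Escaped: '\|' is a literal pipe, so both fields must appear back to back.
ESCAPED = re.compile(rf"srcIP=(?P<srcip>{IP})\|srcPort=(?P<srcport>\d+)")


def grok_like(pattern, line):
    """Return the named captures of the first match, or None if no match."""
    match = pattern.search(line)
    return match.groupdict() if match else None


def parse_kv(line, marker="Detect: "):
    """Split the payload after the marker on literal pipes into a dict."""
    _, found, payload = line.partition(marker)
    if not found:
        return {}
    fields = {}
    for item in payload.split("|"):
        key, eq, value = item.partition("=")
        if key and eq:
            fields[key] = value  # empty values such as 'rule=' are kept as ""
    return fields


if __name__ == "__main__":
    print(grok_like(UNESCAPED, LINE))  # only the first alternative is captured
    print(grok_like(ESCAPED, LINE))    # both adjacent fields are captured
    print(parse_kv(LINE))
```
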
