Can you try:
srcIP=%{IP:srcip}
then
scrPort=%{NUMBER:srcport}
Is there any error on those patterns?
If no errors are displayed can you try:
%{GREEDYDATA:UNWANTED}srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}
On Friday, July 1, 2016 at 09:19:53 UTC+2, Keamas M wrote:
>
> I also tried to escape it with the \ and / and so on... but it does not
> work.
> I always get this message when I press try:
>
> Attention
> We were not able to run the grok extraction. Please check your parameters.
>
> See the screenshot in the attachment.
>
> On Thursday, June 30, 2016 at 09:23:11 UTC+2, kaiser wrote:
>>
>> '|' stands for a logical OR, so you have to escape it as '\|'.
>>
>>
>> srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}\|dstIP=%{IP:dstip}\|dstPort=%{NUMBER:dstport}
>>
>> On Thursday, June 30, 2016 at 07:18:30 UTC+2, Keamas M wrote:
>>>
>>> Hey,
>>>
>>> I log my firewall logs into Graylog.
>>>
>>> The log File looks like this:
>>>
>>>
>>> <14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info
>>> C-WN02-FW Detect: type=FWD|proto=TCP|srcIF=port7.101|
>>> srcIP=10.244.130.143|srcPort=52365|srcMAC=00:00:00:00:00:00|
>>> dstIP=194.232.104.167|dstPort=80|dstService=|dstIF=port7.910|rule=|
>>> info=Normal Operation|srcNAT=80.120.132.156|dstNAT=194.232.154.127|
>>> duration=0|count=1|receivedBytes=0|sentBytes=0|receivedPackets=0|
>>> sentPackets=0|user=n600771|protocol=HTTP direct|application=Web browsing
>>> |target=steiermark.orf.at|content=|urlcat=Search Engines/Portals
>>>
>>>
>>> I tried to extract the fields with grok patterns, I tried it like this:
>>>
>>> srcIP=%{IP:srcip}|scrPort=%{NUMBER:srcport}|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}
>>>
>>> But it does not work; I can only extract the first field. How can I
>>> create a pattern that lets me use all fields?
>>> Does anyone have an example of how I can use grok patterns to extract this?
>>>
>>> Or is there any other extraction mechanism which is better to use to
>>> extract this kind of data?
>>>
>
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/1cc952ca-f635-4f61-87d1-897ed7c6eb08%40googlegroups.com.
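An added example (not from this thread or from Graylog's code) that models how a grok pattern is expanded into a regex and runs it over the firewall line quoted above, so the effect of an escaped versus unescaped '|' can be seen, alongside a plain key=value split that fits this pipe-delimited format without one regex per field. The pattern library here is an assumed, reduced subset (IP, NUMBER, DATA, GREEDYDATA are simplified relative to the real grok definitions), and the sample line is the one from the thread, joined into a single string.

```python
import re

# Constructed sample: the firewall line quoted in the thread, joined into one line.
SAMPLE = (
    "<14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info "
    "C-WN02-FW Detect: type=FWD|proto=TCP|srcIF=port7.101|"
    "srcIP=10.244.130.143|srcPort=52365|srcMAC=00:00:00:00:00:00|"
    "dstIP=194.232.104.167|dstPort=80|dstService=|dstIF=port7.910|rule=|"
    "info=Normal Operation|srcNAT=80.120.132.156|dstNAT=194.232.154.127|"
    "duration=0|count=1|receivedBytes=0|sentBytes=0|receivedPackets=0|"
    "sentPackets=0|user=n600771|protocol=HTTP direct|application=Web browsing"
    "|target=steiermark.orf.at|content=|urlcat=Search Engines/Portals"
)

# Assumed, simplified subset of the grok pattern library (real IP/NUMBER are stricter).
GROK_LIB = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "NUMBER": r"-?\d+(?:\.\d+)?",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}

# Keys as they appear in the sample line: srcPort (not scrPort), with srcMAC between srcPort and dstIP.
ESCAPED = (r"srcIP=%{IP:srcip}\|srcPort=%{NUMBER:srcport}\|%{DATA}"
           r"\|dstIP=%{IP:dstip}\|dstPort=%{NUMBER:dstport}")
UNESCAPED = r"srcIP=%{IP:srcip}|srcPort=%{NUMBER:srcport}"

def grok_to_regex(pattern):
    """Expand %{NAME:field} into a named group; everything else, a bare '|' included, stays regex."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        return f"(?P<{field}>{GROK_LIB[name]})" if field else f"(?:{GROK_LIB[name]})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", repl, pattern)

def grok_extract(pattern, line):
    """Return the named fields of the first match, or None if nothing matched."""
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None

def kv_extract(line, marker="Detect: ", sep="|"):
    """Alternative for this format: split the key=value payload on the delimiter."""
    payload = line.split(marker, 1)[1] if marker in line else line
    fields = {}
    for part in payload.split(sep):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields
```

grok_extract(UNESCAPED, SAMPLE) fills only srcip because the bare '|' turned the pattern into an alternation, while grok_extract(ESCAPED, SAMPLE) returns all four fields; kv_extract(SAMPLE) yields every key in the line, empty values included.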