On Friday, 1 July 2016 10:30:54 UTC+2, kaiser wrote:
>
> Can you try:
>
> srcIP=%{IP:srcip}
>
> then
>
> scrPort=%{NUMBER:srcport}
>
> Is there any error on those patterns?
>
> If no errors are displayed can you try:
> %{GREEDYDATA:UNWANTED}srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}
>
>
>
> On Friday, 1 July 2016 09:19:53 UTC+2, Keamas M wrote:
>>
>> I also tried to escape it with \ and / and so on... but it does
>> not work.
>> I always get this message when I press Try:
>>
>> Attention
>> We were not able to run the grok extraction. Please check your parameters.
>>
>> See the screenshot in the attachment.
>>
>>
>>
>>
>>
>> On Thursday, 30 June 2016 09:23:11 UTC+2, kaiser wrote:
>>>
>>> '|' stands for a logical OR, so you have to escape it with '\|'.
>>>
>>>
>>> srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}\|dstIP=%{IP:
>>> dstip}\|dstPort=%{NUMBER:dstport}
>>>
>>> On Thursday, 30 June 2016 07:18:30 UTC+2, Keamas M wrote:
>>>>
>>>> Hey,
>>>>
>>>> I log my firewall logs into Graylog.
>>>>
>>>> The log File looks like this:
>>>>
>>>>
>>>> <14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info
>>>> C-WN02-FW Detect: type=FWD|proto=TCP|srcIF=port7.101|
>>>> srcIP=10.244.130.143|srcPort=52365|srcMAC=00:00:00:00:00:00|
>>>> dstIP=194.232.104.167|dstPort=80|dstService=|dstIF=port7.910|rule=|
>>>> info=Normal Operation|srcNAT=80.120.132.156|dstNAT=194.232.154.127|
>>>> duration=0|count=1|receivedBytes=0|sentBytes=0|receivedPackets=0|
>>>> sentPackets=0|user=n600771|protocol=HTTP direct|application=Web
>>>> browsing|target=steiermark.orf.at|content=|urlcat=Search Engines
>>>> /Portals
>>>>
>>>>
>>>> I tried to extract the fields with grok patterns. I tried it like this:
>>>>
>>>>
>>>>
>>>> srcIP=%{IP:srcip}|scrPort=%{NUMBER:srcport}|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}
>>>>
>>>> But it does not work; I can only extract the first field. How can I
>>>> create a pattern that lets me use all the fields?
>>>> Does anyone have an example for me of how I can use grok patterns to
>>>> extract this?
>>>>
>>>> Or is there any other extraction mechanism that is better to use to
>>>> extract this kind of data?
>>>>
>>>>
>>>>
>> <https://lh3.googleusercontent.com/-Ltf_0gQsscU/V3YZbc1LTpI/AAAAAAAAAP4/NKiARLA1CI82O_DEue824Hz1dMl9hGFSACLcB/s1600/graylog1.JPG>
>>
>
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/3f972908-2d12-4943-88cb-e6646bb1b940%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
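An added worked example (not part of the thread above, and not Graylog's own code) that reproduces what the thread is seeing and checks the proposed fix offline. Grok compiles `%{NAME:field}` into a named regex group and passes everything else through as a regular expression, so an unescaped `|` becomes alternation and only the first alternative ever captures anything, which is why the original pattern yields just `srcip`. Two further caveats that the thread never reaches: the patterns as posted write `scrPort` while the log says `srcPort`, and the log has a `srcMAC=` field between `srcPort` and `dstIP`, so even the escaped pattern needs a `srcMAC` term (or a wildcard) to match. The last function answers the final question in the original post: for a pipe-delimited `key=value` body, splitting on `|` and then on `=` is simpler than one long grok pattern and copes with empty values (`dstService=`) and values containing spaces. Assumptions: the `IP`, `NUMBER` and `MAC` regexes below are simplified stand-ins for grok's built-in definitions, and the sample line is reconstructed from the line-wrapped post.

```python
import re

# Constructed sample: the firewall line from the original post, rejoined onto one line.
SAMPLE = (
    "<14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info "
    "C-WN02-FW Detect: type=FWD|proto=TCP|srcIF=port7.101|"
    "srcIP=10.244.130.143|srcPort=52365|srcMAC=00:00:00:00:00:00|"
    "dstIP=194.232.104.167|dstPort=80|dstService=|dstIF=port7.910|rule=|"
    "info=Normal Operation|srcNAT=80.120.132.156|dstNAT=194.232.154.127|"
    "duration=0|count=1|receivedBytes=0|sentBytes=0|receivedPackets=0|"
    "sentPackets=0|user=n600771|protocol=HTTP direct|application=Web browsing|"
    "target=steiermark.orf.at|content=|urlcat=Search Engines/Portals"
)

# Assumption: simplified stand-ins for grok's built-in IP, NUMBER and MAC patterns.
GROK_PATTERNS = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "NUMBER": r"[0-9]+",
    "MAC": r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}",
}

# The pattern from the original post: '|' is unescaped, so it is regex alternation.
UNESCAPED_AS_POSTED = r"srcIP=%{IP:srcip}|scrPort=%{NUMBER:srcport}|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}"
# The escaped pattern from the reply, verbatim: still has 'scrPort' and skips 'srcMAC'.
ESCAPED_AS_POSTED = r"srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}\|dstIP=%{IP:dstip}\|dstPort=%{NUMBER:dstport}"
# Escaped, with the key name fixed and the intervening srcMAC field accounted for.
ESCAPED_WORKING = (
    r"srcIP=%{IP:srcip}\|srcPort=%{NUMBER:srcport}\|srcMAC=%{MAC:srcmac}"
    r"\|dstIP=%{IP:dstip}\|dstPort=%{NUMBER:dstport}"
)


def grok_to_regex(pattern: str) -> str:
    """Expand every %{NAME:field} into a named capture group and leave all other
    characters untouched, the way grok does. Anything that is regex syntax in the
    remainder (an unescaped '|', for instance) keeps its regex meaning."""
    def expand(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        return f"(?P<{field}>{GROK_PATTERNS[name]})"
    return re.sub(r"%\{(\w+):(\w+)\}", expand, pattern)


def grok_extract(pattern: str, line: str) -> dict:
    """Run the expanded pattern against one line and return only the groups that
    actually captured something; an empty dict means the pattern did not match."""
    m = re.search(grok_to_regex(pattern), line)
    if m is None:
        return {}
    return {k: v for k, v in m.groupdict().items() if v is not None}


def parse_kv(line: str, sep: str = "|") -> dict:
    """Alternative to a long grok pattern: locate the 'type=' that starts the
    pipe-delimited body, split on the separator, then split each item on the
    first '='. Empty values and values with spaces are preserved as-is."""
    _, found, body = line.partition("type=")
    if not found:
        return {}
    fields = {}
    for item in ("type=" + body).split(sep):
        key, eq, value = item.partition("=")
        if eq:  # ignore fragments that are not key=value
            fields[key.strip()] = value.strip()
    return fields


if __name__ == "__main__":
    print("unescaped :", grok_extract(UNESCAPED_AS_POSTED, SAMPLE))
    print("as posted :", grok_extract(ESCAPED_AS_POSTED, SAMPLE))
    print("working   :", grok_extract(ESCAPED_WORKING, SAMPLE))
    kv = parse_kv(SAMPLE)
    print("kv fields :", len(kv), "srcPort =", kv["srcPort"], "info =", repr(kv["info"]))
```

Running it shows the unescaped pattern capturing only `srcip`, the escaped pattern as posted matching nothing at all, and the corrected pattern capturing all five fields; `parse_kv` returns every one of the 26 fields, including the empty `dstService` and `content` values. In Graylog the equivalent of `parse_kv` is the key=value extractor (or a key=value pipeline function) configured with `|` as the field separator, which is usually the better choice for this log format than a grok pattern that has to name every field in order.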