<https://lh3.googleusercontent.com/-OK7-68fL8I8/V3ZD-tkj5cI/AAAAAAAAAQM/ofREJyly6SQ0TaH0rtIsn_drG5PqLoqfgCLcB/s1600/Graylog2.jpg>
Hi,
sorry, no success with this:
If I do the single statements, it works. If I do it with "/|", I only get the
second field, like "srcPort".
Also the %{GREEDYDATA:UNWANTED} did not match:
Check the screenshot.
Is there any other way, or should I try another extractor? If yes, which one?
Maybe regular expressions? Can you please tell me how it will look with
another one which I can try?
>
> On Friday, 1 July 2016 at 10:30:54 UTC+2, kaiser wrote:
>>
>> Can you try:
>>
>> srcIP=%{IP:srcip}
>>
>> then
>>
>> scrPort=%{NUMBER:srcport}
>>
>> Is there any error on those patterns?
>>
>> If no errors are displayed can you try:
>> %{GREEDYDATA:UNWANTED}srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}
>>
>> On Friday, 1 July 2016 at 09:19:53 UTC+2, Keamas M wrote:
>>>
>>> I also tried to escape it with the \ and / and so on... but it does
>>> not work.
>>> I always get this message when I press "Try":
>>>
>>> Attention
>>> We were not able to run the grok extraction. Please check your
>>> parameters.
>>>
>>> See the screenshot in the attachment.
>>>
>>> On Thursday, 30 June 2016 at 09:23:11 UTC+2, kaiser wrote:
>>>>
>>>> '|' stands for a logical OR, so you have to escape it as '\|'.
>>>>
>>>>
>>>> srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}\|dstIP=%{IP:dstip}\|dstPort=%{NUMBER:dstport}
>>>>
>>>> On Thursday, 30 June 2016 at 07:18:30 UTC+2, Keamas M wrote:
>>>>>
>>>>> Hey,
>>>>>
>>>>> I log my firewall logs into Graylog.
>>>>>
>>>>> The log file looks like this:
>>>>>
>>>>>
>>>>> <14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info
>>>>> C-WN02-FW Detect: type=FWD|proto=TCP|srcIF=port7.101|
>>>>> srcIP=10.244.130.143|srcPort=52365|srcMAC=00:00:00:00:00:00|
>>>>> dstIP=194.232.104.167|dstPort=80|dstService=|dstIF=port7.910|rule=|
>>>>> info=Normal Operation|srcNAT=80.120.132.156|dstNAT=194.232.154.127|
>>>>> duration=0|count=1|receivedBytes=0|sentBytes=0|receivedPackets=0|
>>>>> sentPackets=0|user=n600771|protocol=HTTP direct|application=Web
>>>>> browsing|target=steiermark.orf.at|content=|urlcat=Search Engines
>>>>> /Portals
>>>>>
>>>>>
>>>>> I tried to extract the fields with grok patterns, like this:
>>>>>
>>>>> srcIP=%{IP:srcip}|scrPort=%{NUMBER:srcport}|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}
>>>>>
>>>>> But it does not work; I can only extract the first field. How can I
>>>>> create the pattern so that I can use all fields?
>>>>> Does anyone have an example of how I can use grok patterns to extract
>>>>> this?
>>>>>
>>>>> Or is there any other extraction mechanism which is better to use to
>>>>> extract this kind of data?
>>>>>
>>> <https://lh3.googleusercontent.com/-Ltf_0gQsscU/V3YZbc1LTpI/AAAAAAAAAP4/NKiARLA1CI82O_DEue824Hz1dMl9hGFSACLcB/s1600/graylog1.JPG>
>>>
>>
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/739d5c61-32d4-4a5c-9b8c-129aa3e8762c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
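The following is an added example, not part of the thread above and not Graylog's own code. It is a small Python stand-in for what the grok extractor does (expand `%{NAME:field}` references into named regex groups, then search the message) so the behaviour kaiser describes can be seen directly: with a bare `|` the pattern is an alternation and only the first alternative that matches is returned, which is why only `srcip` comes out. Assumptions: the `IP`, `NUMBER` and `GREEDYDATA` definitions are simplified stand-ins for the grok library's real ones (the real `IP` also matches IPv6); the sample line is constructed from the firewall line in the thread with the syslog prefix dropped and the wrapped tail joined as `Search Engines/Portals`; the escaped pattern uses the field name as it appears in the log (`srcPort`, whereas the patterns posted in the thread say `scrPort`) and bridges the `srcMAC` field that sits between `srcPort` and `dstIP` with `%{GREEDYDATA:UNWANTED}`, since `\|dstIP=` cannot directly follow `srcPort` in that line. The last function shows the delimiter-based alternative that was asked about: split on `|` and then on the first `=`, which gets every field without a per-field pattern.

```python
import re

# Constructed sample: the firewall line from the thread with the syslog
# prefix removed (roughly what the extractor sees in the message field).
# The wrapped tail is joined as "Search Engines/Portals" (assumption).
SAMPLE = (
    "type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.143|srcPort=52365|"
    "srcMAC=00:00:00:00:00:00|dstIP=194.232.104.167|dstPort=80|dstService=|"
    "dstIF=port7.910|rule=|info=Normal Operation|srcNAT=80.120.132.156|"
    "dstNAT=194.232.154.127|duration=0|count=1|receivedBytes=0|sentBytes=0|"
    "receivedPackets=0|sentPackets=0|user=n600771|protocol=HTTP direct|"
    "application=Web browsing|target=steiermark.orf.at|content=|"
    "urlcat=Search Engines/Portals"
)

# Simplified stand-ins for the grok library's IP, NUMBER and GREEDYDATA
# definitions; enough for this log, but not the real (IPv6-aware) patterns.
GROK_PATTERNS = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "NUMBER": r"-?\d+(?:\.\d+)?",
    "GREEDYDATA": r".*",
}

_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME:field} references into named groups; everything else,
    including a literal '|' or an escaped '\\|', is passed through as regex."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return _GROK_REF.sub(expand, pattern)


def grok_extract(pattern: str, message: str) -> dict:
    """Search (not anchor) the message with the expanded pattern and return
    the named groups that actually matched."""
    m = re.search(grok_to_regex(pattern), message)
    if not m:
        return {}
    return {k: v for k, v in m.groupdict().items() if v is not None}


# 1. Unescaped: '|' is regex alternation, so this is four alternatives and
#    the leftmost match is the srcIP alternative; nothing else is captured.
UNESCAPED = (r"srcIP=%{IP:srcip}|srcPort=%{NUMBER:srcport}"
             r"|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}")

# 2. Escaped '\|', log field names (srcPort), and a GREEDYDATA bridge over
#    the srcMAC field that sits between srcPort and dstIP in the sample.
ESCAPED = (r"srcIP=%{IP:srcip}\|srcPort=%{NUMBER:srcport}\|"
           r"%{GREEDYDATA:UNWANTED}dstIP=%{IP:dstip}\|dstPort=%{NUMBER:dstport}")


def split_key_values(message: str, sep: str = "|", kv: str = "=") -> dict:
    """Delimiter-based alternative: split on '|' and then on the first '='.
    Keeps empty values (dstService=, rule=) and values that contain spaces."""
    fields = {}
    for chunk in message.split(sep):
        if kv in chunk:
            key, value = chunk.split(kv, 1)
            fields[key.strip()] = value
    return fields


if __name__ == "__main__":
    print("unescaped:", grok_extract(UNESCAPED, SAMPLE))
    print("escaped:  ", grok_extract(ESCAPED, SAMPLE))
    print("key=value:", split_key_values(SAMPLE))
```

Two things carry over to the real extractor: a grok pattern is searched, not anchored, so any literal text before the first field does not need `%{GREEDYDATA:UNWANTED}` at the front, and every field you skip in the middle does need to be consumed by something (a literal, or a GREEDYDATA bridge as above). For a line that is uniformly `key=value` separated by `|`, the split approach is simpler and does not break when the firewall adds or reorders fields.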