This looks good now:
I added some additional fields:
%{GREEDYDATA:UNWANTED}.*srcIP=%{IP:srcip}\|srcPort=%{NUMBER:srcport}\|srcMAC=%{COMMONMAC:srcmac}\|dstIP=%{IP:dstcip}
This is my output now:
BASE10NUM  52064
IPV4       10.244.134.247
dstcip     10.244.134.247
srcip      10.244.120.16
srcmac     44:1e:a1:44:f7:c8
srcport    52064
Is it also possible to remove the first entry?
I don't know why I get this:
BASE10NUM  52064
On Thursday, 30 June 2016 at 07:18:30 UTC+2, Keamas M wrote:
>
> Hey,
>
> I log my firewall logs into Graylog.
>
> The log File looks like this:
>
>
> <14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info C-WN02-FW
> Detect: type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.143|
> srcPort=52365|srcMAC=00:00:00:00:00:00|dstIP=194.232.104.167|dstPort=80|
> dstService=|dstIF=port7.910|rule=|info=Normal Operation|
> srcNAT=80.120.132.156|dstNAT=194.232.154.127|duration=0|count=1|
> receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user=n600771|
> protocol=HTTP direct|application=Web browsing|target=steiermark.orf.at|
> content=|urlcat=Search Engines/Portals
>
>
> I tried to extract the fields with grok patterns; I tried it like this:
>
>
>
> srcIP=%{IP:srcip}|scrPort=%{NUMBER:srcport}|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}
>
> But it does not work; I can only extract the first field. How can I create
> the pattern so that I can use all fields?
> Does anyone have an example for me of how I can use grok patterns to extract this?
>
> Or is there any other extraction mechanism which is better to use to
> extract this kind of data?
>
>
>
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/7ee5d263-1d42-4738-ac3d-210972de3db1%40googlegroups.com.
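The stray BASE10NUM and IPV4 fields in the output above come from how grok expands nested references: %{NUMBER} is defined as %{BASE10NUM} and %{IP} contains %{IPV4}, and a bare reference without a field name is still captured, under the pattern's own name. The example below is added here and is not code from the thread or from Graylog; it re-implements that expansion in Python with a simplified transcription of the stock pattern definitions (IPv6 and lookbehinds left out), so the extra keys appear in the result exactly as in the reply, and a named_only switch shows the fix (if your grok extractor offers a "named captures only" setting, that is the switch to look for). It also shows the key=value split the original post asked about as an alternative, which needs no pattern at all for this format. The pattern uses dstip where the reply wrote dstcip; the sample line is the one from the original post, joined into one line.

```python
import re

# Simplified subset of the stock grok pattern library, transcribed for this
# example; the real definitions are longer (IP also covers IPv6, BASE10NUM
# uses lookbehinds) but the nesting structure is the same.
GROK_PATTERNS = {
    "BASE10NUM": r"[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "NUMBER": r"%{BASE10NUM}",
    "IPV4": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "IP": r"%{IPV4}",
    "COMMONMAC": r"(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2}",
    "GREEDYDATA": r".*",
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


class Grok:
    """Expand %{PATTERN:field} references into one Python regex and match it.

    Every reference becomes a capture group, including the bare %{IPV4} and
    %{BASE10NUM} nested inside %{IP} and %{NUMBER}. With named_only=False
    those are reported under their pattern names, which is where fields
    such as IPV4 and BASE10NUM come from; named_only=True keeps only the
    fields the pattern author named.
    """

    def __init__(self, pattern, named_only=False):
        self.named_only = named_only
        self.groups = []                     # (regex group id, output key)
        self.regex = re.compile(self._expand(pattern))

    def _expand(self, pattern):
        def sub(m):
            name, field = m.group(1), m.group(2)
            body = self._expand(GROK_PATTERNS[name])   # nested %{...} first
            if field is None and self.named_only:
                return f"(?:{body})"
            gid = f"g{len(self.groups)}"   # Python needs unique group names
            self.groups.append((gid, field or name))
            return f"(?P<{gid}>{body})"
        return _REF.sub(sub, pattern)

    def match(self, line):
        m = self.regex.search(line)
        if m is None:
            return None
        out = {}
        for gid, key in self.groups:       # a later IPV4 overwrites an earlier one
            out[key] = m.group(gid)
        return out


def parse_kv(line, marker="Detect: ", sep="|", kv="="):
    """Alternative to grok for this format: split the text after `marker`
    on `sep` and each item on its first `kv`. Values may contain spaces
    ("HTTP direct") or slashes and may be empty (rule=), none of which
    need a pattern. A value containing `|` itself would be cut short, so
    this trusts the firewall not to emit the separator inside a value."""
    _, found, body = line.partition(marker)
    if not found:
        return {}
    fields = {}
    for item in body.split(sep):
        key, has_eq, value = item.partition(kv)
        if has_eq:
            fields[key] = value
    return fields


# The log line from the original post, joined into a single line.
SAMPLE = (
    "<14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info C-WN02-FW "
    "Detect: type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.143|"
    "srcPort=52365|srcMAC=00:00:00:00:00:00|dstIP=194.232.104.167|dstPort=80|"
    "dstService=|dstIF=port7.910|rule=|info=Normal Operation|"
    "srcNAT=80.120.132.156|dstNAT=194.232.154.127|duration=0|count=1|"
    "receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user=n600771|"
    "protocol=HTTP direct|application=Web browsing|target=steiermark.orf.at|"
    "content=|urlcat=Search Engines/Portals"
)

# The pattern from the reply, with dstip instead of dstcip.
PATTERN = (r"%{GREEDYDATA:UNWANTED}.*srcIP=%{IP:srcip}\|srcPort=%{NUMBER:srcport}"
           r"\|srcMAC=%{COMMONMAC:srcmac}\|dstIP=%{IP:dstip}")

if __name__ == "__main__":
    print("grok, all captures: ", Grok(PATTERN).match(SAMPLE))
    print("grok, named only:   ", Grok(PATTERN, named_only=True).match(SAMPLE))
    print("key=value split:    ", parse_kv(SAMPLE))
```

The key=value split yields every field of the message, including the ones a pattern would have to spell out one by one, and it is not affected by the leading %{GREEDYDATA}.* prefix, which makes the regex engine backtrack across the whole line before it finds srcIP=.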