NUMBER is based on the BASE10NUM variable,

so replace NUMBER with BASE10NUM.

The same goes for IP, which is based on IPV4 and IPV6.

If you have only IPv4 addresses, replace IP with IPV4.


On Friday, 1 July 2016 15:05:38 UTC+2, Keamas M wrote:
>
> This looks good now:
>
> I added some additional fields:
>
>
> %{GREEDYDATA:UNWANTED}.*srcIP=%{IP:srcip}\|srcPort=%{NUMBER:srcport}\|srcMAC=%{COMMONMAC:srcmac}\|dstIP=%{IP:dstcip}
>
> This is my output now:
>
> BASE10NUM52064IPV410.244.134.247dstcip10.244.134.247srcip10.244.120.16
> srcmac44:1e:a1:44:f7:c8srcport52064
> Is it also possible to remove the first entry?
> I don't know why I get this:
>
> BASE10NUM52064
>
>
> On Thursday, 30 June 2016 07:18:30 UTC+2, Keamas M wrote:
>>
>> Hey,
>>
>> I log my firewall logs into Graylog.
>>
>> The log File looks like this:
>>
>>
>> <14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info C-WN02-FW 
>> Detect: type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.143|
>> srcPort=52365|srcMAC=00:00:00:00:00:00|dstIP=194.232.104.167|dstPort=80|
>> dstService=|dstIF=port7.910|rule=|info=Normal Operation|
>> srcNAT=80.120.132.156|dstNAT=194.232.154.127|duration=0|count=1|
>> receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user=n600771|
>> protocol=HTTP direct|application=Web browsing|target=steiermark.orf.at|
>> content=|urlcat=Search Engines/Portals
>>
>>
>> I tried to extract the fields with grok patterns, I tried it like this:
>>
>>
>>
>> srcIP=%{IP:srcip}|scrPort=%{NUMBER:srcport}|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}
>>
>> But it does not work; I can only extract the first field. How can I create 
>> the pattern so that I can use all fields?
>> Has anyone an example for me of how I can use grok patterns to extract this?
>>
>> Or is there any other extraction mechanism which is better to use to 
>> extract this kind of data?
>>
>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/2e45ae1a-f647-4a94-ae40-14150664c69f%40googlegroups.com.

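The two problems in this thread, an unescaped `|` that turns the pattern into a regex alternation (so only the first branch matches), and composite patterns such as NUMBER and IP whose inner sub-patterns (BASE10NUM, IPV4) surface as extra fields, can be reproduced with a small grok-to-regex expander. The following Python is an added example, not code from the thread or from Graylog; the pattern definitions are a constructed, simplified subset of the standard grok library (the real BASE10NUM and IPV6 definitions are longer), and the sample log line is the one posted in the thread, joined into a single line.

```python
import re

# Constructed, simplified subset of the standard grok pattern library.
# NUMBER and IP are composites that reference other named patterns.
PATTERNS = {
    "BASE10NUM": r"[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "NUMBER": r"%{BASE10NUM}",
    "IPV4": r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
            r"(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}",
    "IPV6": r"(?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}",   # simplified
    "IP": r"(?:%{IPV6}|%{IPV4})",
    "COMMONMAC": r"(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2}",
    "GREEDYDATA": r".*",
}

# Matches %{NAME} or %{NAME:field}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

# Log line from the thread, joined into one line (the firewall wraps it).
SAMPLE_LINE = (
    "<14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info C-WN02-FW "
    "Detect: type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.143|"
    "srcPort=52365|srcMAC=00:00:00:00:00:00|dstIP=194.232.104.167|dstPort=80|"
    "dstService=|dstIF=port7.910|rule=|info=Normal Operation|"
)

# The original pattern: unescaped '|' is regex alternation, 'scrPort' is a typo.
UNESCAPED = r"srcIP=%{IP:srcip}|scrPort=%{NUMBER:srcport}|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}"
# The later pattern: '|' escaped, but NUMBER/IP still pull in BASE10NUM/IPV4.
ESCAPED = (r"%{GREEDYDATA:UNWANTED}.*srcIP=%{IP:srcip}\|srcPort=%{NUMBER:srcport}"
           r"\|srcMAC=%{COMMONMAC:srcmac}\|dstIP=%{IP:dstip}")
# The fix suggested in the reply: use the leaf patterns directly.
CLEAN = (r"srcIP=%{IPV4:srcip}\|srcPort=%{BASE10NUM:srcport}"
         r"\|srcMAC=%{COMMONMAC:srcmac}\|dstIP=%{IPV4:dstip}")


def compile_grok(pattern, patterns=PATTERNS):
    """Expand %{NAME} / %{NAME:field} references into a Python regex.

    Every reference becomes a named group, whether or not it carries a
    field name; that is why sub-patterns such as BASE10NUM and IPV4 show
    up as fields of their own. Returns (compiled_regex, group_labels).
    """
    labels = {}  # internal group name -> reported field/pattern name

    def expand(text):
        def repl(m):
            name, field = m.group(1), m.group(2)
            if name not in patterns:
                raise KeyError(f"unknown grok pattern {name}")
            gname = f"g{len(labels)}"
            labels[gname] = field or name
            # Recurse so nested references (NUMBER -> BASE10NUM) expand too.
            return f"(?P<{gname}>{expand(patterns[name])})"
        return GROK_REF.sub(repl, text)

    return re.compile(expand(pattern)), labels


def grok_match(pattern, line, patterns=PATTERNS):
    """Return captured fields for `line`, keyed by grok field or pattern name.

    Groups that did not participate (e.g. IPV6 when an IPv4 matched) are
    dropped; when the same name is captured twice, the last value wins.
    """
    regex, labels = compile_grok(pattern, patterns)
    m = regex.search(line)
    if not m:
        return None
    return {labels[g]: v for g, v in m.groupdict().items() if v is not None}


if __name__ == "__main__":
    for label, pat in (("unescaped", UNESCAPED), ("escaped", ESCAPED), ("clean", CLEAN)):
        print(label, grok_match(pat, SAMPLE_LINE))
```

Running it shows the unescaped pattern yielding only `srcip` (plus the stray `IPV4`), the escaped pattern yielding every field but with `BASE10NUM` and `IPV4` alongside them, and the leaf-pattern version yielding exactly the four named fields.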