Hi there

First I want to say how wonderful the "extractor" webpage is: it's so easy
to create AND TEST extractors...

...unfortunately the new pipelines (which I want to use as they are the
official future) don't have the same testing capacity. Can someone tell me
what's wrong with this rule: it should extract pairs of IPv4 addresses out
of any message. The pipeline shows all messages flowing through it, but
none "hit" this rule. Conversely, my existing extractor rule that does the
same thing (but with different field names) is triggering just fine - so
this rule must be broken - but I lack the background in whatever
Java-nightmare this is to debug it ;-)

rule "function ExtractIPv4Pairs"
when
    regex("[^0-9a-zA-Z]([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)[^0-9a-zA-Z].*[^0-9a-zA-Z]([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)[^0-9a-zA-Z]", to_string($message.message)).matches
then
    let pair = regex("[^0-9a-zA-Z]([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)[^0-9a-zA-Z].*[^0-9a-zA-Z]([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)[^0-9a-zA-Z]", to_string($message.message), ["src", "dst"]);
    set_field("pipeSrcIPv4", to_ip(pair.src));
    set_field("pipeDstIPv4", to_ip(pair.dst));
end

Thanks

PS: it would REALLY help if there were a bunch of sample rules that
demonstrated the fundamentals. The one example really doesn't demonstrate
enough.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
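Since the post is about not being able to test a pipeline rule's regex, here is an added example (not from the post and not Graylog code) that runs the rule's pattern in Python against constructed messages, beside a lookaround-based variant; it assumes only the Python standard library, and the delimiter and octet-range behaviour it exposes is the example's observation, not something the post states.

```python
import re
import ipaddress

# The rule's pattern as a Python raw string (the pipeline rule doubles the
# backslashes only because it sits inside a "..." string literal).
OCTETS = r"[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"
POSTED_PATTERN = re.compile(
    r"[^0-9a-zA-Z](" + OCTETS + r")[^0-9a-zA-Z].*[^0-9a-zA-Z](" + OCTETS + r")[^0-9a-zA-Z]"
)

# Same intent with lookarounds instead of consumed delimiter characters, so an
# address at the very start or end of the message still matches. Octet range
# is checked separately, since \d{1,3} alone accepts e.g. 300.1.1.1.
HARDENED_PATTERN = re.compile(r"(?<![0-9A-Za-z.])((?:\d{1,3}\.){3}\d{1,3})(?![0-9A-Za-z.])")


def extract_pair_posted(message):
    """Apply the rule's regex as written; returns (src, dst) or None."""
    m = POSTED_PATTERN.search(message)
    return (m.group(1), m.group(2)) if m else None


def extract_pair_hardened(message):
    """Return the first two syntactically valid IPv4 addresses, or None."""
    found = []
    for candidate in HARDENED_PATTERN.findall(message):
        try:
            found.append(str(ipaddress.IPv4Address(candidate)))
        except ValueError:
            continue  # looked like an address but an octet is out of range
        if len(found) == 2:
            return tuple(found)
    return None


# Constructed sample messages (not real log data).
SAMPLES = [
    "Accepted connection from 10.1.2.3 to 192.0.2.10 port 443",
    "10.1.2.3 -> 192.0.2.10 denied",            # address at start: no leading delimiter
    "flow 10.1.2.3:5555 300.1.1.1:80 drop",      # second candidate is not an address
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(repr(msg))
        print("  posted  :", extract_pair_posted(msg))
        print("  hardened:", extract_pair_hardened(msg))
```

The posted pattern consumes a non-alphanumeric character before each address, so a message that begins with the address never matches; the lookaround form matches it.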
