I have the following setup:

1 source
3 streams (iptables events, snort events, ssh events)
3 pipeline rules (iptables extraction, snort extraction, ssh extraction)
3 pipelines (iptables pipeline, snort pipeline, ssh pipeline)

I have the rules set so the streams do basic matching of events to 
segregate the events out. The streams are working as expected; attached to 
each stream is its relevant pipeline using the relevant rule. The problem 
is I'm running regex inside each one of those rules and the regex *always* 
fails to match for some reason and I can't figure out why...

This is going to extract fields using regex and then set them for later 
usage...

rule "Extract IPTables Lines"
when
  has_field("message")
then
  let m = regex(".+IPTABLES.+", to_string($message.message));
  set_field("regex_match", to_bool(m.matches));
  set_field("iptables_log", true);
end

You can see that iptables_log is true, so that means the pipeline ran, but 
for some reason regex_match is false. m.matches is supposed to be a 
boolean if the regex matches... but for some reason I have to specify 
to_bool anyway.

794b4791-637c-11e6-ab8c-16dff8cfb115
<http://192.168.5.8/messages/graylog_4/794b4791-637c-11e6-ab8c-16dff8cfb115>
Received by appliance-syslog-udp on 8b8e4765 / graylog
<http://192.168.5.8/system/nodes/8b8e4765-b9ee-4944-8561-7ccc103b6bb2>
Stored in index graylog_4
Routed into streams:
   - IPTables Events
   <http://192.168.5.8/streams/57acd2eed3a36d17821c8d79/search>

application_name: kernel
dst_port: 0
facility: kernel
from_syslog: true
full_message: <4>1 2016-08-16T01:41:34.348638-05:00 firewall kernel - - - [4094678.196992] IPTABLES ACCEPT: IN=bond0.1200 OUT=bond0.100 MAC=00:23:8b:a9:ee:e7:00:50:56:ab:51:ae:08:00 SRC=104.149.238.xxx DST=64.38.207.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48 DF PROTO=TCP SPT=53790 DPT=1935 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1
icmp_code: 0
icmp_type: 0
iptables_log: true
level: 4
message: [4094678.196992] IPTABLES ACCEPT: IN=bond0.1200 OUT=bond0.100 MAC=00:23:8b:a9:ee:e7:00:50:56:ab:51:ae:08:00 SRC=104.149.238.xxx DST=64.38.207.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48 DF PROTO=TCP SPT=53790 DPT=1935 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1
regex_match: false
source: firewall
src_port: 0
timestamp: 2016-08-16T06:41:34.348Z

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/56a7ea3b-103a-4eeb-8a3f-1c9146046bc9%40googlegroups.com.
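Added example, not from the post or from Graylog: a Python check that applies the rule's ".+IPTABLES.+" pattern to the sample line from the post under find-anywhere and whole-string semantics, plus a parser that pulls out the KEY=VALUE pairs the rule is meant to extract. Whether Graylog's regex() function requires a whole-string match is an assumption to verify against its documentation; the example only shows why that distinction changes the result.

```python
import re

# Constructed sample: the iptables kernel line quoted in the post, joined onto
# one line (the mail client wrapped it); SRC/DST octets are masked as in the post.
SAMPLE = ("[4094678.196992] IPTABLES ACCEPT: IN=bond0.1200 OUT=bond0.100 "
          "MAC=00:23:8b:a9:ee:e7:00:50:56:ab:51:ae:08:00 SRC=104.149.238.xxx "
          "DST=64.38.207.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48 DF PROTO=TCP "
          "SPT=53790 DPT=1935 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1")

RULE_PATTERN = re.compile(r".+IPTABLES.+")            # the pattern used in the rule
VERDICT_PATTERN = re.compile(r"IPTABLES (?P<verdict>[A-Z]+):")
KV_PATTERN = re.compile(r"(?P<key>[A-Z]+)=(?P<value>\S*)")


def rule_matches(message: str, whole_string: bool = False) -> bool:
    """Apply the rule's pattern with find-anywhere or whole-string semantics.

    whole_string=True mimics Java's Matcher.matches(), which only succeeds if
    the entire input matches. '.' never matches a newline, so a message that
    carries a trailing newline fails in that mode although it looks right.
    """
    if whole_string:
        return RULE_PATTERN.fullmatch(message) is not None
    return RULE_PATTERN.search(message) is not None


def extract_iptables_fields(message: str) -> dict:
    """Pull the verdict, the KEY=VALUE pairs and the bare flags (DF, SYN) out
    of an iptables log line. Values stay strings; typing them (to_long etc.)
    is left to the caller, as it would be in a pipeline rule."""
    fields = {}
    verdict = VERDICT_PATTERN.search(message)
    if verdict is None:
        return fields                      # not an iptables line at all
    fields["verdict"] = verdict.group("verdict")
    rest = message[verdict.end():]        # everything after "IPTABLES ACCEPT:"
    for m in KV_PATTERN.finditer(rest):
        fields[m.group("key").lower()] = m.group("value")
    for token in rest.split():            # flags are upper-case words without '='
        if token.isalpha() and token.isupper():
            fields[token.lower()] = True
    return fields


if __name__ == "__main__":
    print("find-anywhere:", rule_matches(SAMPLE))
    print("whole-string with trailing newline:", rule_matches(SAMPLE + "\n", True))
    print(extract_iptables_fields(SAMPLE))
```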