I have the following setup:

1 source
3 streams (iptables events, snort events, ssh events)
3 pipeline rules (iptables extraction, snort extraction, ssh extraction)
3 pipelines (iptables pipeline, snort pipeline, ssh pipeline)
I have the rules set so the streams do basic matching of events to segregate the events out. The streams are working as expected, and attached to each stream is its relevant pipeline using the relevant rule. The problem is I'm running regex inside each one of those rules and the regex *always* fails to match for some reason, and I can't figure out why... This is going to extract fields using regex and then set them for later usage...

```
rule "Extract IPTables Lines"
when
  has_field("message")
then
  // match the marker anywhere in the message text
  let m = regex(".+IPTABLES.+", to_string($message.message));
  // record whether the pattern matched, and that this rule ran at all
  set_field("regex_match", to_bool(m.matches));
  set_field("iptables_log", true);
end
```

You can see the iptables_log is true, so that means the pipeline ran, but for some reason the regex_match is false. m.matches is supposed to be a boolean if the regex matches... but for some reason I have to specify to_bool anyway.

794b4791-637c-11e6-ab8c-16dff8cfb115 <http://192.168.5.8/messages/graylog_4/794b4791-637c-11e6-ab8c-16dff8cfb115>
Received by *appliance-syslog-udp* on 8b8e4765 / graylog <http://192.168.5.8/system/nodes/8b8e4765-b9ee-4944-8561-7ccc103b6bb2>
Stored in index graylog_4
Routed into streams: IPTables Events <http://192.168.5.8/streams/57acd2eed3a36d17821c8d79/search>

application_name: kernel
dst_port: 0
facility: kernel
from_syslog: true
full_message: <4>1 2016-08-16T01:41:34.348638-05:00 firewall kernel - - - [4094678.196992] IPTABLES ACCEPT: IN=bond0.1200 OUT=bond0.100 MAC=00:23:8b:a9:ee:e7:00:50:56:ab:51:ae:08:00 SRC=104.149.238.xxx DST=64.38.207.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48 DF PROTO=TCP SPT=53790 DPT=1935 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1
icmp_code: 0
icmp_type: 0
iptables_log: true
level: 4
message: [4094678.196992] IPTABLES ACCEPT: IN=bond0.1200 OUT=bond0.100 MAC=00:23:8b:a9:ee:e7:00:50:56:ab:51:ae:08:00 SRC=104.149.238.xxx DST=64.38.207.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48 DF PROTO=TCP SPT=53790 DPT=1935 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1
regex_match: false
source: firewall
src_port: 0
timestamp: 2016-08-16T06:41:34.348Z
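Added example, not part of the original post or of Graylog's own code: a stand-alone Python script that checks the rule's pattern against the exact message text shown above (with the same redacted octets) and then does the field extraction the rule is ultimately meant to do. It tests the pattern under both substring (`re.search`) and whole-string (`re.fullmatch`) semantics, because a pattern like `.+IPTABLES.+` behaves differently under the two once the value carries a trailing newline; whether the pipeline engine applies one or the other is an assumption the script does not make, it simply reports both. The key/value and flag regexes are this example's own, written for the standard iptables LOG format, not taken from the post.

```python
import re

# Constructed sample: the "message" field from the post, octets redacted as there.
IPTABLES_MSG = (
    "[4094678.196992] IPTABLES ACCEPT: IN=bond0.1200 OUT=bond0.100 "
    "MAC=00:23:8b:a9:ee:e7:00:50:56:ab:51:ae:08:00 SRC=104.149.238.xxx DST=64.38.207.xx "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48 DF PROTO=TCP SPT=53790 DPT=1935 "
    "WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1"
)

# The pattern exactly as used in the posted rule.
MARKER_RE = re.compile(r".+IPTABLES.+")

# iptables LOG lines are space-separated KEY=VALUE tokens; bare flags (DF, SYN, ...)
# carry no '='. These two regexes are this example's own.
KV_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<value>\S*)")
ACTION_RE = re.compile(r"IPTABLES (?P<action>[A-Z]+):")
FLAG_RE = re.compile(r"(?<= )(DF|SYN|ACK|FIN|RST|PSH|URG)(?= |$)")


def marker_matches(message):
    """Return (substring_hit, whole_string_hit) for the rule's pattern.

    '.' does not match a newline, so a value with a trailing '\\n' still
    satisfies search() but never fullmatch(): a common reason a
    "must match" check silently reports false.
    """
    return (
        MARKER_RE.search(message) is not None,
        MARKER_RE.fullmatch(message) is not None,
    )


def extract_iptables_fields(message):
    """Turn one iptables LOG line into a dict of fields, or None if it is not one."""
    if "IPTABLES" not in message:
        return None
    fields = {}
    action = ACTION_RE.search(message)
    if action:
        fields["iptables_action"] = action.group("action")
    for kv in KV_RE.finditer(message):
        # keys lowercased so they read like the other Graylog fields (src_port, ...)
        fields[kv.group("key").lower()] = kv.group("value")
    # numeric fields become ints so later range/compare rules work on them
    for key in ("spt", "dpt", "len", "ttl", "id", "window"):
        if key in fields and fields[key].isdigit():
            fields[key] = int(fields[key])
    fields["tcp_flags"] = FLAG_RE.findall(message)
    return fields


if __name__ == "__main__":
    print("search/fullmatch on message:         ", marker_matches(IPTABLES_MSG))
    print("search/fullmatch with trailing '\\n': ", marker_matches(IPTABLES_MSG + "\n"))
    for k, v in sorted(extract_iptables_fields(IPTABLES_MSG).items()):
        print(f"{k}: {v}")
```

Running it prints `(True, True)` for the message as shown and `(True, False)` once a newline is appended, which is the first thing worth ruling out when a pattern "always" fails: dump the raw bytes of the field the rule is reading, not the rendered view. The extractor returns `None` for non-iptables lines (the snort and ssh streams), so it can gate the rest of the extraction the same way the posted rule intends.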