Hello James, There were quite a few changes on the pipelines for 2.1.0, so I was trying to reproduce this issue in 2.1.0-beta.3 but I couldn't. Could you please take a look and see if you still have the same problem in the latest beta? Here is the link if you want to take a look: https://www.graylog.org/blog/65-announcing-graylog-2-1-0-beta-3
Thank you,
Edmundo

> On 16 Aug 2016, at 08:44, [email protected] wrote:
>
> I have the following setup:
>
> 1 source
> 3 streams (iptables events, snort events, ssh events)
> 3 pipeline rules (iptables extraction, snort extraction, ssh extraction)
> 3 pipelines (iptables pipeline, snort pipeline, ssh pipeline)
>
> I have the rules set so the streams do basic matching of events to segregate
> the events out. The streams are working as expected, attached to each stream
> is its relevant pipeline using the relevant rule. The problem is I'm running
> regex inside each one of those rules and the regex *always* fails to match
> for some reason and I can't figure out why...
>
> This is going to extract fields using regex and then set them for later
> usage...
>
> rule "Extract IPTables Lines"
> when
>   has_field("message")
> then
>   let m = regex(".+IPTABLES.+", to_string($message.message));
>   set_field("regex_match", to_bool(m.matches));
>   set_field("iptables_log", true);
> end
>
> You can see the iptables_log is true so that means the pipeline ran, but for
> some reason the regex_match is false. m.matches is supposed to be a boolean
> if the regex matches... but for some reason I have to specify to_bool
> anyways.
>
> 794b4791-637c-11e6-ab8c-16dff8cfb115
>
> Received by: appliance-syslog-udp on 8b8e4765 / graylog
> Stored in index: graylog_4
> Routed into streams: IPTables Events
>
> application_name: kernel
> dst_port: 0
> facility: kernel
> from_syslog: true
> full_message: <4>1 2016-08-16T01:41:34.348638-05:00 firewall kernel - - - [4094678.196992] IPTABLES ACCEPT: IN=bond0.1200 OUT=bond0.100 MAC=00:23:8b:a9:ee:e7:00:50:56:ab:51:ae:08:00 SRC=104.149.238.xxx DST=64.38.207.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48 DF PROTO=TCP SPT=53790 DPT=1935 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1
> icmp_code: 0
> icmp_type: 0
> iptables_log: true
> level: 4
> message: [4094678.196992] IPTABLES ACCEPT: IN=bond0.1200 OUT=bond0.100 MAC=00:23:8b:a9:ee:e7:00:50:56:ab:51:ae:08:00 SRC=104.149.238.xxx DST=64.38.207.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48 DF PROTO=TCP SPT=53790 DPT=1935 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1
> regex_match: false
> source: firewall
> src_port: 0
> timestamp: 2016-08-16T06:41:34.348Z
>
> --
> You received this message because you are subscribed to the Google Groups
> "Graylog Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/graylog2/56a7ea3b-103a-4eeb-8a3f-1c9146046bc9%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
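As an added illustration (not code from this thread or from Graylog itself), the Python below checks the two things the quoted rule depends on: whether `.+IPTABLES.+` matches the posted message under whole-string versus substring semantics, and a hypothetical field-extraction pattern for the same iptables line. It assumes the pipeline's regex matcher requires the whole input to match (Java's `Matcher.matches()` behaviour); under that assumption a single trailing newline in `message` is enough to turn `matches` false even though the text plainly contains IPTABLES.

```python
import re

# Sample line taken from the message fields quoted in the thread above
# (the trailing address octets are masked "xxx"/"xx" exactly as posted).
MESSAGE = ("[4094678.196992] IPTABLES ACCEPT: IN=bond0.1200 OUT=bond0.100 "
           "MAC=00:23:8b:a9:ee:e7:00:50:56:ab:51:ae:08:00 SRC=104.149.238.xxx "
           "DST=64.38.207.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48 DF PROTO=TCP "
           "SPT=53790 DPT=1935 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1")

# Pattern exactly as used in the quoted pipeline rule.
RULE_PATTERN = r".+IPTABLES.+"

# Hypothetical extraction pattern (my own, not from the thread): pulls the
# fields a defender usually wants from a netfilter log line.
FIELD_PATTERN = re.compile(
    r"IPTABLES (?P<action>\w+): IN=(?P<in>\S*) OUT=(?P<out>\S*)"
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def match_semantics(pattern, text):
    """Report whether `pattern` matches `text` under whole-string (fullmatch)
    and substring (search) semantics. An engine that insists on the whole
    input matching, as Java's Matcher.matches() does, behaves like fullmatch,
    and "." does not match a newline by default in either engine."""
    return {
        "fullmatch": re.fullmatch(pattern, text) is not None,
        "search": re.search(pattern, text) is not None,
    }


def extract_iptables_fields(text):
    """Return the named fields from an iptables log line, or None if the
    line is not an iptables event (e.g. an sshd or snort line)."""
    m = FIELD_PATTERN.search(text)
    if m is None:
        return None
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    for k in ("spt", "dpt"):          # ports as integers for later comparisons
        if k in fields:
            fields[k] = int(fields[k])
    return fields


if __name__ == "__main__":
    print(match_semantics(RULE_PATTERN, MESSAGE))
    # Same line with a trailing newline, as a syslog input may deliver it:
    print(match_semantics(RULE_PATTERN, MESSAGE + "\n"))
    print(extract_iptables_fields(MESSAGE))
```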
