I'll give that a shot and post back with results.

On Tuesday, August 16, 2016 at 3:54:28 AM UTC-5, Edmundo Alvarez wrote:
>
> Hello James, 
>
> There were quite a few changes on the pipelines for 2.1.0, so I was trying 
> to reproduce this issue in 2.1.0-beta.3 but I couldn't. Could you please 
> take a look and see if you still have the same problem in the latest beta? 
> Here is the link if you want to take a look: 
> https://www.graylog.org/blog/65-announcing-graylog-2-1-0-beta-3 
>
> Thank you, 
> Edmundo 
>
> > On 16 Aug 2016, at 08:44, [email protected] wrote: 
> > 
> > I have the following setup: 
> > 
> > 1 source 
> > 3 streams (iptables events, snort events, ssh events) 
> > 3 pipeline rules (iptables extraction, snort extraction, ssh extraction) 
> > 3 pipelines (iptables pipeline, snort pipeline, ssh pipeline) 
> > 
> > I have the rules set so the streams do basic matching of events to 
> segregate the events out. The streams are working as expected; attached to 
> each stream is its relevant pipeline using the relevant rule. The problem 
> is I'm running regex inside each one of those rules and the regex *always* 
> fails to match for some reason and I can't figure out why... 
> > 
> > This is going to extract fields using regex and then set them for later 
> usage... 
> > 
> > rule "Extract IPTables Lines" 
> > when 
> >   has_field("message") 
> > then 
> >   let m = regex(".+IPTABLES.+", to_string($message.message)); 
> >   set_field("regex_match", to_bool(m.matches)); 
> >   set_field("iptables_log", true); 
> > end 
> > 
> > You can see the iptables_log is true so that means the pipeline ran, but 
> for some reason the regex_match is false. m.matches is supposed to be a 
> boolean if the regex matches... but for some reason I have to specify 
> to_bool anyways. 
> > 
> > 794b4791-637c-11e6-ab8c-16dff8cfb115 
> > 
> > Received by: appliance-syslog-udp on 8b8e4765 / graylog 
> > Stored in index: graylog_4 
> > Routed into streams: IPTables Events 
> > 
> > application_name: kernel 
> > dst_port: 0 
> > facility: kernel 
> > from_syslog: true 
> > full_message: <4>1 2016-08-16T01:41:34.348638-05:00 firewall kernel - - - [4094678.196992] IPTABLES ACCEPT: IN=bond0.1200 OUT=bond0.100 MAC=00:23:8b:a9:ee:e7:00:50:56:ab:51:ae:08:00 SRC=104.149.238.xxx DST=64.38.207.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48 DF PROTO=TCP SPT=53790 DPT=1935 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1 
> > icmp_code: 0 
> > icmp_type: 0 
> > iptables_log: true 
> > level: 4 
> > message: [4094678.196992] IPTABLES ACCEPT: IN=bond0.1200 OUT=bond0.100 MAC=00:23:8b:a9:ee:e7:00:50:56:ab:51:ae:08:00 SRC=104.149.238.xxx DST=64.38.207.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48 DF PROTO=TCP SPT=53790 DPT=1935 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1 
> > regex_match: false 
> > source: firewall 
> > src_port: 0 
> > timestamp: 2016-08-16T06:41:34.348Z 
> > 
> > -- 
> > You received this message because you are subscribed to the Google 
> Groups "Graylog Users" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> an email to [email protected]. 
> > To view this discussion on the web visit 
> https://groups.google.com/d/msgid/graylog2/56a7ea3b-103a-4eeb-8a3f-1c9146046bc9%40googlegroups.com.
>  
>
> > For more options, visit https://groups.google.com/d/optout. 
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/2f0b81cd-7e63-483f-9e61-210e3468ada5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
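The rule quoted in the thread is meant to confirm that the message is an IPTABLES line and then extract fields from it for later use. As an added example (not code from the post, and not Graylog's own implementation), the following Python emulates the rule's regex check and adds a parser for the KEY=value fields of these kernel log lines. It runs against the message field shown in the post plus a second constructed DROP line; the `emulate_rule` and `parse_iptables` functions and the lowercase field names are this example's own choices. Python's `re` module is used, so the code verifies the pattern against the text itself and does not exercise Graylog's `regex()` function or its Java engine.

```python
"""Python emulation of the posted pipeline rule plus a field extractor for
iptables kernel log lines. Added example; not Graylog code."""
import re

# Constructed sample: the "message" field shown in the post (addresses masked there).
SAMPLE_MESSAGE = (
    "[4094678.196992] IPTABLES ACCEPT: IN=bond0.1200 OUT=bond0.100 "
    "MAC=00:23:8b:a9:ee:e7:00:50:56:ab:51:ae:08:00 SRC=104.149.238.xxx "
    "DST=64.38.207.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48 DF PROTO=TCP "
    "SPT=53790 DPT=1935 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1"
)

# Constructed second line (not from the post): a DROP with no OUT interface and
# a UDP payload, where LEN appears twice (IP header length, then UDP length).
SAMPLE_DROP = (
    "[4094700.000001] IPTABLES DROP: IN=bond0.1200 OUT= "
    "MAC=00:23:8b:a9:ee:e7:00:50:56:ab:51:ae:08:00 SRC=192.0.2.10 "
    "DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=0 DF PROTO=UDP "
    "SPT=5353 DPT=53 LEN=32"
)

# The pattern used in the posted rule.
RULE_PATTERN = re.compile(r".+IPTABLES.+")


def rule_pattern_matches(message):
    """Check the rule's pattern with both partial (search) and whole-string
    (fullmatch) semantics. This runs Python's re, not Graylog's Java engine,
    so it only tells you whether the pattern itself fits the text."""
    return (
        RULE_PATTERN.search(message) is not None,
        RULE_PATTERN.fullmatch(message) is not None,
    )


def emulate_rule(msg):
    """Python counterpart of the posted rule (hypothetical helper): when the
    event has a 'message' field, set regex_match from the pattern and mark
    the event as an iptables log."""
    if "message" not in msg:
        return msg
    out = dict(msg)
    out["regex_match"] = RULE_PATTERN.search(str(msg["message"])) is not None
    out["iptables_log"] = True
    return out


# Header: optional "[uptime]" kernel prefix, the IPTABLES tag, then the verdict.
HEADER = re.compile(
    r"^(?:\[(?P<uptime>\d+\.\d+)\]\s+)?IPTABLES\s+(?P<verdict>[A-Z]+):\s*(?P<rest>.*)$"
)
# KEY=value tokens; a bare KEY (DF, SYN, ACK, ...) is a flag.
TOKEN = re.compile(r"(?P<key>[A-Z]+)(?:=(?P<value>\S*))?")
INT_FIELDS = {"LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "URGP", "TYPE", "CODE"}


def parse_iptables(message):
    """Extract the fields the rule was meant to set, as lowercase keys.
    Returns None when the line is not an IPTABLES log line."""
    head = HEADER.match(message)
    if head is None:
        return None
    fields = {"verdict": head.group("verdict")}
    if head.group("uptime") is not None:
        fields["uptime"] = float(head.group("uptime"))
    flags = []
    for tok in TOKEN.finditer(head.group("rest")):
        key, value = tok.group("key"), tok.group("value")
        if value is None:                # bare flag such as DF or SYN
            flags.append(key)
            continue
        name = key.lower()
        if name in fields:               # keep the first LEN (IP header), skip the UDP one
            continue
        if key in INT_FIELDS and value.isdigit():
            fields[name] = int(value)
        else:
            fields[name] = value         # "" for an empty OUT= keeps the key present
    fields["flags"] = flags
    return fields


if __name__ == "__main__":
    print(rule_pattern_matches(SAMPLE_MESSAGE))
    print(emulate_rule({"message": SAMPLE_MESSAGE, "source": "firewall"}))
    print(parse_iptables(SAMPLE_MESSAGE))
    print(parse_iptables(SAMPLE_DROP))
```

The parser keeps the first LEN it sees and records bare tokens such as DF and SYN as flags, which is what a detection query on verdict, protocol and destination port usually needs from these lines; an empty OUT= is kept as an empty string so that a missing egress interface stays distinguishable from a field that was never present.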