I'll give that a shot and post back with results.

On Tuesday, August 16, 2016 at 3:54:28 AM UTC-5, Edmundo Alvarez wrote:
>
> Hello James, 
>
> There were quite a few changes on the pipelines for 2.1.0, so I was trying 
> to reproduce this issue in 2.1.0-beta.3 but I couldn't. Could you please 
> take a look and see if you still have the same problem in the latest beta? 
> Here is the link if you want to take a look: 
> https://www.graylog.org/blog/65-announcing-graylog-2-1-0-beta-3 
>
> Thank you, 
> Edmundo 
>
> > On 16 Aug 2016, at 08:44, james.de...@gmail.com wrote: 
> > 
> > I have the following setup: 
> > 
> > 1 source 
> > 3 streams (iptables events, snort events, ssh events) 
> > 3 pipeline rules (iptables extraction, snort extraction, ssh extraction) 
> > 3 pipelines (iptables pipeline, snort pipeline, ssh pipeline) 
> > 
> > I have the rules set so the streams do basic matching of events to 
> segregate the events out. The streams are working as expected; attached to 
> each stream is its relevant pipeline using the relevant rule. The problem 
> is I'm running regex inside each one of those rules and the regex *always* 
> fails to match for some reason, and I can't figure out why... 
> > 
> > This is going to extract fields using regex and then set them for later 
> usage... 
> > 
> > rule "Extract IPTables Lines" 
> > when 
> >   has_field("message") 
> > then 
> >   let m = regex(".+IPTABLES.+", to_string($message.message)); 
> >   set_field("regex_match", to_bool(m.matches)); 
> >   set_field("iptables_log", true); 
> > end 
> > 
> > You can see the iptables_log is true so that means the pipeline ran, but 
> for some reason the regex_match is false. m.matches is supposed to be a 
> boolean if the regex matches... but for some reason I have to specify 
> to_bool anyways. 
> > 
> > 794b4791-637c-11e6-ab8c-16dff8cfb115 
> > 
> > Received by: appliance-syslog-udp on 8b8e4765 / graylog 
> > Stored in index: graylog_4 
> > Routed into streams: 
> >                 • IPTables Events 
> > 
> > application_name: kernel 
> > dst_port: 0 
> > facility: kernel 
> > from_syslog: true 
> > full_message: <4>1 2016-08-16T01:41:34.348638-05:00 firewall kernel - - - [4094678.196992] IPTABLES ACCEPT: IN=bond0.1200 OUT=bond0.100 MAC=00:23:8b:a9:ee:e7:00:50:56:ab:51:ae:08:00 SRC=104.149.238.xxx DST=64.38.207.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48 DF PROTO=TCP SPT=53790 DPT=1935 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1 
> > icmp_code: 0 
> > icmp_type: 0 
> > iptables_log: true 
> > level: 4 
> > message: [4094678.196992] IPTABLES ACCEPT: IN=bond0.1200 OUT=bond0.100 MAC=00:23:8b:a9:ee:e7:00:50:56:ab:51:ae:08:00 SRC=104.149.238.xxx DST=64.38.207.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48 DF PROTO=TCP SPT=53790 DPT=1935 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1 
> > regex_match: false 
> > source: firewall 
> > src_port: 0 
> > timestamp: 2016-08-16T06:41:34.348Z 
> > 
> > -- 
> > You received this message because you are subscribed to the Google 
> Groups "Graylog Users" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> an email to graylog2+u...@googlegroups.com. 
> > To view this discussion on the web visit 
> https://groups.google.com/d/msgid/graylog2/56a7ea3b-103a-4eeb-8a3f-1c9146046bc9%40googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout. 
>
>

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/2f0b81cd-7e63-483f-9e61-210e3468ada5%40googlegroups.com.
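The rule in the quoted post only tests whether `.+IPTABLES.+` matches and never extracts anything from the kernel line. The following is an added example, not code from the thread or from the Graylog project: it parses an iptables kernel log line of the shape quoted above into the fields a pipeline rule would `set_field()`, and it also shows why a pattern written as `.+IPTABLES.+` is fragile. Python's `re.fullmatch` and `re.search` stand in here for anchored versus unanchored matching in general (the distinction Java draws between `Matcher.matches()` and `Matcher.find()`); nothing below is a claim about which of the two Graylog's `regex()` function uses. The sample line is constructed from the message in the post, with the same masked addresses; the field names `iptables_action`, `iptables_flags` and the `iptables_` prefix are this example's own choice.

```python
import re

# Constructed sample, modelled on the "message" field quoted in the thread
# (addresses masked exactly as in the original post).
SAMPLE_MESSAGE = (
    "[4094678.196992] IPTABLES ACCEPT: IN=bond0.1200 OUT=bond0.100 "
    "MAC=00:23:8b:a9:ee:e7:00:50:56:ab:51:ae:08:00 SRC=104.149.238.xxx "
    "DST=64.38.207.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48 DF PROTO=TCP "
    "SPT=53790 DPT=1935 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1"
)

# Header of an iptables LOG line as written by the rule's --log-prefix,
# e.g. "IPTABLES ACCEPT:" or "IPTABLES DROP:". Unanchored on purpose.
IPTABLES_RE = re.compile(r"IPTABLES (?P<action>[A-Z]+):")

# KEY=VALUE tokens that follow the header (IN=, SRC=, DPT=, ...).
KV_RE = re.compile(r"\b(?P<key>[A-Z]+)=(?P<value>\S+)")


def is_iptables_line(message: str) -> bool:
    """True when the line carries the iptables log prefix anywhere in it."""
    return IPTABLES_RE.search(message) is not None


def extract_iptables_fields(message: str) -> dict:
    """Return the fields a pipeline rule would set for a matching line.

    KEY=VALUE tokens become iptables_<key> (lower-cased). Bare tokens after
    the header such as DF or SYN carry no '=' and are collected as flags.
    A non-matching line yields an empty dict so the caller can skip it.
    """
    header = IPTABLES_RE.search(message)
    if header is None:
        return {}
    fields = {"iptables_action": header.group("action")}
    for kv in KV_RE.finditer(message):
        fields["iptables_" + kv.group("key").lower()] = kv.group("value")
    rest = message[header.end():]
    fields["iptables_flags"] = [tok for tok in rest.split() if "=" not in tok]
    return fields


def pattern_semantics(pattern: str, message: str) -> dict:
    """Compare anchored (whole-string) and search (substring) matching.

    Engines that anchor the pattern to the whole input need the '.+'
    padding; engines that search do not. Neither mode lets '.' match a
    newline, so a trailing newline silently breaks '.+IPTABLES.+' under
    anchored matching while a plain search for 'IPTABLES' still succeeds.
    """
    return {
        "fullmatch": re.fullmatch(pattern, message) is not None,
        "search": re.search(pattern, message) is not None,
    }


if __name__ == "__main__":
    for k, v in sorted(extract_iptables_fields(SAMPLE_MESSAGE).items()):
        print(f"{k}: {v}")
    for pat in (".+IPTABLES.+", "IPTABLES"):
        print(pat, pattern_semantics(pat, SAMPLE_MESSAGE),
              pattern_semantics(pat, SAMPLE_MESSAGE + "\n"))
```

The practical takeaway for a rule like the one in the post: match on the distinctive token (`IPTABLES`) rather than padding it with `.+`, so the result does not depend on whether the engine anchors, on stray whitespace, or on a trailing newline in the stored message; and once a line is known to match, extract the `KEY=VALUE` pairs individually instead of setting a single boolean.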