Hi Jochen, for example this msg:
"date=2016-12-07 time=17:43:01 logid=0262034961 type=utm* subtype=virus*
eventtype=scanerror level=notice vd="root" *msg="File* reached uncompressed
size limit." action=monitored service=HTTP sessionid=3723464* srcip=1.1.1.1
dstip=2.2.2.2* srcport=17633 dstport=80 srcintf="port1" dstintf="port2"
proto=6 direction=incoming filename="2017-calendar-template.zip"
quarskip=No-skip
url="http://downloadscdn3.freepik.com/d/911040/1107/1/212/2017-calendar-template.zip?ttl=1481143658&token=24b45d89f0dbd3e92d1fe274ff03cb87"
profile="default" user="" agent="Mozilla/5.0"
analyticscksum="f08144093ffdea250ba225babade9e25e5e9f399dd93bdc21fa9b5fd49efc050"
analyticssubmit=false crscore=50 crlevel=critical"
I put all matches in bold letters.
Regex:
(srcip=)|(dstip=)|(subtype=virus)|(attack=[^\s]+)|(msg=[^\s]+)|(\d{*.}\d)|\b(?:\d{1,3}\.){3}\d{1,3}
I use this online software: http://regexr.com/
Thanks.
On Thursday, December 8, 2016 at 7:25:44 AM UTC-3, Jochen Schalanda wrote:
>
> Hi Martin,
>
> which message should be matched by this regular expression and what should
> be the result in your opinion?
>
> It looks a bit strange to me.
>
> Cheers,
> Jochen
>
> On Wednesday, 7 December 2016 22:33:42 UTC+1, Martin Germano wrote:
>>
>>
>> Hi all, I'm a newbie on Graylog:
>>
>> I'm trying to get this regex to work:
>>
>>
>>> (srcip=)|(dstip=)|(subtype=virus)|(attack=[^\s]+)|(msg=[^\s]+)|(\d{*.}\d)|\b(?:\d{1,3}\.){3}\d{1,3}
>>>
>>
>> I get this error:
>>
>> *Could not try regular expression. Make sure that it is valid.*
>>
>> *Details: Error: cannot POST http://10.10.10.10:13900/tools/regex_tester (500)*
>>
>> But when I test it on this online tool, it works fine.
>>
>> https://regex101.com/ (JavaScript)
>>
>> Any ideas?!
>> Thanks.
>>
>>
>>
>>
>>
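An added example, not part of the original thread and not Graylog's code: it shows that the `{*.}` in the posted pattern compiles only under JavaScript's lenient legacy grammar and is rejected in strict (`u`) mode, then parses a shortened copy of the sample message with a strictly valid key=value tokenizer. That stricter pattern syntax is what makes the Graylog tester return the 500 is an assumption the thread does not confirm; `compileError`, `parseKv`, `postedMsgMatch` and `PAIR` are hypothetical names.

```javascript
// Pattern exactly as posted in the thread.
const POSTED = String.raw`(srcip=)|(dstip=)|(subtype=virus)|(attack=[^\s]+)|(msg=[^\s]+)|(\d{*.}\d)|\b(?:\d{1,3}\.){3}\d{1,3}`;

// Return null if the pattern compiles with the given flags, else the error text.
function compileError(source, flags) {
  try {
    new RegExp(source, flags);
    return null;
  } catch (e) {
    return e.message;
  }
}

// Strictly valid key=value tokenizer: a value is either a double-quoted
// string (which may contain spaces) or a run of non-space characters.
const PAIR = /(\w+)=(?:"([^"]*)"|(\S+))/g;

function parseKv(line) {
  const fields = {};
  for (const m of line.matchAll(PAIR)) {
    fields[m[1]] = m[2] !== undefined ? m[2] : m[3];
  }
  return fields;
}

// What the posted msg= branch captures: it stops at the first space,
// so a quoted value is cut off after its first word.
function postedMsgMatch(line) {
  const m = /msg=[^\s]+/.exec(line);
  return m ? m[0] : null;
}

// Constructed sample: shortened from the message in the thread,
// with the bold markers (*) removed.
const SAMPLE = 'date=2016-12-07 time=17:43:01 type=utm subtype=virus ' +
  'eventtype=scanerror msg="File reached uncompressed size limit." ' +
  'action=monitored srcip=1.1.1.1 dstip=2.2.2.2 srcport=17633 dstport=80 user=""';

console.log('legacy mode :', compileError(POSTED, '') ?? 'compiles');
console.log('strict mode :', compileError(POSTED, 'u'));
console.log('posted msg= :', postedMsgMatch(SAMPLE));
const f = parseKv(SAMPLE);
console.log('parsed      :', f.subtype, f.srcip, f.dstip, JSON.stringify(f.msg));
```
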