I may be wrong, but that looks like a fortinet/fortigate log. Have you tried looking at the fortigate stuff available in the marketplace for some examples?
https://marketplace.graylog.org/addons/a91344aa-fced-4d1a-928d-f3ded6e5a2f8
https://marketplace.graylog.org/addons/d41d3728-4722-4de6-b697-71efa579c4e2

I create extractors that will run on the input where the expected logs will flow in.

What I do to match the src ip is this:
srcip="?([0-9.]+)

What I do to match the dst ip is this:
dstip="?([0-9.]+)

Regards,
Brandon

On Thursday, December 8, 2016 at 1:06:59 PM UTC-6, Martin Germano wrote:
>
> Maybe, ok I'll try it. Later I will post the expression if I get it.
>
> Thanks.
>
> On Thursday, December 8, 2016 at 1:58:27 PM UTC-3, Jochen Schalanda wrote:
>>
>> Hi Martin,
>>
>> your regular expression has to work with Java's regular expression engine.
>>
>> You can use http://www.regexplanet.com/advanced/java/index.html to
>> fiddle around with the regular expression and your message.
>>
>> Cheers,
>> Jochen
>>
>> On Thursday, 8 December 2016 17:36:24 UTC+1, Martin Germano wrote:
>>>
>>> Hi Jochen, for example this msg:
>>>
>>> "date=2016-12-07 time=17:43:01 logid=0262034961 type=utm* subtype=virus*
>>> eventtype=scanerror level=notice vd="root" *msg="File* reached
>>> uncompressed size limit." action=monitored service=HTTP sessionid=3723464*
>>> srcip=1.1.1.1 dstip=2.2.2.2* srcport=17633 dstport=80 srcintf="port1"
>>> dstintf="port2" proto=6 direction=incoming
>>> filename="2017-calendar-template.zip" quarskip=No-skip url="
>>> http://downloadscdn3.freepik.com/d/911040/1107/1/212/2017-calendar-template.zip?ttl=1481143658&token=24b45d89f0dbd3e92d1fe274ff03cb87"
>>> profile="default" user="" agent="Mozilla/5.0"
>>> analyticscksum="f08144093ffdea250ba225babade9e25e5e9f399dd93bdc21fa9b5fd49efc050"
>>> analyticssubmit=false crscore=50 crlevel=critical"
>>>
>>> I put in bold letters all matches.
>>>
>>> Regex:
>>> (srcip=)|(dstip=)|(subtype=virus)|(attack=[^\s]+)|(msg=[^\s]+)|(\d{*.}\d)|\b(?:\d{1,3}\.){3}\d{1,3}
>>>
>>> I use this online software: http://regexr.com/
>>>
>>> Thanks.
>>>
>>> On Thursday, December 8, 2016 at 7:25:44 AM UTC-3, Jochen Schalanda wrote:
>>>>
>>>> Hi Martin,
>>>>
>>>> which message should be matched by this regular expression and what
>>>> should be the result in your opinion?
>>>>
>>>> It looks a bit strange to me.
>>>>
>>>> Cheers,
>>>> Jochen
>>>>
>>>> On Wednesday, 7 December 2016 22:33:42 UTC+1, Martin Germano wrote:
>>>>>
>>>>> Hi all, I'm a newbie on Graylog:
>>>>>
>>>>> I'm trying to get this regex to work:
>>>>>
>>>>>> (srcip=)|(dstip=)|(subtype=virus)|(attack=[^\s]+)|(msg=[^\s]+)|(\d{*.}\d)|\b(?:\d{1,3}\.){3}\d{1,3}
>>>>>
>>>>> I get this error:
>>>>>
>>>>> *Could not try regular expression. Make sure that it is valid.*
>>>>>
>>>>> *Details: Error: cannot POST
>>>>> http://10.10.10.10:13900/tools/regex_tester (500)*
>>>>>
>>>>> But when I test it on this online tool, it works fine.
>>>>>
>>>>> https://regex101.com/ (javascript)
>>>>>
>>>>> Any ideas?!
>>>>> Thanks.
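Worked example added to this thread (not code from the thread, from Graylog or from the FortiGate add-ons): a small Python parser for the key=value log format Martin pasted, using Brandon's srcip/dstip patterns as-is and a general pattern that keeps quoted values with spaces intact, which is where msg=[^\s]+ stops short ("File" only). Python's re is used here for illustration; Graylog extractors run on Java's engine, but these particular patterns use nothing Java-specific. The sample line is the one from the thread with the e-mail bold markers removed.

```python
import re

# Sample FortiGate UTM log line (constructed from the message quoted in this
# thread, with the "*" bold markers stripped; a few long fields omitted).
SAMPLE = (
    'date=2016-12-07 time=17:43:01 logid=0262034961 type=utm subtype=virus '
    'eventtype=scanerror level=notice vd="root" msg="File reached '
    'uncompressed size limit." action=monitored service=HTTP sessionid=3723464 '
    'srcip=1.1.1.1 dstip=2.2.2.2 srcport=17633 dstport=80 srcintf="port1" '
    'dstintf="port2" proto=6 direction=incoming '
    'filename="2017-calendar-template.zip" quarskip=No-skip '
    'url="http://downloadscdn3.freepik.com/d/911040/1107/1/212/'
    '2017-calendar-template.zip?ttl=1481143658&token=24b45d89f0dbd3e92d1fe274ff03cb87" '
    'profile="default" user="" agent="Mozilla/5.0" '
    'analyticssubmit=false crscore=50 crlevel=critical'
)

# Brandon's single-field extractor patterns: an optional quote, then the IP.
SRCIP_RE = re.compile(r'srcip="?([0-9.]+)')
DSTIP_RE = re.compile(r'dstip="?([0-9.]+)')

# General tokenizer: key, then either a double-quoted value (may contain
# spaces, '=' and '&', e.g. msg="..." or url="...?ttl=...&token=...") or a
# bare value that runs up to the next whitespace.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def extract_ips(line: str):
    """Return (srcip, dstip) found by the two single-field patterns, or None."""
    src = SRCIP_RE.search(line)
    dst = DSTIP_RE.search(line)
    return (src.group(1) if src else None, dst.group(1) if dst else None)


def parse_fortigate(line: str) -> dict:
    """Parse every key=value pair into a dict; quoted values keep their spaces."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        # group 2 is None when the bare alternative matched (user="" gives "")
        fields[key] = quoted if quoted is not None else bare
    return fields


def is_critical_virus_event(fields: dict) -> bool:
    """Triage helper: UTM virus subtype with crlevel=critical."""
    return fields.get('subtype') == 'virus' and fields.get('crlevel') == 'critical'
```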
