And you are right, it is a Fortigate log.

On Friday, December 9, 2016 at 2:31:43 PM UTC-3, Martin Germano wrote:
>
>
>
>   Hi BKeep, I already tested the marketplace extractors. But I have this 
> issue:
> I want to graph more than two values: for example dstip=* and srcip=* and 
> subtype=virus action=*  
>
> I can't find a regular expression.
>
> Is it possible?
> Thanks for your help
>
> On Thursday, December 8, 2016 at 4:45:37 PM UTC-3, BKeep wrote:
>>
>> I may be wrong, but that looks like a fortinet/fortigate log. Have you 
>> tried looking at the fortigate stuff available in the marketplace for some 
>> examples?
>>
>>
>> https://marketplace.graylog.org/addons/a91344aa-fced-4d1a-928d-f3ded6e5a2f8
>>
>> https://marketplace.graylog.org/addons/d41d3728-4722-4de6-b697-71efa579c4e2 
>>
>> I create extractors that will run on the input where the expected logs 
>> will flow in.
>> What I do to match the src ip is this
>> srcip="?([0-9.]+)
>>
>> What I do to match the dst ip is this
>> dstip="?([0-9.]+)
>>
>> Regards,
>> Brandon
>>
>> On Thursday, December 8, 2016 at 1:06:59 PM UTC-6, Martin Germano wrote:
>>>
>>>
>>>   Maybe, ok, I'll try it. Later I will post the expression if I get it.
>>>
>>> Thanks.
>>>
>>> On Thursday, December 8, 2016 at 1:58:27 PM UTC-3, Jochen Schalanda 
>>> wrote:
>>>>
>>>> Hi Martin,
>>>>
>>>> your regular expression has to work with Java's regular expression 
>>>> engine.
>>>>
>>>> You can use http://www.regexplanet.com/advanced/java/index.html to 
>>>> fiddle around with the regular expression and your message.
>>>>
>>>> Cheers,
>>>> Jochen
>>>>
>>>> On Thursday, 8 December 2016 17:36:24 UTC+1, Martin Germano wrote:
>>>>>
>>>>>
>>>>>   Hi Jochen, for example this msg:
>>>>>
>>>>> "date=2016-12-07 time=17:43:01 logid=0262034961 type=utm* 
>>>>> subtype=virus* eventtype=scanerror level=notice vd="root" *msg="File* 
>>>>> reached uncompressed size limit." action=monitored service=HTTP 
>>>>> sessionid=3723464* srcip=1.1.1.1 dstip=2.2.2.2* srcport=17633 
>>>>> dstport=80 srcintf="port1" dstintf="port2" proto=6 direction=incoming 
>>>>> filename="2017-calendar-template.zip" quarskip=No-skip url="
>>>>> http://downloadscdn3.freepik.com/d/911040/1107/1/212/2017-calendar-template.zip?ttl=1481143658&token=24b45d89f0dbd3e92d1fe274ff03cb87";
>>>>>  
>>>>> profile="default" user="" agent="Mozilla/5.0" 
>>>>> analyticscksum="f08144093ffdea250ba225babade9e25e5e9f399dd93bdc21fa9b5fd49efc050"
>>>>>  
>>>>> analyticssubmit=false crscore=50 crlevel=critical"
>>>>>
>>>>> I put all matches in bold letters.
>>>>>
>>>>> Regex: 
>>>>> (srcip=)|(dstip=)|(subtype=virus)|(attack=[^\s]+)|(msg=[^\s]+)|(\d{*.}\d)|\b(?:\d{1,3}\.){3}\d{1,3}
>>>>>
>>>>> I use this online tool: http://regexr.com/
>>>>>
>>>>>
>>>>>
>>>>> Thanks.
>>>>>   
>>>>>
>>>>>
>>>>> On Thursday, December 8, 2016 at 7:25:44 AM UTC-3, Jochen Schalanda 
>>>>> wrote:
>>>>>>
>>>>>> Hi Martin,
>>>>>>
>>>>>> which message should be matched by this regular expression and what 
>>>>>> should be the result in your opinion?
>>>>>>
>>>>>> It looks a bit strange to me.
>>>>>>
>>>>>> Cheers,
>>>>>> Jochen
>>>>>>
>>>>>> On Wednesday, 7 December 2016 22:33:42 UTC+1, Martin Germano wrote:
>>>>>>>
>>>>>>>
>>>>>>>   Hi all, I'm a newbie on Graylog:
>>>>>>>
>>>>>>>   I'm trying to get this regex to work:
>>>>>>>
>>>>>>>
>>>>>>>> (srcip=)|(dstip=)|(subtype=virus)|(attack=[^\s]+)|(msg=[^\s]+)|(\d{*.}\d)|\b(?:\d{1,3}\.){3}\d{1,3}
>>>>>>>>
>>>>>>>   
>>>>>>>   I get this error:
>>>>>>>   
>>>>>>> *Could not try regular expression. Make sure that it is valid.*
>>>>>>>
>>>>>>> *Details: Error: cannot POST 
>>>>>>> http://10.10.10.10:13900/tools/regex_tester (500)*
>>>>>>>
>>>>>>>   But when I test this on this online tool, it works fine.
>>>>>>>
>>>>>>>   https://regex101.com/  (JavaScript)
>>>>>>>
>>>>>>>   Any ideas?!
>>>>>>>   Thanks.
>>>>>>>   
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/fbf3bd56-265e-4b91-8914-c56318468d4d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
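Added example, not part of the thread above and not Graylog's own code: the thread asks for srcip, dstip, subtype=virus and action out of one FortiGate line, and Brandon's answer is one extractor per field. The block below shows both approaches on the quoted log line (rejoined on one line with the e-mail bold markers removed; a second non-virus line is constructed here so the subtype filter has something to reject): a key=value parser whose regex uses only syntax that java.util.regex, Graylog's engine, also accepts, and an emulation of a Graylog regex extractor, which takes capture group 1 of the first match (the reason an alternation like `(srcip=)|(dstip=)|...` with no group around the value gives nothing to graph). Graylog also ships a Key=Value extractor type that does this kind of parsing without a regex. The names `parse_kv`, `extract_first_group`, `virus_events` and `ACTION_RE` are this example's own.

```python
import re

# Constructed sample input: the FortiGate UTM line quoted in the thread, on one
# line with the bold markers removed, plus a made-up non-virus line.
SAMPLE_LINES = [
    'date=2016-12-07 time=17:43:01 logid=0262034961 type=utm subtype=virus '
    'eventtype=scanerror level=notice vd="root" '
    'msg="File reached uncompressed size limit." action=monitored service=HTTP '
    'sessionid=3723464 srcip=1.1.1.1 dstip=2.2.2.2 srcport=17633 dstport=80 '
    'srcintf="port1" dstintf="port2" proto=6 direction=incoming '
    'filename="2017-calendar-template.zip" quarskip=No-skip '
    'url="http://downloadscdn3.freepik.com/d/911040/1107/1/212/'
    '2017-calendar-template.zip?ttl=1481143658&token=24b45d89f0dbd3e92d1fe274ff03cb87" '
    'profile="default" user="" agent="Mozilla/5.0" '
    'analyticscksum="f08144093ffdea250ba225babade9e25e5e9f399dd93bdc21fa9b5fd49efc050" '
    'analyticssubmit=false crscore=50 crlevel=critical',
    # constructed here, not taken from the thread
    'date=2016-12-07 time=17:44:10 logid=0316013056 type=utm subtype=webfilter '
    'level=warning vd="root" action=blocked srcip=10.0.0.5 dstip=3.3.3.3 '
    'service=HTTP msg="URL belongs to a denied category in policy"',
]

# One key=value pair: either a double-quoted value (may contain spaces, '=' and
# '&', as the url= and msg= fields do) or a run of non-space characters.
# Only constructs that java.util.regex accepts as well: no JS-only syntax.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_kv(line):
    """Return every key=value pair of a FortiGate log line as a dict.

    Quoted values are consumed whole, so the 'ttl=' inside url="..." does not
    become a field of its own.
    """
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def extract_first_group(pattern, line):
    """Emulate a Graylog regex extractor: capture group 1 of the first match,
    or None when nothing matches (the extractor then sets no field at all)."""
    m = re.search(pattern, line)
    return m.group(1) if m else None


# Brandon's per-field patterns from the thread, one extractor each. The
# optional quote lets the same pattern serve srcip=1.1.1.1 and srcip="1.1.1.1".
SRCIP_RE = r'srcip="?([0-9.]+)'
DSTIP_RE = r'dstip="?([0-9.]+)'
# Same idea for action=, added here; quoted or bare value.
ACTION_RE = r'action=("[^"]*"|\S+)'


def virus_events(lines):
    """Rows for a (srcip, dstip, action) chart restricted to subtype=virus."""
    rows = []
    for line in lines:
        f = parse_kv(line)
        if f.get("subtype") != "virus":
            continue
        rows.append((f["srcip"], f["dstip"], f["action"]))
    return rows


if __name__ == "__main__":
    for src, dst, act in virus_events(SAMPLE_LINES):
        print(f"virus  src={src}  dst={dst}  action={act}")
```

In Graylog terms, `parse_kv` is what the Key=Value extractor does for you, and `extract_first_group` with `SRCIP_RE`, `DSTIP_RE` and `ACTION_RE` is three separate regex extractors on the same input; either way the resulting fields are what a dashboard widget can then chart, with `subtype:virus` as the search filter.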
