I'll read about implementing pipelines.

Thanks for help!

On Friday, December 9, 2016 at 4:41:04 PM UTC-3, BKeep wrote:
>
> Not that I know of. You may be able to accomplish something using pipeline 
> processors as they mature a bit more.
>
> Regards,
> Brandon
>
> On Friday, December 9, 2016 at 1:34:52 PM UTC-6, Martin Germano wrote:
>>
>>
>>   BKeep, I understand. So, to make it simple: is it possible to combine two 
>> (or more) extractors?
>>
>> Thanks. 
>>
>> On Friday, December 9, 2016 at 4:13:07 PM UTC-3, BKeep wrote:
>>>
>>> While regex does allow capturing from multiple groups, I don't think 
>>> graylog allows doing multiple group captures, at-least that's what I think 
>>> you are asking for. If you look under the regex field when building an 
>>> extractor there is a note "The regular expression used for extraction. 
>>> *First matcher* group is used."
>>>
>>> I'm guessing here so correct me if I am wrong. Are you wanting to 
>>> visualize the connections from ip1 =>ip2? so you are looking to extract ip1 
>>> and ip2 and put the results into a field? Something like connections: 
>>> 10.10.01.10 => 210.10.10.01? if so I don't think it is possible with using 
>>> a standard regex only.
>>>
>>> This may be helpful down the road.
>>> http://www.rexegg.com/regex-quickstart.html 
>>>
>>> On Friday, December 9, 2016 at 11:31:43 AM UTC-6, Martin Germano wrote:
>>>>
>>>>
>>>>
>>>>   Hi BKeep, I already tested the marketplace extractors. But I have 
>>>> this issue:
>>>> I want to graph more than two values, for example dstip=* and srcip=* 
>>>> and subtype=virus action=*  
>>>>
>>>> I can't find a regular expression.
>>>>
>>>> Is it possible?
>>>> Thanks for your help
>>>>
>>>> On Thursday, December 8, 2016 at 4:45:37 PM UTC-3, BKeep wrote:
>>>>>
>>>>> I may be wrong, but that looks like a fortinet/fortigate log. Have you 
>>>>> tried looking at the fortigate stuff available in the marketplace for 
>>>>> some 
>>>>> examples?
>>>>>
>>>>>
>>>>> https://marketplace.graylog.org/addons/a91344aa-fced-4d1a-928d-f3ded6e5a2f8
>>>>>
>>>>> https://marketplace.graylog.org/addons/d41d3728-4722-4de6-b697-71efa579c4e2
>>>>>
>>>>> I create extractors that will run on the input where the expected logs 
>>>>> will flow in.
>>>>> What I do to match the src ip is this
>>>>> srcip="?([0-9.]+)
>>>>>
>>>>> What I do to match the dst ip is this
>>>>> dstip="?([0-9.]+)
>>>>>
>>>>> Regards,
>>>>> Brandon
>>>>>
>>>>> On Thursday, December 8, 2016 at 1:06:59 PM UTC-6, Martin Germano 
>>>>> wrote:
>>>>>>
>>>>>>
>>>>>>   Maybe, OK, I'll try it. Later I will post the expression if I get it.
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> On Thursday, December 8, 2016 at 1:58:27 PM UTC-3, Jochen Schalanda 
>>>>>> wrote:
>>>>>>>
>>>>>>> Hi Martin,
>>>>>>>
>>>>>>> your regular expression has to work with Java's regular expression 
>>>>>>> engine.
>>>>>>>
>>>>>>> You can use http://www.regexplanet.com/advanced/java/index.html to 
>>>>>>> fiddle around with the regular expression and your message.
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Jochen
>>>>>>>
>>>>>>> On Thursday, 8 December 2016 17:36:24 UTC+1, Martin Germano wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>   Hi Jochen, for example this msg:
>>>>>>>>
>>>>>>>> "date=2016-12-07 time=17:43:01 logid=0262034961 type=utm* 
>>>>>>>> subtype=virus* eventtype=scanerror level=notice vd="root" 
>>>>>>>> *msg="File* reached uncompressed size limit." action=monitored 
>>>>>>>> service=HTTP sessionid=3723464* srcip=1.1.1.1 dstip=2.2.2.2* 
>>>>>>>> srcport=17633 dstport=80 srcintf="port1" dstintf="port2" proto=6 
>>>>>>>> direction=incoming filename="2017-calendar-template.zip" 
>>>>>>>> quarskip=No-skip 
>>>>>>>> url="
>>>>>>>> http://downloadscdn3.freepik.com/d/911040/1107/1/212/2017-calendar-template.zip?ttl=1481143658&token=24b45d89f0dbd3e92d1fe274ff03cb87";
>>>>>>>>  
>>>>>>>> profile="default" user="" agent="Mozilla/5.0" 
>>>>>>>> analyticscksum="f08144093ffdea250ba225babade9e25e5e9f399dd93bdc21fa9b5fd49efc050"
>>>>>>>>  
>>>>>>>> analyticssubmit=false crscore=50 crlevel=critical"
>>>>>>>>
>>>>>>>> I put all matches in bold letters.
>>>>>>>>
>>>>>>>> Regex: 
>>>>>>>> (srcip=)|(dstip=)|(subtype=virus)|(attack=[^\s]+)|(msg=[^\s]+)|(\d{*.}\d)|\b(?:\d{1,3}\.){3}\d{1,3}
>>>>>>>>
>>>>>>>> I use this online software: http://regexr.com/
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>>   
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thursday, December 8, 2016 at 7:25:44 AM UTC-3, Jochen Schalanda 
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> Hi Martin,
>>>>>>>>>
>>>>>>>>> which message should be matched by this regular expression and 
>>>>>>>>> what should be the result in your opinion?
>>>>>>>>>
>>>>>>>>> It looks a bit strange to me.
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>> Jochen
>>>>>>>>>
>>>>>>>>> On Wednesday, 7 December 2016 22:33:42 UTC+1, Martin Germano wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>   Hi all, I'm a newbie on Graylog:
>>>>>>>>>>
>>>>>>>>>>   I'm trying to get this regex to work:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> (srcip=)|(dstip=)|(subtype=virus)|(attack=[^\s]+)|(msg=[^\s]+)|(\d{*.}\d)|\b(?:\d{1,3}\.){3}\d{1,3}
>>>>>>>>>>>
>>>>>>>>>>   
>>>>>>>>>>   I get this error:
>>>>>>>>>>   
>>>>>>>>>> *Could not try regular expression. Make sure that it is valid.*
>>>>>>>>>>
>>>>>>>>>> *Details: Error: cannot POST 
>>>>>>>>>> http://10.10.10.10:13900/tools/regex_tester (500)*
>>>>>>>>>>
>>>>>>>>>>   But when I test this on this online tool, it works fine.
>>>>>>>>>>
>>>>>>>>>>   https://regex101.com/  (JavaScript)
>>>>>>>>>>
>>>>>>>>>>   Any ideas?!
>>>>>>>>>>   Thanks.
>>>>>>>>>>   
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
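The thread above turns on two points: Graylog's extractor UI only uses the *first matcher group* of a regex, and the regex must compile under Java's `java.util.regex.Pattern`, where a `{` that does not begin a valid `{n}` / `{n,m}` quantifier (as in `\d{*.}\d`) is a syntax error ("Illegal repetition"), which is consistent with the regex tester answering with a 500 while JavaScript testers accept the pattern. The following is an added example, not code from the thread or from Graylog; it uses Python's `re` module (which, unlike Java, tolerates that `{`) to model the first-group rule on the FortiGate message Martin quoted. The message is reconstructed from the thread with the bold markers removed and the download URL replaced by a placeholder, and the `subtype` / `action` extractors, the key=value parser and the `connection_pair` helper are assumptions added here; only the `srcip` / `dstip` patterns are Brandon's.

```python
import re

# Constructed sample: the FortiGate-style message quoted in the thread, with the
# '*' bold markers removed and the long download URL replaced by a placeholder.
SAMPLE_LOG = (
    'date=2016-12-07 time=17:43:01 logid=0262034961 type=utm subtype=virus '
    'eventtype=scanerror level=notice vd="root" '
    'msg="File reached uncompressed size limit." action=monitored service=HTTP '
    'sessionid=3723464 srcip=1.1.1.1 dstip=2.2.2.2 srcport=17633 dstport=80 '
    'srcintf="port1" dstintf="port2" proto=6 direction=incoming '
    'filename="2017-calendar-template.zip" quarskip=No-skip '
    'url="http://example.invalid/2017-calendar-template.zip" profile="default" '
    'user="" agent="Mozilla/5.0" analyticssubmit=false crscore=50 crlevel=critical'
)

# The alternation Martin posted, verbatim. Java rejects the "{*.}" part;
# Python's re treats that "{" as a literal, so the pattern compiles here.
COMBINED_REGEX = (
    r'(srcip=)|(dstip=)|(subtype=virus)|(attack=[^\s]+)|(msg=[^\s]+)'
    r'|(\d{*.}\d)|\b(?:\d{1,3}\.){3}\d{1,3}'
)

# One extractor per field, each with exactly one capture group. srcip/dstip are
# the patterns Brandon posted; subtype/action are assumed additions in the same style.
FIELD_EXTRACTORS = {
    "srcip": r'srcip="?([0-9.]+)',
    "dstip": r'dstip="?([0-9.]+)',
    "subtype": r'subtype=(\w+)',
    "action": r'action=(\w+)',
}


def first_matcher_group(pattern, message):
    """Model the rule quoted from the extractor UI: only the first matcher group
    is used. Returns None when there is no match, the pattern has no group, or
    group 1 did not participate in the match (as with a later alternation branch)."""
    m = re.search(pattern, message)
    if m is None or not m.groups():
        return None
    return m.group(1)


def run_extractors(extractors, message):
    """Apply each single-group extractor and collect field name -> value."""
    return {name: first_matcher_group(pat, message) for name, pat in extractors.items()}


# Generic key=value token: a bare word value, or a double-quoted value that may
# contain spaces or be empty (user="").
KV_TOKEN = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_key_values(message):
    """Split the whole message into fields in one pass. This is the kind of
    whole-message key=value split a pipeline rule or key-value extractor does,
    as opposed to one regex per field."""
    fields = {}
    for m in KV_TOKEN.finditer(message):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def connection_pair(fields):
    """Build the 'ip1 => ip2' value Brandon guessed Martin wants to visualize."""
    return f"{fields['srcip']} => {fields['dstip']}"


if __name__ == "__main__":
    # The combined alternation matches "subtype=virus" first (group 3), so the
    # first matcher group is empty and the extractor would yield nothing.
    print("combined regex, first group:", first_matcher_group(COMBINED_REGEX, SAMPLE_LOG))
    print("per-field extractors:", run_extractors(FIELD_EXTRACTORS, SAMPLE_LOG))
    parsed = parse_key_values(SAMPLE_LOG)
    print("key=value parse, msg:", parsed["msg"])
    print("connection:", connection_pair(parsed))
```

Running it shows why the single combined regex cannot populate several fields: its first match in this message is the `subtype=virus` branch, so group 1 is empty and the extractor has nothing to store, whereas one single-group extractor per field (or a whole-message key=value split, which also copes with quoted values containing spaces such as `msg="File reached uncompressed size limit."`) returns every value directly.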

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/d9416982-a36e-48ea-b67e-8a603253a530%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
