[graylog2] regex search in file path

2016-06-30 Thread Karlis Melderis
Hi guys,
I have a funny search issue.
My field has the string /some/path/Login/file.txt
I can get results if I search like this: log_path:/.?*(ogin).?*/
but not like this: log_path:/.?*(Login).?*/

Karlis

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/057afbbc-f4d2-40cd-ba53-39b51e1fb332%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[graylog2] Server currently unavailable (different from issue below)

2016-06-30 Thread Chauncey Neyman
Hello!

So I've looked through past forums and haven't found a working solution to 
my current issue. I'm trying to develop a Graylog plugin, so I began by 
installing Graylog following the steps for Docker 
(http://docs.graylog.org/en/2.0/pages/installation/docker.html, because 
VirtualBox wouldn't work for me) and then following the steps to set up a 
web development environment 
(http://docs.graylog.org/en/2.0/pages/plugins.html#how-to-start-development). 
The server running on localhost:9000 is working perfectly, so I'm fairly 
certain localhost:12900 is functional. However, when I try running the web 
development environment (at localhost:8080) I get the following error 
message before the login page: 
 Server currently unavailable

We are experiencing problems connecting to the Graylog server running on 
*http://localhost:12900/*. Please verify that the server is healthy and 
working correctly.

You will be automatically redirected to the previous page once we can 
connect to the server.

Do you need a hand? We can help you.

This is the last response we received from the server:
Error message: Bad request
Original Request: GET http://localhost:12900/system/sessions
Status code: undefined
Full error message: Error: Request has been terminated Possible causes: 
the network is offline, Origin is not allowed by 
Access-Control-Allow-Origin, the page is being unloaded, etc.

I'd greatly appreciate any help with this issue! 



[graylog2] Geolocation not working

2016-06-30 Thread George Nussbaum
Hello,

I just set up geolocation in graylog.  I read through the documentation and 
set up everything as stated.  I even ran the test using nc -w0 
  <<< '8.8.8.8' and that worked fine.  However, it's not 
picking up my IP's and setting latitude and longitude for them.  I have 
field types of c-ip, s-ip and X-Forwarded-For set up so I'm confused as to 
why it's not working.

Any ideas?



[graylog2] Graylog alerts - X-Forwarded-For showing as 'null'

2016-06-30 Thread George Nussbaum
Hello,

I have set up alerting on one of my streams.  The alerts come through fine. 
 However, the detailed info within the alert is showing my X-Forwarded-For 
as a null value.  The values show up in a search, so I'm confused as to why 
it's doing this.

Any ideas?



[graylog2] Re: Graylog 2.0 compilation error : Cannot run program "git

2016-06-30 Thread Jochen Schalanda
Hi Anant,

you have to make sure that the git binary is on your %PATH% environment 
(see http://blog.countableset.ch/2012/06/07/adding-git-to-windows-7-path/) 
and executable.

Please take note that we cannot give extensive support for setting up your 
development environment. You're basically on your own there.

Cheers,
Jochen

On Thursday, 30 June 2016 16:43:28 UTC+2, Anant Sawant wrote:
>
>
> Hi,
>
> I am compiling the Graylog 2.0 on windows 7 using eclipse. I am facing 
> the  issue related to "Git" as follows
>
> Failed to execute goal 
> org.codehaus.mojo:buildnumber-maven-plugin:1.4:create (default) on project 
> graylog2-server: Cannot get the revision information from the scm 
> repository :
> [ERROR] Exception while executing SCM command. Error while executing 
> command. Error while executing process. Cannot run program "git" (in 
> directory "D:\Anant\Graylog 2.0 GA\Graylog 2.0 GA Source 
> code\graylog2-server-2.0\graylog2-server"): CreateProcess error=2, The 
> system cannot find the file specified
>
> After facing this issue for the first time I installed Git 2.9.0 on my 
> machine but still I am getting the same error. I have also added the 
> following to the system variable "C:\Program Files\Git\cmd;C:\Program 
> Files\Git\bin".
>
>
> The full track trace is as follows.
>

[graylog2] Graylog 2.0 compilation error : Cannot run program "git

2016-06-30 Thread Anant Sawant

Hi,

I am compiling the Graylog 2.0 on windows 7 using eclipse. I am facing the  
issue related to "Git" as follows

Failed to execute goal 
org.codehaus.mojo:buildnumber-maven-plugin:1.4:create (default) on project 
graylog2-server: Cannot get the revision information from the scm 
repository :
[ERROR] Exception while executing SCM command. Error while executing 
command. Error while executing process. Cannot run program "git" (in 
directory "D:\Anant\Graylog 2.0 GA\Graylog 2.0 GA Source 
code\graylog2-server-2.0\graylog2-server"): CreateProcess error=2, The 
system cannot find the file specified

After facing this issue for the first time I installed Git 2.9.0 on my 
machine but still I am getting the same error. I have also added the 
following to the system variable "C:\Program Files\Git\cmd;C:\Program 
Files\Git\bin".


The full track trace is as follows.

[INFO] Scanning for projects...
[INFO] 

[INFO] Reactor Build Order:
[INFO] 
[INFO] Graylog
[INFO] graylog2-server
[INFO] integration-tests
[INFO] 
[INFO] Using the builder 
org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder
 
with a thread count of 1
[INFO] 

[INFO] 

[INFO] Building Graylog 2.0.1-SNAPSHOT
[INFO] 

[INFO] 
[INFO] --- maven-clean-plugin:3.0.0:clean (default-clean) @ graylog2-parent 
---
[INFO] 
[INFO] --- maven-enforcer-plugin:1.2:enforce (enforce-maven) @ 
graylog2-parent ---
[INFO] 
[INFO] --- build-helper-maven-plugin:1.10:parse-version (parse-version) @ 
graylog2-parent ---
[INFO] 
[INFO] >>> maven-source-plugin:3.0.0:jar (attach-sources) @ graylog2-parent 
>>>
[INFO] 
[INFO] --- maven-enforcer-plugin:1.2:enforce (enforce-maven) @ 
graylog2-parent ---
[INFO] 
[INFO] <<< maven-source-plugin:3.0.0:jar (attach-sources) @ graylog2-parent 
<<<
[INFO] 
[INFO] --- maven-source-plugin:3.0.0:jar (attach-sources) @ graylog2-parent 
---
[INFO] 
[INFO] --- maven-javadoc-plugin:2.10.3:jar (attach-javadocs) @ 
graylog2-parent ---
[INFO] Not executing Javadoc as the project is not a Java classpath-capable 
package
[INFO] 
[INFO] --- maven-install-plugin:2.5.2:install (default-install) @ 
graylog2-parent ---
[INFO] Installing D:\Anant\Graylog 2.0 GA\Graylog 2.0 GA Source 
code\graylog2-server-2.0\pom.xml to 
C:\Users\anants\.m2\repository\org\graylog2\graylog2-parent\2.0.1-SNAPSHOT\graylog2-parent-2.0.1-SNAPSHOT.pom
[INFO] 

[INFO] 

[INFO] Building graylog2-server 2.0.1-SNAPSHOT
[INFO] 

[INFO] 
[INFO] --- maven-clean-plugin:3.0.0:clean (default-clean) @ graylog2-server 
---
[INFO] Deleting D:\Anant\Graylog 2.0 GA\Graylog 2.0 GA Source 
code\graylog2-server-2.0\graylog2-server\target
[INFO] Deleting D:\Anant\Graylog 2.0 GA\Graylog 2.0 GA Source 
code\graylog2-server-2.0\graylog2-web-interface (includes = [build/**/*, 
node_modules/**/*], excludes = [])
[INFO] 
[INFO] --- maven-enforcer-plugin:1.2:enforce (enforce-maven) @ 
graylog2-server ---
[INFO] 
[INFO] --- buildnumber-maven-plugin:1.4:create (default) @ graylog2-server 
---
[INFO] Executing: cmd.exe /X /C "git rev-parse --verify HEAD"
[INFO] Working directory: D:\Anant\Graylog 2.0 GA\Graylog 2.0 GA Source 
code\graylog2-server-2.0\graylog2-server
[INFO] 

[INFO] Reactor Summary:
[INFO] 
[INFO] Graylog ... SUCCESS [ 13.072 
s]
[INFO] graylog2-server ... FAILURE [02:26 
min]
[INFO] integration-tests . SKIPPED
[INFO] 

[INFO] BUILD FAILURE
[INFO] 

[INFO] Total time: 02:39 min
[INFO] Finished at: 2016-06-30T20:09:02+05:30
[INFO] Final Memory: 33M/261M
[INFO] 

[ERROR] Failed to execute goal 
org.codehaus.mojo:buildnumber-maven-plugin:1.4:create (default) on project 
graylog2-server: Cannot get the revision information from the scm 
repository :
[ERROR] Exception while executing SCM command. Error while executing 
command. Error while executing process. Cannot run program "git" (in 
directory "D:\Anant\Graylog 2.0 GA\Graylog 2.0 GA Source 
code\graylog2-server-2.0\graylog2-server"): CreateProcess error=2, The 
system cannot find the file specified
[ERROR] -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e 
switch.
[ERROR] Re-run Maven 

Re: [graylog2] Re: Graylog Does not work on AWS

2016-06-30 Thread 123Dev
That is not true,
We have AWS image based deployment (2 graylog servers, 2 datanodes) 
(production) and one manual install (staging) all working in AWS.

REST API access part is a bit flaky and I agree it can benefit from better 
documentation / code, but Graylog folks have always been proactive and I 
constantly see doc and code updates.

If it helps you in any way, we have all Graylogs deployed in private 
subnets, and have ELB front serving (https) it publicly.
All our Graylog inputs are only accessible privately by design.

Good luck
 

On Thursday, June 30, 2016 at 5:05:18 AM UTC-4, Joshua Swanson wrote:
>
> Turns out though, that I can't - apparently one of the changes since 1.0.1 
> has made it unable to run on AWS.
>
>



[graylog2] Re: email callback and message.source..

2016-06-30 Thread Jochen Schalanda
Hi Stefan,

please read the previous posts I wrote in this thread and the documentation 
section I've linked to.

There is no single message object in the email body but always a collection 
of messages in the backlog variable which you have to iterate over with 
foreach.

Cheers,
Jochen

On Thursday, 30 June 2016 12:16:03 UTC+2, Stefan Krüger wrote:
>
> OK, I am too stupid for this..
>
> the body looks like:
> ##
> Alert Description: ${check_result.resultDescription}
> Date: ${check_result.triggeredAt}
> Stream ID: ${stream.id}
> Stream title: ${stream.title}
> Stream description: ${stream.description}
> ${if stream_url}Stream URL: ${stream_url}${end}
>
> source= ${message.source}
> messagefield= ${message.fields.ssh_login_username}
> Triggered condition: ${check_result.triggeredCondition}
> ##
>
> ${if backlog}Last messages accounting for this alert:
> ${foreach backlog message}${message}
>
> ${end}${else}
> ${end}
>
> but i get:
> ##
> Alert Description: Stream received messages matching  "root"> (Current grace time: 0 minutes)
> Date: 2016-06-30T10:11:27.213Z
> Stream ID: 57692df6e4b02d1805abd229
> Stream title: ssh success logins
> Stream description: successfull ssh logins
> Stream URL: Please configure 'transport_email_web_interface_url' in your 
> Graylog configuration file.
>
> source= 
> messagefield= 
> Triggered condition: 28483061-1db9-4676-9b81-6aacc653b1f9:
> FIELD_CONTENT_VALUE={field: ssh_login_username, value: root}, stream:={
> 57692df6e4b02d1805abd229: "ssh success logins"}
> ##
>
> 
>
>
>
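
An added example, not part of the original posts: the body template from the quoted message with the per-message variables moved inside the `foreach` loop over `backlog`, as the reply above describes. The field name `ssh_login_username` is the one used in the quoted template.

```text
##
Alert Description: ${check_result.resultDescription}
Date: ${check_result.triggeredAt}
Stream ID: ${stream.id}
Stream title: ${stream.title}
Stream description: ${stream.description}
${if stream_url}Stream URL: ${stream_url}${end}

Triggered condition: ${check_result.triggeredCondition}
##

${if backlog}Last messages accounting for this alert:
${foreach backlog message}source= ${message.source}
messagefield= ${message.fields.ssh_login_username}
${message}

${end}${else}
${end}
```

Outside the loop there is no `message` variable, which is why `source=` and `messagefield=` came out empty in the quoted result.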



[graylog2] Re: email callback and message.source..

2016-06-30 Thread 'Stefan Krüger' via Graylog Users
OK, I am too stupid for this..

the body looks like:
##
Alert Description: ${check_result.resultDescription}
Date: ${check_result.triggeredAt}
Stream ID: ${stream.id}
Stream title: ${stream.title}
Stream description: ${stream.description}
${if stream_url}Stream URL: ${stream_url}${end}

source= ${message.source}
messagefield= ${message.fields.ssh_login_username}
Triggered condition: ${check_result.triggeredCondition}
##

${if backlog}Last messages accounting for this alert:
${foreach backlog message}${message}

${end}${else}
${end}

but i get:
##
Alert Description: Stream received messages matching  (Current grace time: 0 minutes)
Date: 2016-06-30T10:11:27.213Z
Stream ID: 57692df6e4b02d1805abd229
Stream title: ssh success logins
Stream description: successfull ssh logins
Stream URL: Please configure 'transport_email_web_interface_url' in your 
Graylog configuration file.

source= 
messagefield= 
Triggered condition: 28483061-1db9-4676-9b81-6aacc653b1f9:
FIELD_CONTENT_VALUE={field: ssh_login_username, value: root}, stream:={
57692df6e4b02d1805abd229: "ssh success logins"}
##






[graylog2] Re: email callback and message.source..

2016-06-30 Thread Jochen Schalanda
Hi Stefan,

you can access any message field inside the email *body* template using the 
variables described in 
http://docs.graylog.org/en/2.0/pages/streams.html#email-alert-callback.

Cheers,
Jochen

On Thursday, 30 June 2016 10:08:03 UTC+2, Stefan Krüger wrote:
>
> Hi Jochen,
>
> sorry for my bad English.
> I have a stream, and I want a message if root is logged in via ssh (that 
> works fine), but I want to see in the email the source/server where the 
> message comes from (sshserver1, sshserver2, etc.)
>
> bests
> Stefan
>



Re: [graylog2] Re: Graylog Does not work on AWS

2016-06-30 Thread Joshua Swanson
The nginx file. I tried setting up two servers, one according to this:
http://docs.graylog.org/en/2.0/pages/installation/os/centos.html
and one according to this:
http://docs.graylog.org/en/2.0/pages/installation/aws.html

The first one, does not have nginx, but it does have rest_listen_uri,
rest_transport_uri, web_listen_uri, and web_endpoint_uri in the graylog
conf file at /etc/graylog/server/server.conf
the second one does have the file, but both of them have the same problem.

I have been using graylog2 version 1.0.1 for the past couple of years, but
recently decided it was time to upgrade. When attempting an actual upgrade
failed, I decided that I should try setting up a new server, entirely from
scratch, with the assumption that if I followed the setup instructions in
the official documentation exactly as written I would be able to get it
working. Turns out though, that I can't - apparently one of the changes
since 1.0.1 has made it unable to run on AWS.


On 29 June 2016 at 15:03, 123Dev  wrote:

> The server that I set up, does not have that file.
>
> Which file are you referring to?
> nginx.conf or graylog.conf?
>
> Yet you mention the setting, so where are you reading this setting?
> How did you setup the Graylog server? from an AWS image?
> then you should have the file.
>
> If this is your first experience with Graylog, why not start with AWS
> image?
>
>



[graylog2] Re: email callback and message.source..

2016-06-30 Thread 'Stefan Krüger' via Graylog Users
Hi Jochen,

sorry for my bad English.
I have a stream, and I want a message if root is logged in via ssh (that 
works fine), but I want to see in the email the source/server where the 
message comes from (sshserver1, sshserver2, etc.)

bests
Stefan



[graylog2] Re: help with Grok pattern

2016-06-30 Thread kaiser
'|' stands for a logic OR so you have to escape it with '\|'.


srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}\|dstIP=%{IP:dstip}\|dstPort=%{NUMBER:dstport}

On Thursday, 30 June 2016 07:18:30 UTC+2, Keamas M wrote:
>
> Hey,
>
> I log my firewall logs into Graylog.
>
> The log File looks like this:
>
>
> <14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info C-WN02-FW 
> Detect: type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.143|
> srcPort=52365|srcMAC=00:00:00:00:00:00|dstIP=194.232.104.167|dstPort=80|
> dstService=|dstIF=port7.910|rule=|info=Normal Operation|
> srcNAT=80.120.132.156|dstNAT=194.232.154.127|duration=0|count=1|
> receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user=n600771|
> protocol=HTTP direct|application=Web browsing|target=steiermark.orf.at|
> content=|urlcat=Search Engines/Portals
>
>
> I tried to extract the fields with grok patterns, I tried it like this:
>
>
>
> srcIP=%{IP:srcip}|scrPort=%{NUMBER:srcport}|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}
>
> But it does not work, I can only extract the first field. How can I create 
> the pattern so that I can use all fields?
> Does anyone have an example for me of how I can use grok patterns to extract this?
>
> Or is there any other extraction mechanism which is better to use to 
> extract this kind of data?
>
>
>
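
An added example, not part of the original posts: Python's `re` stands in for the grok engine to show why the unescaped `|` extracts only the first field. `grok_to_regex`, `extract` and the simplified `IP`/`NUMBER` definitions are assumptions made for illustration; the sample line is the quoted firewall log, shortened. It also shows that the escaped pattern as posted still misses this line, because the pattern spells `scrPort` and the log carries a `srcMAC` field between `srcPort` and `dstIP`.

```python
import re

# Constructed sample: the firewall line quoted in the thread, shortened.
LINE = ("Detect: type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.143|"
        "srcPort=52365|srcMAC=00:00:00:00:00:00|dstIP=194.232.104.167|"
        "dstPort=80|dstService=|dstIF=port7.910")

# Simplified stand-ins for the grok IP and NUMBER patterns (assumption: IPv4 only).
GROK = {"IP": r"(?:\d{1,3}\.){3}\d{1,3}", "NUMBER": r"\d+"}


def grok_to_regex(pattern):
    """Expand %{NAME:field} into a named group; the rest is plain regex."""
    def expand(m):
        return "(?P<%s>%s)" % (m.group(2), GROK[m.group(1)])
    return re.sub(r"%\{(\w+):(\w+)\}", expand, pattern)


def extract(pattern, line):
    """Return the fields captured by the first match, or {} if none."""
    m = re.search(grok_to_regex(pattern), line)
    if not m:
        return {}
    return {k: v for k, v in m.groupdict().items() if v is not None}


# 1. Pattern from the question: each '|' is alternation, so the regex is
#    "srcIP=... OR scrPort=... OR dstIP=... OR dstPort=..." and the first
#    alternative that matches ends the search.
UNESCAPED = (r"srcIP=%{IP:srcip}|scrPort=%{NUMBER:srcport}"
             r"|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}")

# 2. Pattern from the reply: '\|' is a literal pipe, so all parts must now
#    appear consecutively. On this line they do not.
ESCAPED_AS_POSTED = (r"srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}"
                     r"\|dstIP=%{IP:dstip}\|dstPort=%{NUMBER:dstport}")

# 3. Same idea, spelled to match the log and skipping over srcMAC.
ESCAPED_FULL = (r"srcIP=%{IP:srcip}\|srcPort=%{NUMBER:srcport}"
                r"\|srcMAC=[^|]*"
                r"\|dstIP=%{IP:dstip}\|dstPort=%{NUMBER:dstport}")

if __name__ == "__main__":
    for name in ("UNESCAPED", "ESCAPED_AS_POSTED", "ESCAPED_FULL"):
        print(name, extract(globals()[name], LINE))
```
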
