Re: [graylog2] Re: Extractor help - domain name only

2016-07-15 Thread Zoizo
Ok I have resolved the problem (it seems).
I created two extractors, one with the condition "matches regular 
expression" *GET [a-z]+://[^/]+\.([^/]+\.[^/]+)/* and the other with *GET 
[a-z]+://[a-zA-Z0-9]{1,1000}.[a-zA-Z0-9]{2,4}/.*
Both under the same field name. It didn't create two of the same fields 
fortunately.

Thanks again Jason!

On Friday, July 15, 2016 at 8:36:13 AM UTC+4, Zoizo wrote:
>
> Hi,
>
> I tested your second regex (what I need is the two words, facebook.com) 
> and it works fine when there are three or more words, and sadly doesn't 
> when there are exactly two words (http://facebook.com for example).
> Is there a way to add an alternation to the regex, like, if the first 
> regex doesn't match any group, try GET [a-z]+://([^/]+)/ instead? 
> I tried this: GET [a-z]+://[^/]+\.([^/]+\.[^/]+)/ | GET [a-z]+://([^/]+)/ 
> but it says nothing will be extracted. I must have made a syntax mistake 
> since I haven't used that before.
>
> Thanks lots!
>
> On Thursday, July 14, 2016 at 11:33:10 AM UTC+4, Jason Haar wrote:
>>
>>
>> On Wed, Jul 13, 2016 at 10:57 PM, Zoizo wrote:
>>
>>> Well I'm a moron and forgot domain names could have more than two words 
>>> too so, I'm kinda lost as to what I can do here ^^'
>>>
>>
>> Try a regex like "GET [a-z]+?://[^\.]+\.([^/]+)/"
>>
>> On "facebook.com" that would match "com". Assuming that's what you want 
>> of course (I stick to "GET [a-z]+://([^/]+)/" myself)
>>
>> If you want the last two, then "GET [a-z]+://[^/]+\.([^/]+\.[^/]+)/" 
>> should do that
>>
>> I know "https?" would be better - but I'm not near graylog at the moment 
>> and I don't know if its weird Java-based regex library supports that - so 
>> I stuck with [a-z]+ to match "http" and "https" (and I guess "ftp" too)
>>
>>
>> -- 
>> Cheers
>>
>> Jason Haar
>> Information Security Manager, Trimble Navigation Ltd.
>> Phone: +1 408 481 8171
>> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/7ea553c3-0461-46d0-825e-b17ba1156f3c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [graylog2] Re: Extractor help - domain name only

2016-07-14 Thread Zoizo
Hi,

I tested your second regex (what I need is the two words, facebook.com) and 
it works fine when there are three or more words, and sadly doesn't when 
there are exactly two words (http://facebook.com for example).
Is there a way to add an alternation to the regex, like, if the first regex 
doesn't match any group, try GET [a-z]+://([^/]+)/ instead? 
I tried this: GET [a-z]+://[^/]+\.([^/]+\.[^/]+)/ | GET [a-z]+://([^/]+)/ 
but it says nothing will be extracted. I must have made a syntax mistake 
since I haven't used that before.

Thanks lots!

On Thursday, July 14, 2016 at 11:33:10 AM UTC+4, Jason Haar wrote:
>
>
> On Wed, Jul 13, 2016 at 10:57 PM, Zoizo wrote:
>
>> Well I'm a moron and forgot domain names could have more than two words 
>> too so, I'm kinda lost as to what I can do here ^^'
>>
>
> Try a regex like "GET [a-z]+?://[^\.]+\.([^/]+)/"
>
> On "facebook.com" that would match "com". Assuming that's what you want 
> of course (I stick to "GET [a-z]+://([^/]+)/" myself)
>
> If you want the last two, then "GET [a-z]+://[^/]+\.([^/]+\.[^/]+)/" 
> should do that
>
> I know "https?" would be better - but I'm not near graylog at the moment 
> and I don't know if its weird Java-based regex library supports that - so 
> I stuck with [a-z]+ to match "http" and "https" (and I guess "ftp" too)
>
>
> -- 
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>



Re: [graylog2] Re: Extractor help - domain name only

2016-07-14 Thread Zoizo
Hi,

I tried your second regex (I need the two words, yes), and it works fine! 
There is one problem though, it doesn't work when there are exactly two 
words, because it does not find the first [^/]. How can I say in the regex 
that the [^/] is optional, please?

Thanks lots.

On Thursday, July 14, 2016 at 11:33:10 AM UTC+4, Jason Haar wrote:
>
>
> On Wed, Jul 13, 2016 at 10:57 PM, Zoizo wrote:
>
>> Well I'm a moron and forgot domain names could have more than two words 
>> too so, I'm kinda lost as to what I can do here ^^'
>>
>
> Try a regex like "GET [a-z]+?://[^\.]+\.([^/]+)/"
>
> On "facebook.com" that would match "com". Assuming that's what you want 
> of course (I stick to "GET [a-z]+://([^/]+)/" myself)
>
> If you want the last two, then "GET [a-z]+://[^/]+\.([^/]+\.[^/]+)/" 
> should do that
>
> I know "https?" would be better - but I'm not near graylog at the moment 
> and I don't know if its weird Java-based regex library supports that - so 
> I stuck with [a-z]+ to match "http" and "https" (and I guess "ftp" too)
>
>
> -- 
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>



Re: [graylog2] Re: Extractor help - domain name only

2016-07-14 Thread Zoizo
Thanks a whole lot. I will try that at work tomorrow and update.



Re: [graylog2] Re: Extractor help - domain name only

2016-07-14 Thread Jason Haar
On Wed, Jul 13, 2016 at 10:57 PM, Zoizo wrote:

> Well I'm a moron and forgot domain names could have more than two words
> too so, I'm kinda lost as to what I can do here ^^'
>

Try a regex like "GET [a-z]+?://[^\.]+\.([^/]+)/"

On "facebook.com" that would match "com". Assuming that's what you want of
course (I stick to "GET [a-z]+://([^/]+)/" myself)

If you want the last two, then "GET [a-z]+://[^/]+\.([^/]+\.[^/]+)/" should
do that

I know "https?" would be better - but I'm not near graylog at the moment
and I don't know if its weird Java-based regex library supports that - so
I stuck with [a-z]+ to match "http" and "https" (and I guess "ftp" too)


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
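
As an added example (not code from this thread or from Graylog), the patterns discussed above are run with Python's `re` against the squid3 line quoted earlier in the thread plus constructed variants: it shows where the "last two labels" regex stops matching, why the two-group alternation Zoizo tried stores nothing (Graylog's regex extractor keeps only the first capture group), and a single-group pattern that makes the leading labels optional. Python's `re` stands in for Graylog's Java regex engine; the constructed IPs are from the 203.0.113.0/24 documentation range.

```python
import re

# Constructed squid3 access-log lines. The first reproduces the line quoted
# in the thread; the rest are made up to cover the cases discussed.
LINES = [
    "pamandzi squid3: 1468405079.420 1 10.138.7.25 TCP_HIT/200 8573 GET "
    "http://static.cedex.it.showroomprive.com/v3/0/_img/wait2.gif - NONE/- image/gif",
    "pamandzi squid3: 1468405080.001 12 10.138.7.25 TCP_MISS/200 512 GET "
    "http://www.facebook.com/ - DIRECT/203.0.113.10 text/html",
    "pamandzi squid3: 1468405081.300 5 10.138.7.25 TCP_MISS/200 512 GET "
    "http://facebook.com/ - DIRECT/203.0.113.10 text/html",
    "pamandzi squid3: 1468405082.120 9 10.138.7.26 TCP_MISS/200 2048 GET "
    "http://www.bbc.co.uk/news - DIRECT/203.0.113.11 text/html",
]

# Jason's "last two labels" regex: the leading [^/]+\. needs a third label,
# so it matches www.facebook.com but not facebook.com.
LAST_TWO = re.compile(r"GET [a-z]+://[^/]+\.([^/]+\.[^/]+)/")

# Zoizo's alternation, exactly as typed. Two problems: each branch has its own
# group and Graylog's regex extractor stores only group 1, so a line matched by
# the second branch yields nothing; and the spaces around "|" are literal, so
# the first branch only matches when the slash after the host is followed by a
# space, which never happens in these lines.
ALTERNATION = re.compile(
    r"GET [a-z]+://[^/]+\.([^/]+\.[^/]+)/ | GET [a-z]+://([^/]+)/"
)

# Single-group fix for the "make the first part optional" question: the
# non-capturing (?:[^/]*\.)? absorbs any leading labels and the group keeps
# exactly the last two labels before the path.
LAST_TWO_OR_ALL = re.compile(r"GET [a-z]+://(?:[^/]*\.)?([^/.]+\.[^/.]+)/")


def extract_domain(line, pattern=LAST_TWO_OR_ALL):
    """Return what a single-group Graylog regex extractor would store, or None."""
    m = pattern.search(line)
    return m.group(1) if m else None


if __name__ == "__main__":
    for line in LINES:
        url = line.split(" GET ")[1].split()[0]
        print(f"{url:55} last_two={extract_domain(line, LAST_TWO)!s:20} "
              f"fixed={extract_domain(line)}")
    # Caveat: "last two labels" is a heuristic, not registrable-domain logic;
    # www.bbc.co.uk comes out as "co.uk". Use the Public Suffix List for that.
```

If the extracted field feeds allow/deny decisions or alerting, the `co.uk` result on the last line is the case to watch: two-label truncation misreports every domain under a multi-part public suffix.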



[graylog2] Re: Extractor help - domain name only

2016-07-13 Thread Zoizo
Well I'm a moron and forgot domain names could have more than two words too 
so, I'm kinda lost as to what I can do here ^^'

On Wednesday, July 13, 2016 at 2:41:33 PM UTC+4, Zoizo wrote:
>
> Hello,
>
> I know this has been brought up a lot already but I didn't find a clear 
> answer.
>
> I have this template of log :
>
> pamandzi squid3: 1468405079.420 1 10.138.7.25 TCP_HIT/200 8573 GET 
> http://static.cedex.it.showroomprive.com/v3/0/_img/wait2.gif - NONE/- 
> image/gif
>
> And I have created 3 extractors for it :
>
> squid3: [0-9]{1,50}.[0-9]{1,50}[ ]{1,10}[0-9]{1,50} ([0-9.]{1,50}) => will 
> return the client IP address. Works fine
>
> [0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3} [a-zA-Z0-9.-/%:_=]{1,50} 
> ([0-9]{1,10}) => returns the bytes used in the request. Works fine too.
>
> My problem comes with the last extractor. At the moment I have this:
>
> GET http://[a-zA-Z0-9-]{1,1000}.([a-zA-Z0-9-.]{1,1000})
>
> My reasoning when I created this was that most URLs I saw started with 
> one word, then there is the domain name, and then there is all that comes 
> after the first /
> It works fine when there is exactly one word before the domain name 
> (example: http://www.facebook.com), but obviously doesn't when there is 
> none, or more than one.
>
> How can I make a regex that will take only the domain name, aka the last 
> two things before the / ?
>
> Thanks a lot.
>
>
> PS: I know the two working regexes are kinda ugly and not clean (with all 
> those {1,1000} etc). Please don't pay attention to that :S
>
