1. Describe your incident:
Trying to create extractors
2. Describe your environment:
-
OS Information:
Debian Bullseye
Package Version:
-
Service logs, configurations, and environment variables:
Not Applicable
3. What steps have you already taken to try and solve the problem?
Tried to create various regexes and use the available Groks, but I have failed.
I can get the first IP address, but I am stumped on the second IP address and the ports.
4. How can the community help?
Hi
I am a newbie using Graylog, and would welcome a bit of assistance in extracting fields from the following messages
A.
<129>Jun 13 06:34:34 DrayTek: [DOS][Block][Blocking List][45.143.200.50->255.255.255.255]
or
DrayTek: [DOS][Block][Blocking List][45.143.200.50->255.255.255.255]
The two IP addresses to be stored as new fields hackIp, ispIp for further analysis
B.
<129>Jun 11 14:27:12 DrayTek: [DOS][Block][tcp_flag, scanner=non_syn_ack_rst][2.57.122.225:3197->255.255.255.255:80][TCP][HLen=20, TLen=89, Flag=P, Seq=3197, Ack=0, Win=65535]
The two IP addresses and the associated ports
I am using the wizard to try to create the extractor on the input from the DrayTek, and place the extracted data into new fields
hackIp, hackPort, ispIp, ispPort for further analysis
Thanks
Aimee
PS 255.255.255.255 is not my ISP address
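The following is an added example, not part of Aimee's post and not Graylog's own code. It shows one regular expression that covers both DrayTek message formats quoted above: the `->` separator sits between the two addresses, and the `:port` parts are optional groups, so the "Blocking List" line yields only hackIp and ispIp while the tcp_flag line also yields hackPort and ispPort. The sample messages are constructed from the lines in the post. The `GROK_EQUIVALENT` string is an assumed Graylog Grok rendering of the same expression (the `;int` type suffix is Graylog's Grok typing syntax) and is shown for reference only; the Python regex is what the script actually runs.

```python
import ipaddress
import re

# Constructed sample messages, modelled on the three lines quoted in the post.
SAMPLES = [
    "<129>Jun 13 06:34:34 DrayTek: [DOS][Block][Blocking List][45.143.200.50->255.255.255.255]",
    "DrayTek: [DOS][Block][Blocking List][45.143.200.50->255.255.255.255]",
    "<129>Jun 11 14:27:12 DrayTek: [DOS][Block][tcp_flag, scanner=non_syn_ack_rst]"
    "[2.57.122.225:3197->255.255.255.255:80][TCP][HLen=20, TLen=89, Flag=P, Seq=3197, Ack=0, Win=65535]",
]

# One pattern for both formats. The ":port" parts are optional groups, so a
# match on the "Blocking List" line simply leaves hackPort/ispPort unset.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ADDR_PAIR = re.compile(
    r"\[(?P<hackIp>" + IPV4 + r")(?::(?P<hackPort>\d{1,5}))?"
    r"->(?P<ispIp>" + IPV4 + r")(?::(?P<ispPort>\d{1,5}))?\]"
)

# Assumed Graylog Grok equivalent of ADDR_PAIR, for pasting into a Grok
# extractor. Reference only; this script does not execute it.
GROK_EQUIVALENT = r"\[%{IP:hackIp}(?::%{INT:hackPort;int})?->%{IP:ispIp}(?::%{INT:ispPort;int})?\]"


def _valid_port(text):
    """Return the port as int, or None if it is outside 0..65535."""
    port = int(text)
    return port if 0 <= port <= 65535 else None


def extract_fields(message):
    """Return hackIp/ispIp (plus hackPort/ispPort when present) from one DrayTek line.

    Returns {} when the line has no address pair or the captured values are
    not a valid IPv4 address / port, so garbage never lands in the new fields.
    """
    m = ADDR_PAIR.search(message)
    if not m:
        return {}
    try:
        # \d{1,3} also matches octets like 999; IPv4Address rejects those.
        hack_ip = str(ipaddress.IPv4Address(m.group("hackIp")))
        isp_ip = str(ipaddress.IPv4Address(m.group("ispIp")))
    except ipaddress.AddressValueError:
        return {}
    fields = {"hackIp": hack_ip, "ispIp": isp_ip}
    for name in ("hackPort", "ispPort"):
        raw = m.group(name)
        if raw is not None:
            port = _valid_port(raw)
            if port is None:
                return {}
            fields[name] = port
    return fields


if __name__ == "__main__":
    for line in SAMPLES:
        print(extract_fields(line))
```

Because the expression is anchored on the `[ip(:port)->ip(:port)]` bracket rather than on the syslog header, it works whether or not the `<129>Jun 13 06:34:34` prefix is present, which covers both variants of message A.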