Best way to extract IPv4 addresses in a pipeline?


(Jason Haar) #1

Hi there

I want Graylog to auto-parse incoming syslog messages and extract srcIP/dstIP pairs. So I came up with this

rule "function ExtractIPv4Pairs"
when
    regex(".*[^0-9a-zA-Z]([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})[^0-9a-zA-Z].*[^0-9a-zA-Z]([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})[^0-9a-zA-Z].*",to_string($message.message)).matches
then
    let pair =  regex(".*[^0-9a-zA-Z]([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})[^0-9a-zA-Z].*[^0-9a-zA-Z]([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})[^0-9a-zA-Z].*",to_string($message.message),["src","dst"]);
    set_field("pipeSrcIPv4",to_ip(pair.src));
    set_field("pipeDstIPv4",to_ip(pair.dst));
end

That works fine, except it can match “1.2.333.4”, which is not a valid IP address. This then generates Java crash dumps in the server logs as it isn’t parsable, etc.

So what I really need to do is ensure each of those quads is between 0 and 255, etc.

Does anyone have a “pure” way of extracting IPv4 (IPv6 too would be great) within a pipeline function?

Thanks
Jason


(Jochen) #2

You could use a Grok pattern or at least take a look at how the IPV4 Grok pattern has been defined:
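
Added example, not part of the original thread and not Graylog's or the poster's code: a Python script showing the approach Jochen points at. It uses an octet-bounded regex in the spirit of the Grok IPV4 pattern (this variant is slightly stricter and also rejects leading zeros such as "010"), with lookarounds standing in for the rule's [^0-9a-zA-Z] guards, so a candidate like 1.2.333.4 is never handed to the address parser. A second, delimiter-split function leans on the standard ipaddress module and therefore also picks up IPv6. The syslog lines are constructed for the example; OCTET, IPV4_RE, extract_ipv4, extract_ipv4_pair, extract_ips and TOKEN_SPLIT are the example's own names.

```python
"""Extract IPv4 (and, via the token fallback, IPv6) addresses from syslog text
without ever passing an invalid candidate such as 1.2.333.4 to the parser.
Added example; not Graylog's or the original poster's code."""
import ipaddress
import re

# One octet, 0-255. The Grok IPV4 pattern uses [0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5];
# this variant additionally rejects leading zeros ("010"), which is also what
# Python's ipaddress module rejects, so regex and parser agree.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"

# Lookarounds replace the [^0-9a-zA-Z] guards of the original rule:
#  - not preceded by an alphanumeric or a dot, so "v2.3.4.5" and the tail of
#    "1.2.3.4.5" do not match;
#  - not followed by an alphanumeric, or by a dot that is itself followed by one,
#    so "1.2.3.4.5" is rejected but a sentence-final "10.0.0.1." still matches.
IPV4_RE = re.compile(
    rf"(?<![0-9A-Za-z.]){OCTET}(?:\.{OCTET}){{3}}(?!\.?[0-9A-Za-z])"
)


def extract_ipv4(message: str) -> list[str]:
    """All syntactically valid IPv4 addresses in message, in order of appearance."""
    return IPV4_RE.findall(message)


def extract_ipv4_pair(message: str):
    """(src, dst) as IPv4Address objects from the first two addresses found,
    or None when the message has fewer than two. Mirrors the src/dst capture
    of the pipeline rule, but the parser can no longer see an invalid string."""
    addrs = extract_ipv4(message)
    if len(addrs) < 2:
        return None
    return ipaddress.IPv4Address(addrs[0]), ipaddress.IPv4Address(addrs[1])


# Fallback that also covers IPv6: split on common syslog delimiters and let the
# ipaddress module decide. Brackets are delimiters, so "[2001:db8::1]:514" yields
# the address; a bare "10.0.0.80:443" is NOT recognised here (IPV4_RE handles it).
TOKEN_SPLIT = re.compile(r"""[\s,;()\[\]"'=<>]+""")


def extract_ips(message: str) -> list[str]:
    """IPv4 and IPv6 addresses found among delimiter-separated tokens."""
    found = []
    for token in TOKEN_SPLIT.split(message):
        token = token.rstrip(".")  # drop a sentence-final dot
        if not token:
            continue
        try:
            found.append(str(ipaddress.ip_address(token)))
        except ValueError:  # not an address: hostnames, ports, pids, "1.2.333.4"
            continue
    return found


# Constructed sample syslog lines, not from a real system.
SAMPLE_LINES = [
    "Jun  1 12:00:01 fw1 kernel: ACCEPT IN=eth0 SRC=192.168.1.10 DST=10.0.0.5 PROTO=TCP",
    "Jun  1 12:00:02 fw1 kernel: DROP SRC=1.2.333.4 DST=10.0.0.5 PROTO=UDP",
    "Jun  1 12:00:03 app1 sshd[1234]: Accepted publickey for ops from 203.0.113.7 port 51234",
    "Jun  1 12:00:04 app1 proxy: 198.51.100.23 -> 10.0.0.80:443 agent build 2.3.4.5.6",
    "Jun  1 12:00:05 app1 sshd[1235]: Accepted password for ops from [2001:db8::1]:514",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_ipv4_pair(line), extract_ips(line))
```

The regex path is what a Graylog rule would need, since the pipeline language has no try/except around to_ip(); the ipaddress path shows why a whitelist of 0-255 octets is the right fix rather than catching the parser error after the fact.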


(Jason Haar) #3

OK, good point, I could have googled “ipv4 regex” instead of wasting this list's time :wink:


(system) #4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.