Cannot search IP addresses?


I have just setup an Ubuntu server with graylog and feeding logs from 2 pfSense Firewalls to it.

Here’s an example of the message retrieved:

“filterlog[14399]: 131,1589461236,igb3,match,pass,in,4,0x0,127,43658,0,DF,6,tcp,52,,,58684,443,0,S,1901707583,65280,mss;nop;wscale;nop;nop;sackOK”

I can do a search for for example: pass/block or udp/tcp - however I’m not able to search for the IP adresses? The results just come up blank.

The pfSense is sending RFC 3164 format.

I have tried to create the Graylog input as both “Syslog UDP” and “Raw/Plaintext UDP” - but this does not change behaviour - I cannot search the IP address?

My setup - new install:
Ubuntu 20.04.3
Graylog 4.2.6-1
Elasticsearch-oss 7.10.2
Mongodb 3.6.9

Any ideas?

Update: seems I cannot search port number either - so maybe something with numeric values?

There was another post int he community about searching for IP addresses here… That will probably get you where you want to go.

Thanks for the suggestion - I’ll have a look at this to get a better understanding

Actually changing the log format on the pfSense to RFC 5424 did the trick - I can now search IP addresses as expected.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.