Cannot search IP addresses?

PEP · February 21, 2022, 7:52am

Hi

I have just setup an Ubuntu server with graylog and feeding logs from 2 pfSense Firewalls to it.

Here’s an example of the message retrieved:

“filterlog[14399]: 131,1589461236,igb3,match,pass,in,4,0x0,127,43658,0,DF,6,tcp,52,10.0.28.58,104.121.236.217,58684,443,0,S,1901707583,65280,mss;nop;wscale;nop;nop;sackOK”

I can do a search for for example: pass/block or udp/tcp - however I’m not able to search for the IP adresses? The results just come up blank.

The pfSense is sending RFC 3164 format.

I have tried to create the Graylog input as both “Syslog UDP” and “Raw/Plaintext UDP” - but this does not change behaviour - I cannot search the IP address?

My setup - new install:
Ubuntu 20.04.3
Graylog 4.2.6-1
Elasticsearch-oss 7.10.2
Mongodb 3.6.9

Any ideas?

Update: seems I cannot search port number either - so maybe something with numeric values?

tmacgbay · February 21, 2022, 1:17pm

There was another post int he community about searching for IP addresses here… That will probably get you where you want to go.

PEP · February 21, 2022, 1:24pm

Thanks for the suggestion - I’ll have a look at this to get a better understanding

Actually changing the log format on the pfSense to RFC 5424 did the trick - I can now search IP addresses as expected.

system · March 7, 2022, 1:24pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Pfsense Syslog issue Graylog Central (peer support)	16	3450	June 16, 2020
Finding ip addresses in message fields Graylog Central (peer support)	4	856	December 19, 2023
Pfsense Syslog Input Not Working Graylog Central (peer support)	2	967	September 28, 2020
Graylog v3.3 - simple search with numbers (usually) fail Graylog Central (peer support) pipeline-rules	5	1262	October 16, 2020
Log can received from firewall but cannot show in search Graylog Central (peer support)	5	251	September 1, 2022

Cannot search IP addresses?

Related topics