Can't manage a particular type of log (Extractor doesn't work)


(Noemie Teixeira) #1

Hi!
This is the first time I've worked with Graylog (for a week, in fact), and I have managed to configure it to show SSH connections, authentication failures, and things like that (my logs come from a syslog-ng server).
But what I need now is to extract a precise type of log from my syslog.

I'm actually a student, and I work at a small French ISP.
My job is to analyse the traffic to see who is using P2P, because we receive warning letters from "Hadopi". (I also want to make statistics, like which IP address uses the most bandwidth, things like that.)
I use a Mikrotik router which is configured to send logs with a special prefix named "torrent".
All I want is to catch the source IP address from the log line and show it in the Graylog web interface.
This type of log looks like this:

Apr 16 16:13:10 192.168.88.1 firewall,info torrent forward: in:ether2-master-local out:ether1-gateway, src-mac f4:6d:04:af:ea:73, proto TCP (ACK,PSH), 192.168.88.253:48776->104.25.76.32:443, NAT (192.168.88.253:48776->10.190.10.72:48776)->104.25.76.32:443, len 239

See, it's marked with a log prefix named "torrent".
I want to get the source IP address into Graylog, and to do it I thought of an Extractor.
But, as I already said, I'm new. I tried using an existing extractor (one named Barracuda), but it doesn't work. And I don't have the option to make my own extractor.
I'm completely lost, actually.
I don't know what to do.

Can you help me?

Thank you.
Noémie.
PS: Sorry for my bad English. (I'm French.)


(Jochen) #2

I’d recommend using a Grok extractor (or a pipeline rule) to get the relevant information out of the log message.

http://docs.graylog.org/en/2.4/pages/extractors.html#using-grok-patterns-to-extract-data

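A worked version of the Grok suggestion above, added here and not part of the thread: the pattern for the Mikrotik line from the question written as a Python regex, plus a per-source-IP count filtered on the log prefix. It assumes the syslog header is already handled by the Graylog input (so matching starts at `firewall,info`); the two extra sample lines are constructed.

```python
import re
from collections import Counter

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# Python-regex equivalent of a Grok pattern for the Mikrotik "firewall,info" line.
# The syslog header (timestamp, router IP) is left to the Graylog input, so the
# pattern searches from "firewall,info" onward. Ports are optional so ICMP lines
# (which have none) still parse, and the flag group is optional for UDP.
MIKROTIK_FW = re.compile(
    r"firewall,info (?P<prefix>\S+) (?P<chain>\w+): "
    r"in:(?P<in_iface>\S+) out:(?P<out_iface>[^,]+), "
    r"src-mac (?P<src_mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}), "
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    rf"(?P<src_ip>{IP})(?::(?P<src_port>\d+))?->"
    rf"(?P<dst_ip>{IP})(?::(?P<dst_port>\d+))?"
)

def parse_mikrotik(line):
    """Return the named fields as a dict, or None if the line is not a firewall,info entry."""
    m = MIKROTIK_FW.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("src_port", "dst_port"):  # ports as integers where present
        if fields[key] is not None:
            fields[key] = int(fields[key])
    return fields

def sources_by_prefix(lines, prefix="torrent"):
    """Count how often each source IP appears in lines carrying the given log prefix."""
    counts = Counter()
    for line in lines:
        f = parse_mikrotik(line)
        if f and f["prefix"] == prefix:
            counts[f["src_ip"]] += 1
    return counts

# Sample input: the line from the question plus two constructed lines (UDP and ICMP).
SAMPLE = [
    "Apr 16 16:13:10 192.168.88.1 firewall,info torrent forward: in:ether2-master-local "
    "out:ether1-gateway, src-mac f4:6d:04:af:ea:73, proto TCP (ACK,PSH), "
    "192.168.88.253:48776->104.25.76.32:443, NAT (192.168.88.253:48776->10.190.10.72:48776)->104.25.76.32:443, len 239",
    "Apr 16 16:13:11 192.168.88.1 firewall,info torrent forward: in:ether2-master-local "
    "out:ether1-gateway, src-mac 00:11:22:33:44:55, proto UDP, 192.168.88.42:51413->203.0.113.9:6881, len 120",
    "Apr 16 16:13:12 192.168.88.1 firewall,info ping forward: in:ether2-master-local "
    "out:ether1-gateway, src-mac 00:11:22:33:44:55, proto ICMP (type 8, code 0), 192.168.88.42->198.51.100.1, len 84",
]
```

In a Graylog Grok extractor the same named groups are written as `%{IP:src_ip}`, `%{INT:src_port}` and so on, applied to the `message` field.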

(Noemie Teixeira) #3

Thank you for your answer.
Well, I already tried, using a JSON extractor and Grok too.
The fact is that when I load messages, I don't see any of the firewall,info messages. So I can't get it to extract.
Maybe I'm doing things wrong (that's almost certain), which is why I'm a little bit lost.


(Jochen) #4

Are the log messages ingested into Graylog at all?

What type of input are you using?
What’s the complete configuration of that input?
What’s in the logs of your Graylog node?
→ http://docs.graylog.org/en/2.4/pages/configuration/file_location.html


(Noemie Teixeira) #5

The input type is TCP on port 5140.
I'll attach a screenshot of it.

Is the Graylog node log this file? /var/log/graylog/graylog-server/server.log

It shows nothing interesting... I think. Maybe?
(It shows some things that I tried, like binding to the 0.0.0.0 address ^^'... I experimented.)

Do you want it?


(Noemie Teixeira) #6

I fixed my problem!
I configured my Mikrotik to send its logs directly to my Graylog (without going through the syslog-ng server, which then forwards the logs, etc.).
And I used tcpdump to see what was happening on port 5140!
It works! I receive my firewall,info logs!

I'll come back to you if I cannot extract torrent + source IP!
Thanks for the time you took to answer me.

Noémie.


(system) #7

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.