This is the first time I work with graylog (since a week, in fact) and I succeeded to configure it to show ssh connection, authentication failure, and some of that things (my logs from syslog-ng server).
But, what I want need now, is to extract a precise type of logs from my syslog.
I’m actually a student, and I work on a small French ISP.
My job is to analysed the traffic to see who make p2p, because we receive warning letter from “Hadopi”. (Also, I want to make statistic, like the IP address who is used the most bandwidth, some things like that)
I used a Mikrotik router which is configured to send log with a special prefix named “torrent”.
And all I want is to catch their IP address on the log line to show it on the graylog web interface.
This type of logs looks like that :
Apr 16 16:13:10 192.168.88.1 firewall,info torrent forward: in:ether2-master-local out:ether1-gateway, src-mac f4:6d:04:af:ea:73, proto TCP (ACK,PSH), 192.168.88.253:48776->220.127.116.11:443, NAT (192.168.88.253:48776->10.190.10.72:48776)->18.104.22.168:443, len 239
See, it’s mark with a log prefixe named “torrent”.
I want to get the IP source address in Graylog and to do it I think of Extractor.
But, as I already said, I’m new. But I try, by using existing extractor (one named Baracuda) but it don’t want to work. And I have not the option to make my own extractor.
I’m completely lost, actually.
I don’t know what to do.
Can you help me ?
PS : Sorry for my bad english. (I’m french)