error when creating searches


(Rodrigo Griffo) #1

Sorry for my English, but I am using Google Translate.

I started using Graylog a short time ago, mainly to extract logs from a pfSense firewall.

I have a pfSense that acts as a captive portal for a college, and I need to keep the access log for a while. I made some extracts and it is meeting my needs; I used the GROK pattern that is available in the marketplace for pfSense and everything is alright.

Now I have to do some searches so that I can get back what I want.

I did a search that ONLY returns the logged-in users with the date/time and IP, and this is OK.

I did it using the SPLIT of the "message" field, and when necessary I run the following search: `_exists_:"login_user" AND NOT nginx`

When I need to know an IP that was accessed I use: `DestIP:"ip of destination"`

I have my answers separately... now I would like to "join" the searches, that is, I want to know which user accessed which IP.

Ex. DestIP -> login_user

But I cannot do it... I tried the following ways...

`DestIP:"destination ip" AND _exists_:"login_user"`

`_exists_:"destination ip" AND NOT nginx && DestIP:"destination ip"`

I've tried it in other ways and still cannot...

I ask for your help, and thank you.

Regards, Rodrigo Griffo
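Added example, not part of the thread or of Graylog itself. The reason the combined queries above return nothing is that a Graylog search evaluates its query against one message at a time: `DestIP:"x" AND _exists_:"login_user"` only matches a message that carries both fields, but the captive-portal login line and the firewall pass line are two different messages. The join therefore has to happen outside the search (or at ingest time with a pipeline rule and a lookup table). The script below does the offline version: it takes the two result sets the poster already has (login events with `login_user`, firewall events with `DestIP`) and joins them on the client address within a session window. The field names `SrcIP` and `timestamp`, the window length, and the sample records are all assumptions made for the example.

```python
"""Correlate captive-portal logins with firewall DestIP records by client IP.

Added example (not from the Graylog thread). Each Graylog message is matched
on its own, so a query cannot AND a field from a login message with a field
from a firewall message. Export both searches and join them here instead.
Field names other than `login_user` and `DestIP` are assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample data standing in for two exported Graylog searches.
# Login events: captive-portal messages that carry `login_user` (assumed
# to also carry the client address as `SrcIP`).
LOGINS = [
    {"timestamp": "2019-03-04T08:00:00", "login_user": "alice", "SrcIP": "10.10.1.20"},
    {"timestamp": "2019-03-04T09:30:00", "login_user": "bob",   "SrcIP": "10.10.1.20"},
    {"timestamp": "2019-03-04T08:05:00", "login_user": "carol", "SrcIP": "10.10.1.21"},
]
# Firewall pass events: messages that carry `DestIP` but no user at all.
FLOWS = [
    {"timestamp": "2019-03-04T08:10:00", "SrcIP": "10.10.1.20", "DestIP": "203.0.113.5"},
    {"timestamp": "2019-03-04T09:45:00", "SrcIP": "10.10.1.20", "DestIP": "203.0.113.5"},
    {"timestamp": "2019-03-04T08:20:00", "SrcIP": "10.10.1.21", "DestIP": "198.51.100.9"},
    {"timestamp": "2019-03-04T07:00:00", "SrcIP": "10.10.1.22", "DestIP": "203.0.113.5"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def correlate(logins, flows, session=timedelta(hours=1)):
    """Attribute each flow to the most recent login from the same client IP
    that happened at most `session` earlier. Returns one record per flow with
    `login_user` set to None when no login covers that flow (traffic from an
    address with no portal session in the window is exactly what to look at).
    """
    by_ip = {}
    for entry in logins:
        by_ip.setdefault(entry["SrcIP"], []).append(entry)
    for entries in by_ip.values():
        entries.sort(key=lambda e: parse_ts(e["timestamp"]))

    out = []
    for flow in flows:
        t = parse_ts(flow["timestamp"])
        user = None
        for login in by_ip.get(flow["SrcIP"], []):
            lt = parse_ts(login["timestamp"])
            if lt <= t and t - lt <= session:
                user = login["login_user"]  # later logins from the same IP win
        out.append({
            "timestamp": flow["timestamp"],
            "SrcIP": flow["SrcIP"],
            "DestIP": flow["DestIP"],
            "login_user": user,
        })
    return out


def users_for_dest(logins, flows, dest):
    """The 'DestIP -> login_user' view the poster asked for: which users
    reached `dest`, ignoring flows that no login covers."""
    return sorted({
        r["login_user"] for r in correlate(logins, flows)
        if r["DestIP"] == dest and r["login_user"]
    })


if __name__ == "__main__":
    for row in correlate(LOGINS, FLOWS):
        print(row)
    print("203.0.113.5 ->", users_for_dest(LOGINS, FLOWS, "203.0.113.5"))
```

The session window is the weak point of any IP-based join: on a DHCP network the same address is handed to another device once the lease expires, so pick a window no longer than the captive portal's own session timeout, and treat the `None` rows (a destination reached from an address with no matching login) as findings rather than noise.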


(Jochen) #2

Duplicate of Graylog Research