Extract IPv4 from ubuntu syslog message

I’ve reviewed a few different posts on here to try and figure out how to create a regex extractor to pull an IP address from a message that is being forwarded from a client ubuntu machine into Graylog but am falling short of getting anything to successfully pass the test. Any help is greatly appreciated.

Message I am pulling from “Accepted password for admin from port 61473 ssh2”

I have tried the following regex from another post and it does not pass the example test


If there is a better way of doing this such as a grok lookup let me know.

Thank you

Look at IPV4 under system/grok patterns in Graylog…

1 Like

couple things…

That is a valid RegEx for capturing an IP address… but it will capture things that are not valid IP addresses. 378.9.456.840 would be a valid result of that regex. but is obviously not a valid IP, so be aware of that.

This is a version of that which will only capture valid IPs


As @tmacgbay mentioned, check out the groks for IPV4. and keep in mind that GROKing the IP is pretty trivial.

from %[IPV4:SrcIP]

would capture that IP.

Thank you to the both of you. Did not realize that the grok patterns were that easy to use. Really appreciate the help. Its working now with the grok lookup.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.