Extract IPv4 from ubuntu syslog message

Hello,
I’ve reviewed a few different posts on here to try and figure out how to create a regex extractor to pull an IP address from a message that is being forwarded from a client ubuntu machine into Graylog but am falling short of getting anything to successfully pass the test. Any help is greatly appreciated.

Message I am pulling from “Accepted password for admin from 192.168.1.5 port 61473 ssh2”

I have tried the following regex from another post and it does not pass the example test

[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}

If there is a better way of doing this such as a grok lookup let me know.

Thank you

Look at IPV4 under system/grok patterns in Graylog…


A couple of things…

That is a valid RegEx for capturing an IP address, but it will capture things that are not valid IP addresses. 378.9.456.840 would be a valid result of that regex but is obviously not a valid IP, so be aware of that.

This is a version of that which will only capture valid IPs

\b((?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]|[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]|[0-9]))\b

As @tmacgbay mentioned, check out the groks for IPV4, and keep in mind that GROKing the IP is pretty trivial.

from %{IPV4:SrcIP}

would capture that IP.
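As an added illustration (not code from either poster), the following Python script runs both the loose pattern from the question and a strict, octet-validating pattern over a few constructed sshd-style lines. Graylog's regex extractor keeps only the first capture group, so the strict pattern wraps the whole address in one outer group; the sample messages, the function names and the use of Python's `re` module in place of Graylog's Java regex engine are assumptions of this example.

```python
import re

# Loose pattern from the question: any four dot-separated 1-3 digit groups,
# so it also accepts out-of-range octets such as "378.9.456.840".
LOOSE_IPV4 = re.compile(r"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})")

# One valid octet (0-255). Alternatives are listed longest-first so that
# "250" is not matched as just "2" before the regex gives up backtracking.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]|[0-9])"

# Strict pattern: four valid octets with escaped dots, bounded by \b so a
# 4-digit run cannot match, and the whole address in capture group 1
# (Graylog's regex extractor stores the first capture group).
STRICT_IPV4 = re.compile(r"\b((?:" + OCTET + r"\.){3}" + OCTET + r")\b")


def extract_src_ip(message, strict=True):
    """Return the first IPv4 address found in message, or None."""
    pattern = STRICT_IPV4 if strict else LOOSE_IPV4
    m = pattern.search(message)
    return m.group(1) if m else None


def extract_all(messages, strict=True):
    """Apply extract_src_ip to every message, keeping None for misses."""
    return [extract_src_ip(m, strict) for m in messages]


# Constructed sample messages in the shape of the sshd line from the question.
SAMPLES = [
    "Accepted password for admin from 192.168.1.5 port 61473 ssh2",
    "Accepted publickey for deploy from 10.0.0.250 port 51022 ssh2",
    "Failed password for invalid user test from 378.9.456.840 port 2222 ssh2",
    "pam_unix(sshd:session): session opened for user admin by (uid=0)",
]

if __name__ == "__main__":
    print(f"{'loose':>16} | {'strict':>16} | message")
    for msg in SAMPLES:
        loose = extract_src_ip(msg, strict=False)
        strict = extract_src_ip(msg)
        print(f"{str(loose):>16} | {str(strict):>16} | {msg}")
```

The third sample is the point of the reply above: the loose pattern happily returns `378.9.456.840`, while the strict pattern returns nothing, which is the behaviour you want before the value lands in a field you later filter or alert on. Graylog's built-in `%{IPV4:SrcIP}` grok pattern performs the same octet validation for you.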

Thank you to the both of you. Did not realize that the grok patterns were that easy to use. Really appreciate the help. It's working now with the grok lookup.
