Hello,
I’ve reviewed a few different posts on here to try and figure out how to create a regex extractor to pull an IP address from a message that is being forwarded from a client Ubuntu machine into Graylog, but am falling short of getting anything to successfully pass the test. Any help is greatly appreciated.
Message I am pulling from “Accepted password for admin from 192.168.1.5 port 61473 ssh2”
I have tried the following regex from another post and it does not pass the example test:
[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
If there is a better way of doing this such as a grok lookup let me know.
That is a valid RegEx for capturing an IP address… but it will capture things that are not valid IP addresses. 378.9.456.840 would be a valid result of that regex, but is obviously not a valid IP, so be aware of that.
This is a version of that which will only capture valid IPs
Thank you to the both of you. Did not realize that the grok patterns were that easy to use. Really appreciate the help. It's working now with the grok lookup.
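The difference discussed in this thread, as an added example that is not any poster's code and not the regex from the reply: it runs the quoted pattern and a range-checked pattern over the sample sshd line and over the invalid address 378.9.456.840, then parses the login fields with the source address validated. The names `OCTET`, `STRICT_IPV4`, `SSH_ACCEPTED`, `find_ipv4` and `extract_login` are hypothetical, and the strict pattern is one common construction assumed here.

```python
import ipaddress
import re

# Pattern quoted in the thread: any four groups of 1-3 digits, valid or not.
NAIVE_IPV4 = re.compile(r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")

# One octet limited to 0-255 (assumed construction, not the thread's regex).
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
# Lookarounds keep the match from starting or ending inside a longer
# digit/dot run, so "378.9.456.840" cannot yield a partial hit.
STRICT_IPV4 = re.compile(r"(?<![0-9.])(?:" + OCTET + r"\.){3}" + OCTET + r"(?!\.?[0-9])")

# Field layout taken from the sample sshd message in the thread.
SSH_ACCEPTED = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src_ip>\S+) port (?P<port>[0-9]{1,5})\b"
)


def find_ipv4(pattern, text):
    """Return every substring of text that the given pattern matches."""
    return pattern.findall(text)


def extract_login(message):
    """Return the login fields as a dict, or None if the line is not valid."""
    m = SSH_ACCEPTED.search(message)
    if m is None:
        return None
    try:
        # ipaddress does the range check (and also accepts IPv6 sources).
        src = ipaddress.ip_address(m.group("src_ip"))
    except ValueError:
        return None
    port = int(m.group("port"))
    if not 0 < port <= 65535:
        return None
    return {"method": m.group("method"), "user": m.group("user"),
            "src_ip": str(src), "port": port}


# Constructed inputs: the thread's sample line and its invalid-address case.
GOOD = "Accepted password for admin from 192.168.1.5 port 61473 ssh2"
BAD = "Accepted password for admin from 378.9.456.840 port 61473 ssh2"

if __name__ == "__main__":
    for line in (GOOD, BAD):
        print(find_ipv4(NAIVE_IPV4, line), find_ipv4(STRICT_IPV4, line), extract_login(line))
```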