Extract two fields for auditing


(charlie) #1

Hi All,

I have IIS logs shipping to Graylog quite nicely. I can see the source IPs and the sc-status. What I’m trying to do is create a dashboard and search query for the following conditions:

The IP is public (I have a regular expression for this already)
The sc-status is 403.*

How can I combine these two fields? Should I be running an extractor that looks for two expressions (separated by |) or is there a search query I can write?


#2

You can put queries on the dashboard, so I think that can help you.
https://community.graylog.org/t/search-using-regex/4331/8
Or if you would like to do it at processing time, you can do it with pipelines. If your conditions are met you can put a new field on the message, and search for this field.
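As an added illustration of the two approaches above (this is example code written for this page, not from the thread and not Graylog's own pipeline or search code), the script below applies both conditions to a constructed IIS W3C log sample: it parses the `#Fields:` header, tests `sc-status` for 403 and the client IP for being globally routable, and stamps a marker field `public_403` on each record the way a pipeline rule would with `set_field`. Field names (`c-ip`, `sc-status`, `sc-substatus`), the marker name and the sample lines are assumptions; an extractor may rename the IIS fields. It uses Python's `ipaddress` module instead of a hand-written regex so IPv6, loopback, link-local, CGNAT and RFC 1918 sources are all handled.

```python
"""Combine two conditions (public source IP and HTTP 403) over IIS W3C log lines.

Added example, not from the Graylog thread. Field names follow the IIS W3C
header (c-ip, sc-status, sc-substatus); a Graylog extractor may rename them.
"""
import ipaddress
from typing import Any, Dict, List

# Constructed IIS W3C log sample (not real traffic). 8.8.8.8 and
# 2606:4700:4700::1111 stand in for public clients; the others are private,
# loopback or missing. Caveat: Python's ipaddress treats the RFC 5737
# documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) as
# non-global, so they are not usable as "public" test data here.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem sc-status sc-substatus c-ip
2024-01-01 10:00:00 10.0.0.5 GET /admin 403 14 8.8.8.8
2024-01-01 10:00:01 10.0.0.5 GET /admin 403 14 192.168.1.20
2024-01-01 10:00:02 10.0.0.5 GET /index.html 200 0 8.8.8.8
2024-01-01 10:00:03 10.0.0.5 GET /admin 403 2 2606:4700:4700::1111
2024-01-01 10:00:04 10.0.0.5 GET /admin 403 14 127.0.0.1
2024-01-01 10:00:05 10.0.0.5 GET /login 401 0 8.8.4.4
2024-01-01 10:00:06 10.0.0.5 GET /admin 403 14 -
"""

Record = Dict[str, Any]


def parse_iis_w3c(text: str) -> List[Record]:
    """Parse W3C extended log lines into dicts keyed by the #Fields: header."""
    fields: List[str] = []
    records: List[Record] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # header repeats when IIS rolls the file
            continue
        if not line.strip() or line.startswith("#"):
            continue                    # other directives (#Software, #Date, ...)
        values = line.split()
        if not fields or len(values) != len(fields):
            continue                    # malformed line: skip rather than misalign
        records.append(dict(zip(fields, values)))
    return records


def is_public_ip(value: str) -> bool:
    """True only for a syntactically valid, globally routable IPv4/IPv6 address.

    ipaddress covers IPv6, loopback, link-local, CGNAT (100.64/10) and
    multicast as well as the RFC 1918 ranges a typical regex checks.
    """
    try:
        return ipaddress.ip_address(value).is_global
    except ValueError:
        return False                    # "-" or garbage is never "public"


def enrich_public_403(record: Record) -> Record:
    """Add a boolean marker field, the same idea as set_field() in a pipeline rule."""
    out = dict(record)
    # sc-status holds the full HTTP status; IIS keeps the 403.x sub-code in
    # sc-substatus, so matching the status alone catches every 403 variant.
    out["public_403"] = out.get("sc-status") == "403" and is_public_ip(out.get("c-ip", ""))
    return out


def find_public_403(text: str) -> List[Record]:
    """Return only the records that satisfy both conditions."""
    return [r for r in map(enrich_public_403, parse_iis_w3c(text)) if r["public_403"]]


if __name__ == "__main__":
    for hit in find_public_403(SAMPLE_LOG):
        print(hit["time"], hit["c-ip"], hit["cs-uri-stem"],
              hit["sc-status"] + "." + hit["sc-substatus"])
```

Run stand-alone it lists the two public-source 403 lines from the sample (8.8.8.8 and the IPv6 client) and drops the private, loopback, missing-IP and non-403 lines. In Graylog the same split maps onto the two options in the reply: a dashboard search that ANDs the status term with a regex term on the client-IP field, or a pipeline rule that calls `set_field` to add the marker when both conditions hold and a search on that marker afterwards.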