Extract two fields for auditing

charlie · August 12, 2018, 8:45pm

Hi All,

I have IIS logs shipping to Graylog quite nicely. I can see the source IPs and the sc-status. What I’m trying to do is create a dashboard and search query for the following conditions:

The IP is public (I have a regular expression for this already)
The sc-status is 403.*

How can I combine these two fields? Should I be running an extractor that looks for two expressions (separated by |) or is there a search query I can write?

macko003 · August 14, 2018, 8:57am

You can put querys to the dashbord, so I think it can help for you.
https://community.graylog.org/t/search-using-regex/4331/8
Or if you would like to do it at processing time, you can do it with pipelines. If your conditions are met you can put a net field on the message, and make a search for this field.

Topic		Replies	Views
Search with regex for a numeric field Graylog Central (peer support)	4	2445	September 26, 2018
Subnet Search Query Graylog Central (peer support)	20	14692	December 11, 2017
Set a new Field in graylog Graylog Central (peer support) pipeline-rules	19	5470	August 28, 2022
Can you use regex to match patterns in KQL in graylog Graylog Central (peer support)	2	1173	January 10, 2022
Regex Search Issues Graylog Central (peer support)	13	3087	March 9, 2022

Extract two fields for auditing

Related topics