Extracting 2 PARTS of a log line into 1 field

JTHL · March 2, 2019, 12:09am

So I have some vpn logs like :
openvpn[17451]: timmy-vpn/192.168.8.11:52533 MULTI_sva: pool returned IPv4=192.168.90.5, IPv6=(Not enabled)
openvpn[17452]: tammy-vpn/192.168.8.12:51667 MULTI_sva: pool returned IPv4=192.168.90.6, IPv6=(Not enabled)
openvpn[17453]: tommy-vpn/192.168.8.13:55875 MULTI_sva: pool returned IPv4=192.168.90.7, IPv6=(Not enabled)

I would like to generate a field populated with the username AND the IPv4. Like
“tommy-vpn 192.168.90.7”

I started down the Grok road, and got something like this to match:
^openvpn[[0-9]+]: %{USERNAME:ovpn_user}/%{IPV4}.*IPv4=%{IPV4:ovpn_ip_assigned},
It works on this Grok tester :
http://grokdebug.herokuapp.com/

I created the Grok in the place you create them in Graylog.

But in the interface to create an extractor, this Grok doesn’t seem to match anything.

And I’m starting to think the Grok thing might not be what I’m looking for.

Is there a way to grab arbitrary parts of a text log message an join them together to a field?

jan · March 2, 2019, 9:44am

with the processing pipelines and GROK your idea can bekome true. But not with the extractors.

JTHL · March 4, 2019, 4:22pm

Thanks a ton!
I started getting that feeling.

system · March 18, 2019, 4:22pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Issues with attempting to pull Fields from Message Graylog Central (peer support)	3	608	May 25, 2018
Extract IPv4 from ubuntu syslog message Graylog Central (peer support)	4	1849	May 21, 2020
One complex grok Vs a set of regex extractors Graylog Central (peer support)	5	2056	April 20, 2020
Parsing log with Pipeline and Grok Pattern Graylog Central (peer support)	2	49	July 9, 2024
Graylog - Modsecurity Audit Logs - Grokpattern Graylog Central (peer support)	7	2263	January 4, 2019

Extracting 2 PARTS of a log line into 1 field

Related Topics