Extractor doesn't appear in field

Hi, I created a few Grok pattern extractors for Zyxel log entries.
Input is Standard Syslog input
Source string is:

<141>May 23 07:33:48 zywall-110 CEF:0|ZyXEL|ZyWALL 110|4.20(AAAA.2)|0|Access Control|5|src=172.19.5.40 dst=64.233.164.94 spt=49536 dpt=443 msg=priority:36, from LAN1 to ANY, TCP, service others, ACCEPT proto=6 app=others

I need to extract values, for example:

src=%{IPV4:Source Address}
dst=%{IPV4:Destination Address}

And it obviously works, output is:

Extractor preview

Destination Address

13.107.3.128

But it doesn't appear as fields in Search.

What am I doing wrong?

And another question: Does Graylog support multiple inputs on the same network port?

Writing a grok pattern or any normalization with only a single message is nearly impossible. But I would first do a Key-Value extraction on the message or, better, just use the CEF input, as this is a CEF message …

But not sure if all of your messages are CEF from that device.

For the second question: No, you can only have one input on the same network and port. Should you need different extractors or normalizations on messages coming in on the same input, I would advise using the processing pipeline rules, as they are more flexible for that.
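As an added illustration of the key/value approach suggested above (example code, not from the thread or from Graylog), this parses the ZyWALL line from the question into CEF header fields plus extension key/values. The extension keys are kept as the space-free CEF key names (`src`, `dst`, `msg`, ...), and a line without a CEF header is rejected, since not every message from the device may be CEF; the `SAMPLE` string is copied from the question.

```python
import re

# Sample Zyxel ZyWALL CEF-over-syslog line, copied from the question above.
SAMPLE = ("<141>May 23 07:33:48 zywall-110 CEF:0|ZyXEL|ZyWALL 110|4.20(AAAA.2)|0|"
          "Access Control|5|src=172.19.5.40 dst=64.233.164.94 spt=49536 dpt=443 "
          "msg=priority:36, from LAN1 to ANY, TCP, service others, ACCEPT proto=6 app=others")

# The seven fixed CEF header fields, in order (names chosen here, not Graylog's).
CEF_HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity")

# An extension key is a word followed by '=' at the start or after whitespace;
# a value runs up to the next such key, so 'msg=' may contain spaces and commas.
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

SYSLOG_CEF_RE = re.compile(r"^<(\d{1,3})>(\S+ +\d+ \d\d:\d\d:\d\d) (\S+) CEF:(.*)$")


def parse_cef_syslog(line):
    """Split a syslog-wrapped CEF line into a flat dict of header and extension fields."""
    m = SYSLOG_CEF_RE.match(line)
    if not m:
        raise ValueError("not a syslog-wrapped CEF line")
    pri, ts, host, cef = m.groups()
    # Header is exactly 7 pipe-separated fields; '\|' inside a field is an escaped pipe.
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 fields followed by the extension")
    header = {k: v.replace("\\|", "|") for k, v in zip(CEF_HEADER_FIELDS, parts[:7])}
    extension = parts[7]
    ext = {}
    keys = list(EXT_KEY_RE.finditer(extension))
    for i, km in enumerate(keys):
        start = km.end()
        end = keys[i + 1].start() if i + 1 < len(keys) else len(extension)
        ext[km.group(1)] = extension[start:end].strip()
    record = {"syslog_pri": int(pri), "timestamp": ts, "source": host}
    record.update(header)
    record.update(ext)
    return record


if __name__ == "__main__":
    for k, v in parse_cef_syslog(SAMPLE).items():
        print(f"{k} = {v}")
```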
