Extractors not working for pfsense

abadanvolek · June 27, 2022, 8:27pm

I have imported extractors.json into my input for pfsense just fine, but when you do search the messages are not parsed. I have tried multiple times with different pfsense extractors from the market place and the result is the same. The messages are not parsed.

Using:
Graylog 4.3.2
opensearch-1.3.3-1
mongodb-org-server-5.0.9
java-17-openjdk-headless-17.0.3.0.7

extractor:
greenmoss pfsense_graylog

Thank you

gsmith · June 27, 2022, 10:23pm

Hello,

Can I ask which plugin you using?

Search results for 'pfsense #marketplace' - Graylog Community

Is it possible to show an example of what has been tried and what the messages look like?

abadanvolek · June 27, 2022, 10:40pm

Hi,

I have used:

Thorough extractors for pfsense filter logs

Pfsense extractor for Graylog

https://raw.githubusercontent.com/lawrencesystems/graylog_extractors/main/pfsense_24.json

the result is the same for all

Thanks

gsmith · June 27, 2022, 10:49pm

Do you see anything in Elasticsearch and/or Graylog log files pertaining to this issue?

abadanvolek · June 27, 2022, 10:53pm

I didn’t see anything in server.log. I don’t know of any other log to look for extractor messages.

gsmith · June 27, 2022, 11:06pm

Ok, The message/log from pfsense, test the extractor, does it show any information?

Example:
Navigate to the input used, click on “Manage extractors”. Use the message ID & Index number from pfsense logs.

This should give some what an idea what’s going on and maybe show something in Graylog log file.

When troubleshooting, I would look at all the logs just incase. Here is the default file location if need be.

Default file locations

This is hard to troubleshoot with the amount of information given.

abadanvolek · June 28, 2022, 12:00am

Here is Example message:
filterlog[23052]: 113,1770008886,bce1,match,block,in,4,0x20,237,54355,0,none,6,tcp,44,193.201.9.61,xx.xx.xx.xx,48568,5249,0,S,1192601897,1024,mss

Here is the regular expression:
^.filterlog:(.)$

When I click on “Try” I get “Regular Expression did not match”. What is wrong here??

gsmith · June 28, 2022, 12:07am

Looks like you specifying filterlog in this regex. and I do not see filterlog

Example:

EDIT Correction I over looked it, I see it now

abadanvolek · June 28, 2022, 12:29am

I fixed the regular expression. now it is working.
Thank you for your help.

gsmith · June 28, 2022, 12:30am

Awesome, Glad to help troubleshoot with ya

system · July 12, 2022, 12:31am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Extractor works in test but not on message Graylog Central (peer support)	6	924	March 3, 2019
JSON extractor not working Graylog Central (peer support) pipeline-rules	10	5949	August 22, 2020
JSON extractor not working? Graylog Central (peer support)	5	4752	September 24, 2018
pfSense Pipeline Graylog Central (peer support)	3	1191	April 19, 2019
Input Extractor Not Capture All Logs Graylog Central (peer support)	1	21	August 12, 2024

Extractors not working for pfsense

Related Topics