Filtering proxy domains


#1

Hello,

We are integrating Graylog into our structure at the moment. Now we would like to log our Squid proxy. Now we have one problem.

The domain is shown as “example.google.com” instead of “google.com”. Is there a way to filter the domain?

Or what does the extractor look like?

Best regards


(Jochen) #2

Which domain? Please elaborate on what you’re trying to accomplish.

This being said, there’s a content pack for Squid on the Graylog Marketplace: https://marketplace.graylog.org/addons/bd3efa5f-6ccb-47ce-97ea-6ebe0270a9c7


#3

If you mean you have a field called “domain” that contains example.google.com and you want to get rid of everything before the first stop, you can try creating a regex extractor for the field.

Try
.*?\.(.*)
as a regex (try the Try-button to see if it produces what you want).

Then make the extractor save the result in the field domain (you can overwrite the field with an extractor).
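
An added example, not part of the original posts: a small Python harness for checking candidate extractor patterns against constructed hostnames before saving them in Graylog. It assumes the extractor keeps capture group 1 of the first match; the pattern names and the `extract` and `normalize` helpers are hypothetical, and the last-two-labels pattern goes beyond what the thread suggests.

```python
import re

# Constructed sample values for a proxy log "domain" field.
SAMPLES = ["example.google.com", "a.b.google.com", "google.com",
           "www.example.co.uk", "localhost"]

# A lazy group with nothing after it is satisfied by the empty string.
LAZY_UNANCHORED = r".*?\.(.*?)"
# Everything after the first dot: drops exactly one leading label.
AFTER_FIRST_LABEL = r"^[^.]*\.(.+)$"
# Only the final two labels, however many subdomains precede them.
LAST_TWO_LABELS = r"([^.]+\.[^.]+)$"


def extract(pattern, value):
    """Mimic a regex extractor (assumed behaviour): group 1 of the first match."""
    m = re.search(pattern, value)
    return m.group(1) if m else None


def normalize(value):
    """Return the last two labels; leave single-label hosts unchanged."""
    return extract(LAST_TWO_LABELS, value) or value


if __name__ == "__main__":
    for host in SAMPLES:
        print(f"{host:22} lazy={extract(LAZY_UNANCHORED, host)!r:6} "
              f"after_first={extract(AFTER_FIRST_LABEL, host)!r:16} "
              f"last_two={normalize(host)!r}")
```

Dropping the first label turns an already-bare `google.com` into `com`, and keeping the last two labels reduces `www.example.co.uk` to `co.uk`; handling multi-label suffixes correctly needs a public suffix list lookup rather than a regex.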