I upgraded Graylog from 2.5 to 3.0. After the upgrade everything appears to be OK, except that most of my extractors are missing. I can still see them configured in MongoDB, but there is no sign of them in the Graylog web GUI. Any idea what happened or how I can fix this?
Here is a sample ASA input. Below is the JSON document for that input as stored in MongoDB; the Graylog input page shows no extractors listed.
{
"_id":{
"$oid":"573642aae55263250d283656"
},
"configuration":{
"expand_structured_data":false,
"recv_buffer_size":262144,
"port":10518,
"override_source":"ASA",
"force_rdns":false,
"allow_override_date":true,
"bind_address":"0.0.0.0",
"store_full_message":false
},
"content_pack":null,
"created_at":{
"$date":"2016-05-13T21:10:02.039Z"
},
"creator_user_id":"admin",
"extractors":[
{
"creator_user_id":"admin",
"source_field":"message",
"condition_type":"regex",
"title":"ASA TCP Connection Teardown ",
"type":"grok",
"cursor_strategy":"copy",
"target_field":"",
"extractor_config":{
"grok_pattern":"%ASA-\\d-(?\u003casa_messageid\u003e302014): (?\u003casa_action\u003eTeardown) (?\u003casa_proto\u003eTCP) connection %{BASE10NUM:asa_conn_id} for %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} to %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} duration %{TIME:asa_conn_durration} bytes %{BASE10NUM:asa_conn_bytes;long}"
},
"condition_value":"^.*: %ASA-6-302014: Teardown TCP connection",
"converters":[
],
"id":"b4b87920-1952-11e6-9b97-0050568df5d8",
"order":{
"$numberLong":"1"
}
},
{
"creator_user_id":"admin",
"source_field":"message",
"condition_type":"regex",
"title":"ASA UDP Discards",
"type":"grok",
"cursor_strategy":"copy",
"target_field":"message",
"extractor_config":{
"grok_pattern":"^%{IPORHOST:asa_dev} %ASA-\\d-(?\u003casa_messageid\u003e710005): (?\u003casa_proto\u003eUDP) request (?\u003casa_action\u003ediscarded) from %{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} to %{DATA:asa_interface_in}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port}$"
},
"condition_value":"(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])) %ASA-\\d-710005: UDP request discarded",
"converters":[
],
"id":"b4b87921-1952-11e6-9b97-0050568df5d8",
"order":{
"$numberLong":"10"
}
},
{
"creator_user_id":"admin",
"source_field":"message",
"condition_type":"regex",
"title":"ASA TCP Connection Built ",
"type":"grok",
"cursor_strategy":"copy",
"target_field":"",
"extractor_config":{
"grok_pattern":"%ASA-\\d-(?\u003casa_messageid\u003e302013): (?\u003casa_action\u003eBuilt) %{NOTSPACE:asa_direction} (?\u003casa_proto\u003eTCP) connection %{BASE10NUM:asa_conn_id} for %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} \\(%{IPV4:asa_mapped_src_ip}/%{BASE10NUM:asa_mapped_src_port}\\) to %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} \\(%{IPV4:asa_mapped_dst_ip}/%{BASE10NUM:asa_mapped_dst_port}\\)"
},
"condition_value":"^.*: %ASA-6-302013: Built (.+) TCP connection",
"converters":[
],
"id":"b4b91560-1952-11e6-9b97-0050568df5d8",
"order":{
"$numberLong":"0"
}
},
{
"creator_user_id":"admin",
"source_field":"message",
"condition_type":"regex",
"title":"ASA UDP Denies",
"type":"grok",
"cursor_strategy":"copy",
"target_field":"message",
"extractor_config":{
"grok_pattern":"%{IPORHOST:asa_dev} %ASA-\\d-(?\u003casa_messageid\u003e106023): (?\u003casa_action\u003eDeny) (?\u003casa_proto\u003eudp) src %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} dst %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} by access-group %{QUOTEDSTRING:asa_accesslist}"
},
"condition_value":"(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])) %ASA-\\d-106023: Deny udp",
"converters":[
],
"id":"b4b96381-1952-11e6-9b97-0050568df5d8",
"order":{
"$numberLong":"8"
}
},
{
"creator_user_id":"admin",
"source_field":"message",
"condition_type":"regex",
"title":"ASA TCP Denies",
"type":"grok",
"cursor_strategy":"copy",
"target_field":"message",
"extractor_config":{
"grok_pattern":"%{IPORHOST:asa_dev} %ASA-\\d-(?\u003casa_messageid\u003e106023): (?\u003casa_action\u003eDeny) (?\u003casa_proto\u003etcp) src %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} dst %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} by access-group %{QUOTEDSTRING:asa_accesslist}"
},
"condition_value":"(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])) %ASA-\\d-106023: Deny tcp",
"converters":[
],
"id":"b4be93a1-1952-11e6-9b97-0050568df5d8",
"order":{
"$numberLong":"9"
}
},
{
"creator_user_id":"admin",
"source_field":"message",
"condition_type":"regex",
"title":"ASA ICMP Denies ",
"type":"grok",
"cursor_strategy":"copy",
"target_field":"",
"extractor_config":{
"grok_pattern":"%ASA-\\d-(?\u003casa_messageid\u003e106023): (?\u003casa_action\u003eDeny) (?\u003casa_proto\u003eicmp) src %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip} dst %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip} \\(type %{BASE10NUM:asa_icmp_type}, code %{BASE10NUM:asa_icmp_code}\\) by access-group %{QUOTEDSTRING:asa_accesslist}"
},
"condition_value":"^.*: %ASA-4-106023: Deny icmp src ",
"converters":[
],
"id":"b4be93a0-1952-11e6-9b97-0050568df5d8",
"order":{
"$numberLong":"5"
}
},
{
"creator_user_id":"admin",
"source_field":"message",
"condition_type":"regex",
"title":"ASA UDP Connection Built ",
"type":"grok",
"cursor_strategy":"copy",
"target_field":"",
"extractor_config":{
"grok_pattern":"%ASA-\\d-(?\u003casa_messageid\u003e302015): (?\u003casa_action\u003eBuilt) %{NOTSPACE:asa_direction} (?\u003casa_proto\u003eUDP) connection %{BASE10NUM:asa_conn_id} for %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} \\(%{IPV4:asa_mapped_src_ip}/%{BASE10NUM:asa_mapped_src_port}\\) to %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} \\(%{IPV4:asa_mapped_dst_ip}/%{BASE10NUM:asa_mapped_dst_port}\\)"
},
"condition_value":"^.*: %ASA-6-302015: Built (.+) UDP connection",
"converters":[
],
"id":"b4bff330-1952-11e6-9b97-0050568df5d8",
"order":{
"$numberLong":"2"
}
},
{
"creator_user_id":"admin",
"source_field":"message",
"condition_type":"regex",
"title":"ASA TCP Discards",
"type":"grok",
"cursor_strategy":"copy",
"target_field":"message",
"extractor_config":{
"grok_pattern":"^%{IPORHOST:asa_dev} %ASA-\\d-(?\u003casa_messageid\u003e710005): (?\u003casa_proto\u003eTCP) request (?\u003casa_action\u003ediscarded) from %{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} to %{DATA:asa_interface_in}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port}$"
},
"condition_value":"(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])) %ASA-\\d-710005: TCP request discarded",
"converters":[
],
"id":"b4bbd481-1952-11e6-9b97-0050568df5d8",
"order":{
"$numberLong":"6"
}
},
{
"creator_user_id":"admin",
"source_field":"message",
"condition_type":"regex",
"title":"ASA TCP Drops",
"type":"grok",
"cursor_strategy":"copy",
"target_field":"message",
"extractor_config":{
"grok_pattern":"%{IPORHOST:asa_dev} %ASA-\\d-(?\u003casa_messageid\u003e106015): (?\u003casa_action\u003eDeny) (?\u003casa_proto\u003eTCP) %{DATA:asa_message} from %{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} to %{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} flags %{DATA:tcpflags} on interface %{DATA:asa_interface_in}$"
},
"condition_value":"(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])) %ASA-\\d-106015: Deny TCP",
"converters":[
],
"id":"b4bbd480-1952-11e6-9b97-0050568df5d8",
"order":{
"$numberLong":"7"
}
},
{
"creator_user_id":"admin",
"source_field":"message",
"condition_type":"regex",
"title":"ASA UDP Connection Teardown ",
"type":"grok",
"cursor_strategy":"copy",
"target_field":"",
"extractor_config":{
"grok_pattern":"%ASA-\\d-(?\u003casa_messageid\u003e302016): (?\u003casa_action\u003eTeardown) (?\u003casa_proto\u003eUDP) connection %{BASE10NUM:asa_conn_id} for %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} to %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} duration %{TIME:asa_conn_durration} bytes %{BASE10NUM:asa_conn_bytes;long}"
},
"condition_value":"^.*: %ASA-6-302016: Teardown UDP connection",
"converters":[
],
"id":"b4c0b680-1952-11e6-9b97-0050568df5d8",
"order":{
"$numberLong":"3"
}
},
{
"creator_user_id":"admin",
"source_field":"message",
"condition_type":"regex",
"title":"ASA UDP/TCP Denies ",
"type":"grok",
"cursor_strategy":"copy",
"target_field":"",
"extractor_config":{
"grok_pattern":"%ASA-\\d-(?\u003casa_messageid\u003e106023): (?\u003casa_action\u003eDeny) %{NOTSPACE:asa_proto} src %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} dst %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} by access-group %{QUOTEDSTRING:asa_accesslist}"
},
"condition_value":"^.*: %ASA-4-106023: Deny [tu][cd]p src ",
"converters":[
],
"id":"b4c0b681-1952-11e6-9b97-0050568df5d8",
"order":{
"$numberLong":"4"
}
},
{
"creator_user_id":"admin",
"source_field":"message",
"condition_type":"regex",
"title":"ASA TCP Denied by security policy ",
"type":"grok",
"cursor_strategy":"copy",
"target_field":"",
"extractor_config":{
"grok_pattern":"%ASA-\\d-(?\u003casa_messageid\u003e106001): %{NOTSPACE:asa_direction} %{NOTSPACE:asa_proto} connection denied from %{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} to %{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} flags (?\u003casa_flags\u003e.+) on interface %{NOTSPACE:asa_interface}"
},
"condition_value":"^.*: %ASA-2-106001: Inbound TCP connection denied",
"converters":[
],
"id":"04b21e50-1957-11e6-9b97-0050568df5d8",
"order":{
"$numberLong":"0"
}
},
{
"creator_user_id":"admin",
"source_field":"message",
"condition_type":"none",
"title":"ASA Login Failed",
"type":"grok",
"cursor_strategy":"copy",
"target_field":"",
"extractor_config":{
"grok_pattern":"%ASA-\\d-(?\u003casa_messageid\u003e611102): User authentication failed:"
},
"condition_value":"",
"converters":[
],
"id":"7fba4b21-5360-11e6-8032-0050568df5d8",
"order":{
"$numberLong":"0"
}
},
{
"creator_user_id":"admin",
"source_field":"message",
"condition_type":"none",
"title":"ASA Login Success",
"type":"grok",
"cursor_strategy":"copy",
"target_field":"",
"extractor_config":{
"grok_pattern":"%ASA-\\d-(?\u003casa_messageid\u003e611101): User authentication succeeded:"
},
"condition_value":"",
"converters":[
],
"id":"7fba4b20-5360-11e6-8032-0050568df5d8",
"order":{
"$numberLong":"0"
}
}
],
"global":false,
"name":"Syslog UDP",
"node_id":"35771810-181d-43ae-946b-4b555f31b4ba",
"title":"ASA",
"type":"org.graylog2.inputs.syslog.udp.SyslogUDPInput"
}
I found a number of errors in server.log:
2019-02-20T07:02:54.687-05:00 ERROR [InputServiceImpl] Cannot build extractor from persisted data. Skipping.
java.util.regex.PatternSyntaxException: named capturing group is missing trailing '>' near index 14
%ASA-\d-(?<asa_messageid>611101):
2019-02-20T07:02:54.684-05:00 ERROR [InputServiceImpl] Cannot build extractor from persisted data. Skipping.
java.util.regex.PatternSyntaxException: named capturing group is missing trailing '>' near index 14
%ASA-\d-(?<asa_messageid>106001): (?<name0>\S+) (?<name1>\S+) connection denied from (?<name2>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](
?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name3>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) to (?<name4>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?
:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name5>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) flags (?<asa_flags>.+) on interface (?<name6>\S+)
2019-02-20T07:02:54.682-05:00 ERROR [InputServiceImpl] Cannot build extractor from persisted data. Skipping.
java.util.regex.PatternSyntaxException: named capturing group is missing trailing '>' near index 14
%ASA-\d-(?<asa_messageid>106023): (?<asa_action>Deny) (?<name0>\S+) src (?<name1>\S+):(?<name2>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]
(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name3>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) dst (?<name4>\S+):(?<name5>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-
9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name6>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) by access-group (?<name7>(?>(?<!\\)(?>"(?>\\.|[^\\"]+)+
"|""|(?>'(?>\\.|[^\\']+)+')|''|(?>`(?>\\.|[^\\`]+)+`)|``)))
2019-02-20T07:02:54.680-05:00 ERROR [InputServiceImpl] Cannot build extractor from persisted data. Skipping.
java.util.regex.PatternSyntaxException: named capturing group is missing trailing '>' near index 14
%ASA-\d-(?<asa_messageid>302016): (?<asa_action>Teardown) (?<asa_proto>UDP) connection (?<name0>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) for (?<name1>\S+):(?<name2>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-
5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name3>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) to (?<name4>\S+):(?<
name5>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name6>(?<![0-9.+-])(?>[+-]?(?:(?:[
0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) duration (?<name7>(?!<[0-9])(?<name8>(?:2[0123]|[01]?[0-9])):(?<name9>(?:[0-5][0-9]))(?::(?<name10>(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))(?![0-9])) bytes (?<name11>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?
:\.[0-9]+)?)|(?:\.[0-9]+))))
2019-02-20T07:02:54.678-05:00 ERROR [InputServiceImpl] Cannot build extractor from persisted data. Skipping.
java.util.regex.PatternSyntaxException: named capturing group is missing trailing '>' near index 1421
(?<name0>(?:(?<name1>(?:(?<name2>((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-
f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\
d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{
1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\
d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?)|(?<name3>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]
{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))))|(?<name4>\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)))) %ASA-\d-(?<asa_
messageid>106015): (?<asa_action>Deny) (?<asa_proto>TCP) (?<name5>.*?) from (?<name6>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[
0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name7>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) to (?<name8>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0
-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name9>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) flags (?<name10>.*?) on interface (?<name11>.*?)$
2019-02-20T07:02:54.676-05:00 ERROR [InputServiceImpl] Cannot build extractor from persisted data. Skipping.
java.util.regex.PatternSyntaxException: named capturing group is missing trailing '>' near index 1422
^(?<name0>(?:(?<name1>(?:(?<name2>((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa
-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?
\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]
{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?
\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?)|(?<name3>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9
]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))))|(?<name4>\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)))) %ASA-\d-(?<asa
_messageid>710005): (?<asa_proto>TCP) request (?<asa_action>discarded) from (?<name5>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[
0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name6>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) to (?<name7>.*?):(?<name8>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])
[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name9>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))$
2019-02-20T07:02:54.674-05:00 ERROR [InputServiceImpl] Cannot build extractor from persisted data. Skipping.
java.util.regex.PatternSyntaxException: named capturing group is missing trailing '>' near index 14
%ASA-\d-(?<asa_messageid>302015): (?<asa_action>Built) (?<name0>\S+) (?<asa_proto>UDP) connection (?<name1>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) for (?<name2>\S+):(?<name3>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4]
[0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name4>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) \((?<name
5>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name6>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]
+(?:\.[0-9]+)?)|(?:\.[0-9]+))))\) to (?<name7>\S+):(?<name8>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[
0-5]))(?![0-9]))/(?<name9>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) \((?<name10>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0
-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name11>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))\)
^
Graylog 3.0 is unable to process the following grok pattern:
(?<asa_proto>UDP)
Data sample:
Feb 20 2019 07:44:35: %ASA-6-302016: Teardown UDP connection 43191210 for outside:1.1.1.1/123 to inside:2.2.2.2/123 duration 0:04:01 bytes 985
Error:
We were not able to run the grok extraction because of the following error: named capturing group is missing trailing '>' near index 6 (?<asa_proto>UDP) ^
I was able to rewrite one of the grok patterns to get it to work.
Before:
ASA-\\d-(?<asa_messageid>302016): (?<asa_action>Teardown) (?<asa_proto>UDP) connection %{BASE10NUM:asa_conn_id} for %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} to %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} duration %{TIME:asa_conn_durration} bytes %{BASE10NUM:asa_conn_bytes;long}
After:
ASA-\d-%{WORD:asa_messageid:int}: %{WORD:asa_action} %{WORD:asa_proto} connection %{BASE10NUM:asa_conn_id} for %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} to %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} duration %{TIME:asa_conn_durration} bytes %{BASE10NUM:asa_conn_bytes;long}
I still don’t understand why the old patterns broke in 3.0. The only change in the rewrite is that the inline `(?<asa_…>…)` named groups were replaced with `%{WORD:…}` references, and the reported error index (14 in `%ASA-\d-(?<asa_messageid…`, 6 in `(?<asa_proto…`) lands on the underscore in the group name.
Hello @leftorbit23,
That should not have happened, and I think it’s a bug in the product. Would you be so kind as to open an issue in our GitHub repository? Please add the information you kindly provided to the ticket.
Thank you!
Done. Issue submitted on GitHub.