Graylog 3.0 upgrade - Extractors missing

leftorbit23 · February 20, 2019, 12:13pm

I upgraded Graylog from 2.5 to 3.0. After the upgrade everything appears to be ok, except for the fact that most of my extractors are missing. I can still see them configured in MongoDB, but there is no sign of them in the Graylog webgui. Any idea what happened or how I can fix this?

leftorbit23 · February 20, 2019, 12:18pm

Here is a sample ASA input. Below is the json from MongoDB. Graylog input is showing no extractors listed.

{  
   "_id":{  
      "$oid":"573642aae55263250d283656"
   },
   "configuration":{  
      "expand_structured_data":false,
      "recv_buffer_size":262144,
      "port":10518,
      "override_source":"ASA",
      "force_rdns":false,
      "allow_override_date":true,
      "bind_address":"0.0.0.0",
      "store_full_message":false
   },
   "content_pack":null,
   "created_at":{  
      "$date":"2016-05-13T21:10:02.039Z"
   },
   "creator_user_id":"admin",
   "extractors":[  
      {  
         "creator_user_id":"admin",
         "source_field":"message",
         "condition_type":"regex",
         "title":"ASA TCP Connection Teardown ",
         "type":"grok",
         "cursor_strategy":"copy",
         "target_field":"",
         "extractor_config":{  
            "grok_pattern":"%ASA-\\d-(?\u003casa_messageid\u003e302014): (?\u003casa_action\u003eTeardown) (?\u003casa_proto\u003eTCP) connection %{BASE10NUM:asa_conn_id} for %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} to %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} duration %{TIME:asa_conn_durration} bytes %{BASE10NUM:asa_conn_bytes;long}"
         },
         "condition_value":"^.*: %ASA-6-302014: Teardown TCP connection",
         "converters":[  

         ],
         "id":"b4b87920-1952-11e6-9b97-0050568df5d8",
         "order":{  
            "$numberLong":"1"
         }
      },
      {  
         "creator_user_id":"admin",
         "source_field":"message",
         "condition_type":"regex",
         "title":"ASA UDP Discards",
         "type":"grok",
         "cursor_strategy":"copy",
         "target_field":"message",
         "extractor_config":{  
            "grok_pattern":"^%{IPORHOST:asa_dev} %ASA-\\d-(?\u003casa_messageid\u003e710005): (?\u003casa_proto\u003eUDP) request (?\u003casa_action\u003ediscarded) from %{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} to %{DATA:asa_interface_in}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port}$"
         },
         "condition_value":"(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])) %ASA-\\d-710005: UDP request discarded",
         "converters":[  

         ],
         "id":"b4b87921-1952-11e6-9b97-0050568df5d8",
         "order":{  
            "$numberLong":"10"
         }
      },
      {  
         "creator_user_id":"admin",
         "source_field":"message",
         "condition_type":"regex",
         "title":"ASA TCP Connection Built ",
         "type":"grok",
         "cursor_strategy":"copy",
         "target_field":"",
         "extractor_config":{  
            "grok_pattern":"%ASA-\\d-(?\u003casa_messageid\u003e302013): (?\u003casa_action\u003eBuilt) %{NOTSPACE:asa_direction} (?\u003casa_proto\u003eTCP) connection %{BASE10NUM:asa_conn_id} for %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} \\(%{IPV4:asa_mapped_src_ip}/%{BASE10NUM:asa_mapped_src_port}\\) to %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} \\(%{IPV4:asa_mapped_dst_ip}/%{BASE10NUM:asa_mapped_dst_port}\\)"
         },
         "condition_value":"^.*: %ASA-6-302013: Built (.+) TCP connection",
         "converters":[  

         ],
         "id":"b4b91560-1952-11e6-9b97-0050568df5d8",
         "order":{  
            "$numberLong":"0"
         }
      },
      {  
         "creator_user_id":"admin",
         "source_field":"message",
         "condition_type":"regex",
         "title":"ASA UDP Denies",
         "type":"grok",
         "cursor_strategy":"copy",
         "target_field":"message",
         "extractor_config":{  
            "grok_pattern":"%{IPORHOST:asa_dev} %ASA-\\d-(?\u003casa_messageid\u003e106023): (?\u003casa_action\u003eDeny) (?\u003casa_proto\u003eudp) src %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} dst %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} by access-group %{QUOTEDSTRING:asa_accesslist}"
         },
         "condition_value":"(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])) %ASA-\\d-106023: Deny udp",
         "converters":[  

         ],
         "id":"b4b96381-1952-11e6-9b97-0050568df5d8",
         "order":{  
            "$numberLong":"8"
         }
      },
      {  
         "creator_user_id":"admin",
         "source_field":"message",
         "condition_type":"regex",
         "title":"ASA TCP Denies",
         "type":"grok",
         "cursor_strategy":"copy",
         "target_field":"message",
         "extractor_config":{  
            "grok_pattern":"%{IPORHOST:asa_dev} %ASA-\\d-(?\u003casa_messageid\u003e106023): (?\u003casa_action\u003eDeny) (?\u003casa_proto\u003etcp) src %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} dst %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} by access-group %{QUOTEDSTRING:asa_accesslist}"
         },
         "condition_value":"(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])) %ASA-\\d-106023: Deny tcp",
         "converters":[  

         ],
         "id":"b4be93a1-1952-11e6-9b97-0050568df5d8",
         "order":{  
            "$numberLong":"9"
         }
      },
      {  
         "creator_user_id":"admin",
         "source_field":"message",
         "condition_type":"regex",
         "title":"ASA ICMP Denies ",
         "type":"grok",
         "cursor_strategy":"copy",
         "target_field":"",
         "extractor_config":{  
            "grok_pattern":"%ASA-\\d-(?\u003casa_messageid\u003e106023): (?\u003casa_action\u003eDeny) (?\u003casa_proto\u003eicmp) src %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip} dst %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip} \\(type %{BASE10NUM:asa_icmp_type}, code %{BASE10NUM:asa_icmp_code}\\) by access-group %{QUOTEDSTRING:asa_accesslist}"
         },
         "condition_value":"^.*: %ASA-4-106023: Deny icmp src ",
         "converters":[  

         ],
         "id":"b4be93a0-1952-11e6-9b97-0050568df5d8",
         "order":{  
            "$numberLong":"5"
         }
      },
      {  
         "creator_user_id":"admin",
         "source_field":"message",
         "condition_type":"regex",
         "title":"ASA UDP Connection Built ",
         "type":"grok",
         "cursor_strategy":"copy",
         "target_field":"",
         "extractor_config":{  
            "grok_pattern":"%ASA-\\d-(?\u003casa_messageid\u003e302015): (?\u003casa_action\u003eBuilt) %{NOTSPACE:asa_direction} (?\u003casa_proto\u003eUDP) connection %{BASE10NUM:asa_conn_id} for %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} \\(%{IPV4:asa_mapped_src_ip}/%{BASE10NUM:asa_mapped_src_port}\\) to %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} \\(%{IPV4:asa_mapped_dst_ip}/%{BASE10NUM:asa_mapped_dst_port}\\)"
         },
         "condition_value":"^.*: %ASA-6-302015: Built (.+) UDP connection",
         "converters":[  

         ],
         "id":"b4bff330-1952-11e6-9b97-0050568df5d8",
         "order":{  
            "$numberLong":"2"
         }
      },
      {  
         "creator_user_id":"admin",
         "source_field":"message",
         "condition_type":"regex",
         "title":"ASA TCP Discards",
         "type":"grok",
         "cursor_strategy":"copy",
         "target_field":"message",
         "extractor_config":{  
            "grok_pattern":"^%{IPORHOST:asa_dev} %ASA-\\d-(?\u003casa_messageid\u003e710005): (?\u003casa_proto\u003eTCP) request (?\u003casa_action\u003ediscarded) from %{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} to %{DATA:asa_interface_in}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port}$"
         },
         "condition_value":"(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])) %ASA-\\d-710005: TCP request discarded",
         "converters":[  

         ],
         "id":"b4bbd481-1952-11e6-9b97-0050568df5d8",
         "order":{  
            "$numberLong":"6"
         }
      },
      {  
         "creator_user_id":"admin",
         "source_field":"message",
         "condition_type":"regex",
         "title":"ASA TCP Drops",
         "type":"grok",
         "cursor_strategy":"copy",
         "target_field":"message",
         "extractor_config":{  
            "grok_pattern":"%{IPORHOST:asa_dev} %ASA-\\d-(?\u003casa_messageid\u003e106015): (?\u003casa_action\u003eDeny) (?\u003casa_proto\u003eTCP) %{DATA:asa_message} from %{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} to %{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} flags %{DATA:tcpflags} on interface %{DATA:asa_interface_in}$"
         },
         "condition_value":"(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])) %ASA-\\d-106015: Deny TCP",
         "converters":[  

         ],
         "id":"b4bbd480-1952-11e6-9b97-0050568df5d8",
         "order":{  
            "$numberLong":"7"
         }
      },
      {  
         "creator_user_id":"admin",
         "source_field":"message",
         "condition_type":"regex",
         "title":"ASA UDP Connection Teardown ",
         "type":"grok",
         "cursor_strategy":"copy",
         "target_field":"",
         "extractor_config":{  
            "grok_pattern":"%ASA-\\d-(?\u003casa_messageid\u003e302016): (?\u003casa_action\u003eTeardown) (?\u003casa_proto\u003eUDP) connection %{BASE10NUM:asa_conn_id} for %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} to %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} duration %{TIME:asa_conn_durration} bytes %{BASE10NUM:asa_conn_bytes;long}"
         },
         "condition_value":"^.*: %ASA-6-302016: Teardown UDP connection",
         "converters":[  

         ],
         "id":"b4c0b680-1952-11e6-9b97-0050568df5d8",
         "order":{  
            "$numberLong":"3"
         }
      },
      {  
         "creator_user_id":"admin",
         "source_field":"message",
         "condition_type":"regex",
         "title":"ASA UDP/TCP Denies ",
         "type":"grok",
         "cursor_strategy":"copy",
         "target_field":"",
         "extractor_config":{  
            "grok_pattern":"%ASA-\\d-(?\u003casa_messageid\u003e106023): (?\u003casa_action\u003eDeny) %{NOTSPACE:asa_proto} src %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} dst %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} by access-group %{QUOTEDSTRING:asa_accesslist}"
         },
         "condition_value":"^.*: %ASA-4-106023: Deny [tu][cd]p src ",
         "converters":[  

         ],
         "id":"b4c0b681-1952-11e6-9b97-0050568df5d8",
         "order":{  
            "$numberLong":"4"
         }
      },
      {  
         "creator_user_id":"admin",
         "source_field":"message",
         "condition_type":"regex",
         "title":"ASA TCP Denied by security policy ",
         "type":"grok",
         "cursor_strategy":"copy",
         "target_field":"",
         "extractor_config":{  
            "grok_pattern":"%ASA-\\d-(?\u003casa_messageid\u003e106001): %{NOTSPACE:asa_direction} %{NOTSPACE:asa_proto} connection denied from %{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} to %{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} flags (?\u003casa_flags\u003e.+)  on interface %{NOTSPACE:asa_interface}"
         },
         "condition_value":"^.*: %ASA-2-106001: Inbound TCP connection denied",
         "converters":[  

         ],
         "id":"04b21e50-1957-11e6-9b97-0050568df5d8",
         "order":{  
            "$numberLong":"0"
         }
      },
      {  
         "creator_user_id":"admin",
         "source_field":"message",
         "condition_type":"none",
         "title":"ASA Login Failed",
         "type":"grok",
         "cursor_strategy":"copy",
         "target_field":"",
         "extractor_config":{  
            "grok_pattern":"%ASA-\\d-(?\u003casa_messageid\u003e611102): User authentication failed:"
         },
         "condition_value":"",
         "converters":[  

         ],
         "id":"7fba4b21-5360-11e6-8032-0050568df5d8",
         "order":{  
            "$numberLong":"0"
         }
      },
      {  
         "creator_user_id":"admin",
         "source_field":"message",
         "condition_type":"none",
         "title":"ASA Login Success",
         "type":"grok",
         "cursor_strategy":"copy",
         "target_field":"",
         "extractor_config":{  
            "grok_pattern":"%ASA-\\d-(?\u003casa_messageid\u003e611101): User authentication succeeded:"
         },
         "condition_value":"",
         "converters":[  

         ],
         "id":"7fba4b20-5360-11e6-8032-0050568df5d8",
         "order":{  
            "$numberLong":"0"
         }
      }
   ],
   "global":false,
   "name":"Syslog UDP",
   "node_id":"35771810-181d-43ae-946b-4b555f31b4ba",
   "title":"ASA",
   "type":"org.graylog2.inputs.syslog.udp.SyslogUDPInput"
}

Found a bunch of errors in server.log

2019-02-20T07:02:54.687-05:00 ERROR [InputServiceImpl] Cannot build extractor from persisted data. Skipping.
java.util.regex.PatternSyntaxException: named capturing group is missing trailing '>' near index 14
%ASA-\d-(?<asa_messageid>611101):

2019-02-20T07:02:54.684-05:00 ERROR [InputServiceImpl] Cannot build extractor from persisted data. Skipping.
java.util.regex.PatternSyntaxException: named capturing group is missing trailing '>' near index 14
%ASA-\d-(?<asa_messageid>106001): (?<name0>\S+) (?<name1>\S+) connection denied from (?<name2>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](
?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name3>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) to (?<name4>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?
:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name5>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) flags (?<asa_flags>.+)  on interface (?<name6>\S+)

2019-02-20T07:02:54.682-05:00 ERROR [InputServiceImpl] Cannot build extractor from persisted data. Skipping.
java.util.regex.PatternSyntaxException: named capturing group is missing trailing '>' near index 14
%ASA-\d-(?<asa_messageid>106023): (?<asa_action>Deny) (?<name0>\S+) src (?<name1>\S+):(?<name2>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]
(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name3>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) dst (?<name4>\S+):(?<name5>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-
9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name6>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) by access-group (?<name7>(?>(?<!\\)(?>"(?>\\.|[^\\"]+)+
"|""|(?>'(?>\\.|[^\\']+)+')|''|(?>`(?>\\.|[^\\`]+)+`)|``)))


2019-02-20T07:02:54.680-05:00 ERROR [InputServiceImpl] Cannot build extractor from persisted data. Skipping.
java.util.regex.PatternSyntaxException: named capturing group is missing trailing '>' near index 14
%ASA-\d-(?<asa_messageid>302016): (?<asa_action>Teardown) (?<asa_proto>UDP) connection (?<name0>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) for (?<name1>\S+):(?<name2>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-
5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name3>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) to (?<name4>\S+):(?<
name5>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name6>(?<![0-9.+-])(?>[+-]?(?:(?:[
0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) duration (?<name7>(?!<[0-9])(?<name8>(?:2[0123]|[01]?[0-9])):(?<name9>(?:[0-5][0-9]))(?::(?<name10>(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))(?![0-9])) bytes (?<name11>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?
:\.[0-9]+)?)|(?:\.[0-9]+))))


2019-02-20T07:02:54.678-05:00 ERROR [InputServiceImpl] Cannot build extractor from persisted data. Skipping.
java.util.regex.PatternSyntaxException: named capturing group is missing trailing '>' near index 1421
(?<name0>(?:(?<name1>(?:(?<name2>((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-
f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\
d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{
1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\
d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?)|(?<name3>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]
{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))))|(?<name4>\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)))) %ASA-\d-(?<asa_
messageid>106015): (?<asa_action>Deny) (?<asa_proto>TCP) (?<name5>.*?) from (?<name6>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[
0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name7>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) to (?<name8>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0
-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name9>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) flags (?<name10>.*?) on interface (?<name11>.*?)$

2019-02-20T07:02:54.676-05:00 ERROR [InputServiceImpl] Cannot build extractor from persisted data. Skipping.
java.util.regex.PatternSyntaxException: named capturing group is missing trailing '>' near index 1422
^(?<name0>(?:(?<name1>(?:(?<name2>((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa
-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?
\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]
{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?
\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?)|(?<name3>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9
]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))))|(?<name4>\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)))) %ASA-\d-(?<asa
_messageid>710005): (?<asa_proto>TCP) request (?<asa_action>discarded) from (?<name5>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[
0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name6>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) to (?<name7>.*?):(?<name8>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])
[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name9>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))$


2019-02-20T07:02:54.674-05:00 ERROR [InputServiceImpl] Cannot build extractor from persisted data. Skipping.
java.util.regex.PatternSyntaxException: named capturing group is missing trailing '>' near index 14
%ASA-\d-(?<asa_messageid>302015): (?<asa_action>Built) (?<name0>\S+) (?<asa_proto>UDP) connection (?<name1>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) for (?<name2>\S+):(?<name3>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4]
[0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name4>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) \((?<name
5>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name6>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]
+(?:\.[0-9]+)?)|(?:\.[0-9]+))))\) to (?<name7>\S+):(?<name8>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[
0-5]))(?![0-9]))/(?<name9>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) \((?<name10>(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0
-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))/(?<name11>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))\)
              ^

Graylog 3.0 unable to process the following grok pattern:

(?<asa_proto>UDP)

Data sample:

Feb 20 2019 07:44:35: %ASA-6-302016: Teardown UDP connection 43191210 for outside:1.1.1.1/123 to inside:2.2.2.2/123 duration 0:04:01 bytes 985

Error:

We were not able to run the grok extraction because of the following error: named capturing group is missing trailing '>' near index 6 (?<asa_proto>UDP) ^

I was able to rewrite one of the grok patterns to get it to work

Before:

ASA-\\d-(?<asa_messageid>302016): (?<asa_action>Teardown) (?<asa_proto>UDP) connection %{BASE10NUM:asa_conn_id} for %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} to %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} duration %{TIME:asa_conn_durration} bytes %{BASE10NUM:asa_conn_bytes;long}

After:

ASA-\d-%{WORD:asa_messageid:int}: %{WORD:asa_action} %{WORD:asa_proto} connection %{BASE10NUM:asa_conn_id} for %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} to %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} duration %{TIME:asa_conn_durration} bytes %{BASE10NUM:asa_conn_bytes;long}

I still don’t understand why the old patterns broke in 3.0.

edmundo · February 20, 2019, 5:00pm

Hello @leftorbit23,

That should not have happened and I think it’s a bug in the product. Would you be so kind as to add an issue in our Github repository? Please add the information you kindly provided into the ticket.

Thank you!

leftorbit23 · February 20, 2019, 5:54pm

Done. Issue submitted in Github.

system · March 6, 2019, 6:00pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Configured Extractors disappearing Graylog Central (peer support)	9	596	September 9, 2022
Can no longer edit extractors Graylog Central (peer support)	5	1189	November 20, 2017
Upgrade of Graylog from 2.5.x to 3.x results in Graylog Central (peer support)	10	880	April 1, 2019
Where are extractor configs saved? Graylog Central (peer support)	4	1522	February 21, 2017
Can't access to Manage Extractor page with Graylog 6 Graylog Central (peer support)	1	62	May 9, 2024

Graylog 3.0 upgrade - Extractors missing

Related Topics