Graylog-generic-syslog

@jkumar2001


This is a generic syslog content pack for Graylog with the following extractors:

SSH_login_username (Regular expression)

SSH_login_username_publickey (Regular expression)

SSH_fail_source (Regular expression)

SSH_fail_username (Regular expression)

Generic_IP_Extractor (Regular expression)

Generic_IP_Extractor (Regular expression)

SSH_fail_invalid_username (Regular expression)

IPTables_Packet_Dropped_iptables_dst (Regular expression)

IPTables_Packet_Dropped_iptables_src (Regular expression)

IPTables_Packet_Dropped_iptables_dport (Regular expression)

Hi there,
it seems like this 7-year-old extractor does not work with "newer" Graylog versions.
Importing is not working, and according to the open issues I am not the only one with this problem.
Do I need to import it as an extractor on my input, or is this supposed to work another way?


Hey @lmarien

If you posted on Github and the person does not respond back, another option would be to copy the extractor details and make your own.

{
  "type" : "org.graylog2.inputs.syslog.udp.SyslogUDPInput",
  "global" : false,
  "extractors" : [ {
    "title" : "IPTables_Packet_Dropped_iptables_dst",
    "type" : "REGEX",
    "configuration" : {
      "regex_value" : "^.*DST=([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})"
    },
    "converters" : [ ],
    "order" : 1,
    "cursor_strategy" : "COPY",
    "target_field" : "iptables_dst",
    "source_field" : "message",
    "condition_type" : "REGEX",
    "condition_value" : "([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})"
  } ]
}

I'd like to mention that extractors are still supported, but there are plans to EOL them in favor of pipelines and rules. Better grab the idea/rules from this content pack and transfer them into pipeline rules if you are working on it now.

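Added example, not code from the content pack or from anyone in this thread: a small Python model of how a Graylog REGEX extractor evaluates (condition gate first, then capture group 1 of regex_value into target_field), fed with the iptables_dst definition quoted above. The content pack lists iptables_src and iptables_dport extractors too, but the thread does not show their regexes, so the two definitions for them here are assumptions modelled on the dst extractor and on the SRC=/DPT= keys of the kernel's iptables log line. The sample syslog lines are constructed (RFC 5737 documentation addresses). Running the patterns this way checks what each extractor actually produces before the same regexes are carried over into pipeline rules.

```python
import json
import re

# Extractor definition as quoted in the thread, wrapped into a complete JSON object.
IPTABLES_DST_EXTRACTOR = r'''
{
  "title": "IPTables_Packet_Dropped_iptables_dst",
  "type": "REGEX",
  "configuration": {
    "regex_value": "^.*DST=([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})"
  },
  "converters": [],
  "order": 1,
  "cursor_strategy": "COPY",
  "target_field": "iptables_dst",
  "source_field": "message",
  "condition_type": "REGEX",
  "condition_value": "([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})"
}
'''

# ASSUMPTION: the content pack names these two extractors but the thread does not
# quote them; the regexes below are modelled on the dst extractor and the SRC=/DPT=
# keys of the kernel's iptables log format, not copied from the pack.
ASSUMED_EXTRACTORS = [
    {
        "title": "IPTables_Packet_Dropped_iptables_src",
        "type": "REGEX",
        "configuration": {"regex_value": r"^.*SRC=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"},
        "target_field": "iptables_src",
        "source_field": "message",
        "condition_type": "STRING",   # cheap substring gate instead of a regex gate
        "condition_value": "SRC=",
    },
    {
        "title": "IPTables_Packet_Dropped_iptables_dport",
        "type": "REGEX",
        "configuration": {"regex_value": r"^.*DPT=([0-9]{1,5})"},
        "target_field": "iptables_dport",
        "source_field": "message",
        "condition_type": "NONE",     # always run the regex
        "condition_value": "",
    },
]

EXTRACTORS = [json.loads(IPTABLES_DST_EXTRACTOR)] + ASSUMED_EXTRACTORS


def condition_holds(extractor, text):
    """Mirror the extractor's condition gate: the main regex runs only when this is true."""
    ctype = extractor.get("condition_type", "NONE")
    cvalue = extractor.get("condition_value", "")
    if ctype == "NONE":
        return True
    if ctype == "STRING":
        return cvalue in text
    if ctype == "REGEX":
        return re.search(cvalue, text) is not None
    raise ValueError(f"unknown condition_type {ctype!r}")


def apply_extractor(extractor, message):
    """Return {target_field: value} for one REGEX extractor, or {} if it does not fire.

    The stored value is capture group 1 of regex_value, which is what a Graylog
    REGEX extractor keeps; a pattern without a capture group yields nothing.
    """
    if extractor["type"] != "REGEX":
        return {}
    text = message.get(extractor["source_field"], "")
    if not condition_holds(extractor, text):
        return {}
    m = re.search(extractor["configuration"]["regex_value"], text)
    if m is None or m.lastindex is None:
        return {}
    return {extractor["target_field"]: m.group(1)}


def extract_all(message, extractors=EXTRACTORS):
    """Run every extractor against one message (in 'order') and merge the new fields."""
    fields = {}
    for ex in sorted(extractors, key=lambda e: e.get("order", 0)):
        fields.update(apply_extractor(ex, message))
    return fields


# Constructed sample messages, not captured traffic.
SAMPLE_MESSAGES = [
    {"message": "kernel: IPTables-Dropped: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 "
                "LEN=60 TTL=54 PROTO=TCP SPT=51234 DPT=22 SYN"},
    {"message": "sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2"},
    {"message": "cron[999]: (root) CMD (run-parts /etc/cron.hourly)"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["message"][:40], "->", extract_all(msg))
```

The sshd line is the instructive case: the quoted dst extractor's condition_value is a bare IP pattern, so it passes the gate on almost any line that contains an address, and only the DST= in regex_value keeps it from setting a field. A literal condition such as "DST=" (STRING type, as in the assumed src definition) does the same filtering for less work, and that is also the cheaper shape to keep when the pattern is moved into a pipeline rule.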