Graylog - Modsecurity Audit Logs - Grokpattern

Hi all, I want to extract fields from the modsecurity audit log, which is a multiline log with sections A, B, … Z. I can merge the multiline messages of a single event using the multiline feature in the Graylog input. The result is as below:

###############################

message

--12aceb4f-A--
[14/Dec/2018:13:00:02 +0100] XAsbQiwgSSXTTqKkD3L2LQGgAAI ::1 45476 ::1 80
--12abeb4f-B--
GET / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0
Accept: application/xml,application/xhtml+xml,text/html
Connection: Close

--12aceb4f-F--
HTTP/1.1 503 Service Temporarily Unavailable
Status: 503 Service Temporarily Unavailable
Retry-After: 3600
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 1130
Connection: close
Content-Type: text/html; charset=UTF-8

--12aceb4f-E--

#############################

I want to extract fields (such as Host, User-Agent, Status) from all sections A, B … Z of a modsecurity log. What is the most preferable way to extract fields?

You can do it on the input with an extractor, or some prefer the pipelines.
You are able to use regexp or GROK to extract the fields.

This is my question as well. I mean, once we write an extractor and save it in Graylog, how do we apply it to incoming messages?

You don't; once an extractor is active it will apply itself to any messages coming in on the input you've put the extractor on. For pipelines it's the same story: the pipeline will apply itself to any messages coming through a stream that the pipeline attaches to.

Have you tried?
http://docs.graylog.org/en/2.5/pages/extractors.html
http://docs.graylog.org/en/2.5/pages/pipelines/pipelines.html

Hi, thanks for your reply. If I apply a Grok pattern %{GREEDYDATA} to the message, I get the following:
"
Extractor preview

GREEDYDATA

--12aceb4f-A--
"
It means only the first line is extracted. How to enable Grok pattern for multiple lines?

Got it. I have to use (?s) to convert the multiline message into a single line and then apply the Grok pattern:

(?s)%{GREEDYDATA}

Thanks
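As an added example (not from the thread or from Graylog itself), the Python below shows the same idea as the (?s) fix: re.S is Python's equivalent of the (?s) flag and lets one pattern reach the Host, User-Agent and Status fields across the A, B and F sections of a merged event. It also shows a more robust alternative that splits the event on the section markers first; the sample event is constructed from the one pasted above, with the section ids normalised.

```python
import re

# Constructed sample event modelled on the thread's paste; real markers are "--<id>-<letter>--".
SAMPLE = """--12aceb4f-A--
[14/Dec/2018:13:00:02 +0100] XAsbQiwgSSXTTqKkD3L2LQGgAAI ::1 45476 ::1 80
--12aceb4f-B--
GET / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0
Connection: Close

--12aceb4f-F--
HTTP/1.1 503 Service Temporarily Unavailable
Status: 503 Service Temporarily Unavailable

--12aceb4f-E--
"""

# Equivalent of the thread's "(?s)" fix: re.S lets "." cross newlines, so one
# pattern can reach fields in sections A, B and F. re.M anchors "^" per line.
GROK_LIKE = re.compile(
    r"--(?P<txid>[0-9a-f]+)-A--\r?\n\[(?P<ts>[^\]]+)\].*?"
    r"^Host:\s*(?P<host>[^\r\n]+).*?"
    r"^User-Agent:\s*(?P<user_agent>[^\r\n]+).*?"
    r"--[0-9a-f]+-F--\r?\nHTTP/\S+\s+(?P<status>\d{3})",
    re.S | re.M,
)

def grok_extract(event):
    """Pull a fixed set of fields with one multiline regex; None if no match."""
    m = GROK_LIKE.search(event)
    return m.groupdict() if m else None

# More robust alternative: split on the section markers first, then parse each
# section on its own, so header order and missing sections no longer matter.
SECTION_RE = re.compile(r"^--[0-9a-f]+-([A-Z])--[ \t]*$", re.M)

def split_sections(event):
    """Return {section_letter: body_text} for one audit-log event."""
    marks = list(SECTION_RE.finditer(event))
    ends = [m.start() for m in marks[1:]] + [len(event)]
    return {m.group(1): event[m.end():end].strip("\r\n") for m, end in zip(marks, ends)}

def headers_of(section_body):
    """Parse 'Name: value' lines after the request/status line of a B or F section."""
    out = {}
    for line in section_body.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            out[name.strip().lower()] = value.strip()
    return out
```

Without re.S the first pattern stops at the first newline, which is exactly the "only the first line is extracted" behaviour seen in the extractor preview.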
