Graylog Research

(Rodrigo Griffo) #1

Sorry for my English, but I am using Google Translate.

I started using Graylog a short time ago, mainly to extract logs from a pfSense firewall.

I have a pfSense that acts as a captive portal for a college, and I need to keep the access log for a while. I made some extractors and it is working for me; I used the GROK pattern that is available in the marketplace for pfSense and everything is all right.

Now I have to do some searches so that I can get back what I want.

I did a search that delivers ONLY the logged-in users with the date/time and IP, and this is OK.

I did it using the SPLIT of the "message" field, and when necessary I run the following search: _exists_:"login_user" AND NOT nginx

When I need to know which IP was accessed I put: DestIP:"ip of destination"

I have my answers separated… now I would like to "join" the searches, or I want to know which user accessed which IP.

Ex. DestIP -> login_user

But I cannot do it… I tried the following ways…

DestIP:"destination ip" AND _exists_:"login_user"

_exists_:"destination ip" AND NOT nginx && DestIP:"destination ip"

I've tried other ways and still cannot…

I ask for your help, and thank you.

Regards, Rodrigo Griffo
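The "join" asked for above cannot be expressed in a single Graylog query, because the login event and the firewall traffic event are different messages and the search language filters one message at a time. As an added example (not from this thread and not Graylog's own code), the script below does the correlation outside Graylog: export the result of the login search and the result of the DestIP search, then attribute each traffic record to the login session that was active for the same client IP at that moment. The field names login_user and DestIP come from the thread; timestamp, client_ip, SourceIP, the 8-hour session lifetime and the sample records are constructed assumptions.

```python
"""Correlate captive-portal logins with firewall traffic by client IP.

Added example: joins two exported Graylog result sets offline.
Assumptions (not from the thread): the login message carries the client's
IP in a field named client_ip, the traffic message carries SourceIP and
DestIP, timestamps are ISO 8601, and a portal session lasts at most 8 hours.
"""
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: what the `_exists_:"login_user" AND NOT nginx` search might return.
LOGIN_EVENTS = [
    {"timestamp": "2019-03-01T08:00:00", "login_user": "alice", "client_ip": "10.0.5.21"},
    {"timestamp": "2019-03-01T09:30:00", "login_user": "bob",   "client_ip": "10.0.5.21"},
    {"timestamp": "2019-03-01T08:10:00", "login_user": "carol", "client_ip": "10.0.5.33"},
]

# Constructed sample: what a `DestIP:"..."` search over firewall messages might return.
TRAFFIC_EVENTS = [
    {"timestamp": "2019-03-01T08:05:00", "SourceIP": "10.0.5.21", "DestIP": "93.184.216.34"},
    {"timestamp": "2019-03-01T09:45:00", "SourceIP": "10.0.5.21", "DestIP": "93.184.216.34"},
    {"timestamp": "2019-03-01T08:20:00", "SourceIP": "10.0.5.33", "DestIP": "198.51.100.7"},
    # traffic before any login on that IP: must stay unattributed
    {"timestamp": "2019-03-01T07:00:00", "SourceIP": "10.0.5.33", "DestIP": "198.51.100.7"},
]

SESSION_TIMEOUT = timedelta(hours=8)  # assumed captive-portal session lifetime


def _ts(s):
    return datetime.fromisoformat(s)


def index_logins(logins):
    """Group logins by client IP and sort by time so each lookup is a bisect."""
    by_ip = defaultdict(list)
    for ev in logins:
        by_ip[ev["client_ip"]].append((_ts(ev["timestamp"]), ev["login_user"]))
    for ip in by_ip:
        by_ip[ip].sort()
    return by_ip


def user_for(by_ip, ip, when, timeout=SESSION_TIMEOUT):
    """Return the user whose most recent login on `ip` precedes `when`,
    or None if there is no such login or it is older than `timeout`."""
    sessions = by_ip.get(ip, [])
    times = [t for t, _ in sessions]
    i = bisect_right(times, when) - 1
    if i < 0:
        return None
    start, user = sessions[i]
    return user if when - start <= timeout else None


def join_sessions(logins, traffic, timeout=SESSION_TIMEOUT):
    """Attach login_user to every traffic record (None when unattributable)."""
    by_ip = index_logins(logins)
    rows = []
    for ev in traffic:
        user = user_for(by_ip, ev["SourceIP"], _ts(ev["timestamp"]), timeout)
        rows.append({"timestamp": ev["timestamp"], "login_user": user,
                     "SourceIP": ev["SourceIP"], "DestIP": ev["DestIP"]})
    return rows


def users_for_dest(logins, traffic, dest_ip):
    """The thread's question: which users reached dest_ip?"""
    return sorted({r["login_user"] for r in join_sessions(logins, traffic)
                   if r["DestIP"] == dest_ip and r["login_user"]})


if __name__ == "__main__":
    for row in join_sessions(LOGIN_EVENTS, TRAFFIC_EVENTS):
        print(row)
    print(users_for_dest(LOGIN_EVENTS, TRAFFIC_EVENTS, "93.184.216.34"))
```

The session timeout matters on a shared address pool: when a second user logs in from the same IP, the earlier user must stop being credited with that IP's traffic, and traffic seen before any login on an IP is left unattributed rather than guessed. Keeping the timeout equal to the captive portal's real session lifetime keeps the attribution honest for audit purposes.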

(Jan Doberstein) #2

Hej @rodrigogriffo

you might want to carefully read the part of the documentation about searching:

(Jochen) #3

Currently that's not possible out of the box, but Graylog 3.0.0 might bring some features enabling this kind of query.

(system) closed #4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.