Sorry for my English, but I use Google Translate.
I started using Graylog a short time ago, especially to extract logs from a pfSense firewall.
I have a pfSense that acts as a Captive Portal for a college, and I need to keep the access log for a while. I made some extractors and it is working for me; I used the GROK pattern that is available in the marketplace for pfSense and everything is all right.
Now I have to do some searches so that I can get back what I want.
I did a search to ONLY return the users logged in, with the date/time and IP, and this is OK.
I did it using the SPLIT of the "message" field, and when necessary I run the following search: _exists_:"login_user" AND NOT nginx
When I need to know an IP that was accessed I use: DestIP:"ip of destination"
I have my answers separated ... now I would like to "join" the searches, i.e. I want to know which user accessed which IP.
Ex. DestIP -> login_user
But I cannot do it ... I tried the following ways ...
DestIP:"destination ip" AND _exists_:"login_user"
_exists_:"destination ip" AND NOT nginx && DestIP:"destination ip"
I have tried it in other ways and still cannot ...
I ask for your help, and thank you.
Regards, Rodrigo Griffo