Graylog stream extractor

veninmiha · April 6, 2020, 9:56am

HI Guys,
I’m trying to add an extractor of a stream (msg=“Gateway Anti-Virus Alert: (Cloud Id: 75044252) Browsefox-6628766-0 (Adware) blocked.”) and i want to extract from the full message only Adware, Trojan, ransomware, etc)
I have tried many options but none of them is suitable.

Any idea how to extract only that specific word?
Thanks
Laurentiu

macko003 · April 6, 2020, 10:09am

you can create extractors to inputs, you can’t do on a stream.
Use regexp.

veninmiha · April 6, 2020, 10:15am

i already tried to create an extractor but maybe because of my lack of knowledge, it doesn’t work
msg=%{WORD:}

macko003 · April 6, 2020, 10:38am

you can see many-many examples in the community.

shoothub · April 6, 2020, 2:58pm

Try to use this grok:

msg="%{GREEDYDATA:UNWANTED}: \(%{GREEDYDATA:UNWANTED}: %{BASE10NUM:UNWANTED}\) %{GREEDYDATA:UNWANTED} \(%{WORD:virus-type}\)

And read doc, to undestand:
https://docs.graylog.org/en/3.2/pages/extractors.html#using-grok-patterns-to-extract-data

veninmiha · April 8, 2020, 10:34am

i have create a grok pattern like adware|ransomware|trojan etc and than i have create extractor to full message with %{name _grock patter:action} and it worked.

thanks for your inputs

system · April 22, 2020, 10:34am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Extractor help needed Graylog Central (peer support)	2	814	March 15, 2021
Connecting an extractor to a input Graylog Central (peer support)	7	2048	September 12, 2018
A Question about Extractors and Inputs Graylog Central (peer support)	2	877	September 4, 2017
GROK Extractor: how to match exact text and assign it to a field at the same time? Graylog Central (peer support) pipeline-rules , route-to-streampl	3	898	September 24, 2019
How to apply my custom extractors for incoming messages? Graylog Central (peer support) sidecar , filebeat-windows	5	824	November 26, 2018

Graylog stream extractor

Related topics