Grok pattern for dd-wrt syslog input


I am looking for a grok pattern for a syslog feed from a dd-wrt router. Would like the message to be split into different searchable fields. Does anyone have one they would be willing to share? Is there anyway to also have Graylog convert the SRC and DST IPs to Internet domain names?

kernel: ACCEPT IN=br0 OUT= MAC=747:03:bd:6f:80:3a:4c:82:cd:ef:b2:cc:09:10 SRC= DST= LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=0 SEQ=0

(Jan Doberstein) #2

hej @Mr.Anderson

if you post more than one line it might be possible to identify how those messages are formatted. Did you already search the marketplace?

Did you try a generic key=value extractor or pipeline?


ps: what kernel version did the dd-wrt use?

(Andrea) #3

this is only a simple example but you can try:

kernel: %{WORD:fw_action} IN=%{DATA:fw_in} OUT=%{DATA:fw_out} MAC=%{DATA:fw_mac} SRC=%{IPORHOST:fw_src} DST=%{IPORHOST:fw_dst} LEN=%{POSINT:fw_len} TOS=%{DATA:fw_tos} PREC=%{DATA:fw_prec} TTL=%{POSINT:fw_ttl} ID=%{INT:fw_pre_id} %{GREEDYDATA} PROTO=%{WORD:fw_proto} TYPE=%{INT:fw_type} CODE=%{INT:fw_code} ID=%{INT:fw_post_id} SEQ=%{INT:fw_seq}

Remember to replace %{...} with (?:%{...}) when a field may be blank.

Tested on:

Hope this helps :thinking:



Thanks for the assist. That is pretty close to what I ended up with. I finally figured out the extractor can only return one value per pattern. I am guessing this is a Graylog limitation. So I copied and created new patterns for things like source and destination IP address so they both get returned in different fields.

Some of the log entries have additional data in them between some of the fields in the example above. So there may be 2 characters like DF in between the PREC and TTL fields. Have not quite figured out how to handle that yet, but it does not seem to be affecting the extraction. It just ignores them, as it is not data I care about.

MAC address seems to just be wrong coming from DD-WRT syslog. I get an odd number of octets. The example above has 13 instead of 8 and 3 numbers at the start. Have not looked into that problem yet.

It appears the only solution for DNS resolution is a plugin in the marketplace. But it seems to no longer be supported and is only for the source field. The data I need to resolve is in the message field. Thinking at this point I'll script and export the data from the DB, do an NSLOOKUP, append new entries to a CSV, and leverage a lookup table. Seems like a complicated and slow process. Am I missing anything here?
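The points raised across this thread (blank OUT=/SRC=/DST= values, the bare DF token that appears between fields, the second ID= in ICMP lines that a single grok capture cannot return twice, the unexpectedly long MAC= value, and the export/nslookup/CSV plan for a lookup table) can all be handled in one small script. The following is an added example, not code from this thread or from Graylog. It tokenises each message on key=value pairs instead of matching one fixed grok layout, so optional flags and per-protocol tails (ICMP TYPE/CODE/ID/SEQ versus TCP/UDP SPT/DPT) need no special casing. On Linux netfilter, the MAC= field is the raw 14-byte Ethernet header (destination MAC, source MAC, ethertype), so 14 octets rather than 6 are expected; the three-digit first group in the posted line does not fit that and is assumed to be a transcription artifact. The reverse-DNS step resolves each unique address once and writes an `ip,hostname` CSV of the shape a Graylog CSV file data adapter consumes. The sample log lines, the `STUB_HOSTS` mapping and the `stub_resolver` are constructed for the demo; replace the resolver with `default_resolver` to use real reverse lookups.

```python
"""dd-wrt (netfilter LOG) syslog parser plus reverse-DNS lookup-table CSV.

Added example for this thread, not code from the thread or from Graylog.
The sample log lines and the hostnames in STUB_HOSTS are constructed.
"""
import csv
import io
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Everything up to and including "kernel:" is syslog framing; the first word
# after it is the rule target (ACCEPT, DROP, ...), the rest is key=value pairs
# interleaved with bare flag words (DF, MF, SYN, ACK, ...).
FW_PREFIX = re.compile(r"kernel:\s+(?P<action>\S+)\s+(?P<body>IN=.*)$")


def parse_fw_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one line into fw_* fields; return None for non-firewall lines.

    key=value tokens become fw_<key> (an empty value such as OUT= is kept as "");
    bare tokens are collected into fw_flags, so DF sitting between ID= and
    PROTO= never breaks the parse; a repeated key (second ID= in ICMP lines,
    second LEN= in UDP lines) is prefixed with the protocol: fw_icmp_id, fw_udp_len.
    """
    m = FW_PREFIX.search(line)
    if not m:
        return None
    rec: Dict[str, str] = {"fw_action": m.group("action")}
    flags: List[str] = []
    for tok in m.group("body").split():
        key, eq, val = tok.partition("=")
        if not eq:
            flags.append(tok)
            continue
        name = "fw_" + key.lower()
        if name in rec:  # duplicate key: disambiguate by the protocol seen so far
            name = "fw_%s_%s" % (rec.get("fw_proto", "dup").lower(), key.lower())
        rec[name] = val
    rec["fw_flags"] = " ".join(flags)
    return rec


def split_mac(mac: str) -> Optional[Dict[str, str]]:
    """netfilter's MAC= is the 14-byte Ethernet header: dst MAC, src MAC, ethertype."""
    octets = mac.split(":")
    if len(octets) != 14 or not all(re.fullmatch(r"[0-9a-fA-F]{2}", o) for o in octets):
        return None  # anything else (e.g. a mangled first group) is left unsplit
    return {
        "fw_dst_mac": ":".join(octets[0:6]),
        "fw_src_mac": ":".join(octets[6:12]),
        "fw_ethertype": "0x" + "".join(octets[12:14]).lower(),
    }


def default_resolver(ip: str) -> Optional[str]:
    """Real reverse lookup; herror/gaierror are OSError subclasses."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


# Constructed hostnames so the demo runs offline.
STUB_HOSTS = {"192.168.1.1": "router.lan", "203.0.113.9": "scanner.example"}


def stub_resolver(ip: str) -> Optional[str]:
    return STUB_HOSTS.get(ip)


def build_lookup_csv(lines: List[str],
                     resolver: Callable[[str], Optional[str]] = default_resolver
                     ) -> Tuple[List[Dict[str, str]], str]:
    """Parse lines, resolve each unique SRC/DST once, return (records, csv_text).

    The CSV has an ip,hostname header and only resolved addresses, which is the
    shape a Graylog CSV file data adapter can load for a lookup table.
    """
    records: List[Dict[str, str]] = []
    cache: Dict[str, Optional[str]] = {}
    for line in lines:
        rec = parse_fw_line(line)
        if rec is None:
            continue
        if rec.get("fw_mac"):
            rec.update(split_mac(rec["fw_mac"]) or {})
        for side in ("fw_src", "fw_dst"):
            ip = rec.get(side, "")
            try:
                ipaddress.ip_address(ip)  # skip blank or redacted values
            except ValueError:
                continue
            if ip not in cache:
                cache[ip] = resolver(ip)
            rec[side + "_host"] = cache[ip]
        records.append(rec)
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["ip", "hostname"])
    for ip in sorted(cache):
        if cache[ip]:
            writer.writerow([ip, cache[ip]])
    return records, buf.getvalue()


# Constructed sample lines: ICMP echo with DF and two ID= fields, a dropped
# TCP SYN with DF and SYN flags, and a forwarded UDP packet with two LEN= fields.
SAMPLE_LINES = [
    "Jan  1 00:00:01 DD-WRT kernel: ACCEPT IN=br0 OUT= MAC=74:03:bd:6f:80:3a:4c:82:cd:ef:b2:cc:08:00 "
    "SRC=192.168.1.20 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=0 SEQ=0",
    "Jan  1 00:00:02 DD-WRT kernel: DROP IN=vlan2 OUT= MAC=74:03:bd:6f:80:3a:00:11:22:33:44:55:08:00 "
    "SRC=203.0.113.9 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=44321 DPT=22 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan  1 00:00:03 DD-WRT kernel: ACCEPT IN=br0 OUT=vlan2 MAC=74:03:bd:6f:80:3a:4c:82:cd:ef:b2:cc:08:00 "
    "SRC=192.168.1.20 DST=198.51.100.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=777 PROTO=UDP SPT=5353 DPT=53 LEN=40",
]

if __name__ == "__main__":
    recs, text = build_lookup_csv(SAMPLE_LINES, resolver=stub_resolver)
    for r in recs:
        print(r)
    print(text)
```

Dropping the records into a Graylog pipeline or a CSV lookup is left to the reader; the parser shows why a generic key=value approach sidesteps both the one-capture-per-pattern limit and the DF problem, and the CSV is written only for addresses that actually resolved so a stale or missing PTR does not pollute the table.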

(system) #5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.