Hi all,
I have read the documentation but I'm not exactly sure what what I'm looking for is called. I call it indexing a message.
What I have is this message:
I would like to sort a search string so I get a list of all the different categories after cat_name= within the "" - in this example it's Network protocols.
Could someone either help me with the syntax or point me in the right direction?
To explain further:
The rule in question is a firewall alert when the application filter is triggered. The alert is based on categories like "P2P file transfer", which is torrent and FTP and such, I believe.
I would like to monitor if any of these categories are denied and allowed; I would like to sort it on a per-device basis if possible.
So by clicking on a message from a firewall I got the option to "split and index", which makes an extractor where I can index specific entries in the message. So I could say I want to index what comes after msg= and it would index what was after that.
This is what i need.
But my problem now is that every piece of information in the log is separated by a space and it's not always the same.
So say I want to index the source IP of the log message. If I sort by space and jump 10 rows ahead to the source IP in the log, I get what I want. But the next log message may not have as much information as the former one, which means now the source IP is number 8 when sorting by space.
Can I do a more advanced sorting, like perhaps look for number dot number dot number dot number? Or something like that?
I tried pipelines but that's just way too complex for my needs atm. I'm still new at Graylog.
I really like the extractor because I can try and see what happens, and because they show as filters in the search. I'm sure there is a way to get pipelines in the filters as well, but extractors just look more like what I need. Also the documentation states that extractors were specifically made for syslog messages, which are the only messages I get in my Graylog atm.
I tried with the regular expression extractor instead.
I took this expression:
(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})...)(?![0-9])
which I took from the Graylog documentation of grok extractors and tried to "try" it on a message that contained an IP.
I got the error "regular expression does not contain any matcher group extract".
I also googled and tried some other ways to express an IPv4 address but I keep getting the same error.
I read the documentation but I'm not seeing what I'm doing wrong. It looks pretty simple to me? Maybe I'm stating my regular expression wrong?
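The error above comes from a pattern whose groups are all non-capturing, so there is nothing for the extractor to return. As an added illustration (not code from the thread or from Graylog), the Python script below builds the posted octet alternation twice, once with only (?:...) groups and once with a real capture group, checks which one has a group to extract, and pulls the IPv4 address and the cat_name value out of constructed sample lines whose field count differs. The src_ip/dst_ip/action field names and the sample lines are assumptions; the regex syntax used is also valid in Java's engine, which Graylog uses.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample firewall syslog lines (not from the original post). The
# number of space-separated fields differs, so counting tokens is unreliable.
SAMPLE_LOGS = [
    'msg="Application Control" src_ip=192.168.1.10 dst_ip=10.0.0.5 '
    'cat_name="Network protocols" action=Deny',
    'src_ip=172.16.4.20 cat_name="P2P file transfer" action=Allow',
]

OCTET = r'(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})'

# Same shape as the posted expression: every group is (?:...), non-capturing,
# so a regular-expression extractor has no group to extract from it.
IPV4_NO_GROUP = rf'(?<![0-9])(?:{OCTET}(?:\.{OCTET}){{3}})(?![0-9])'

# Fix: make the outer group capturing. The extractor returns group 1 and does
# not care where in the line the match sits, which is what was asked for.
IPV4 = rf'(?<![0-9])({OCTET}(?:\.{OCTET}){{3}})(?![0-9])'

# Category text between the quotes after cat_name=
CAT_NAME = r'cat_name="([^"]*)"'


def has_capture_group(pattern: str) -> bool:
    """True if the pattern has at least one capturing group."""
    return re.compile(pattern).groups > 0


def extract(pattern: str, line: str) -> Optional[str]:
    """Return group 1 of the first match, or None if the line does not match."""
    m = re.search(pattern, line)
    return m.group(1) if m else None


def summarize(lines: List[str]) -> List[Tuple[Optional[str], Optional[str]]]:
    """(source IP, category) per line, independent of field position."""
    return [(extract(IPV4, ln), extract(CAT_NAME, ln)) for ln in lines]


if __name__ == "__main__":
    print("posted-style pattern has a group:", has_capture_group(IPV4_NO_GROUP))
    print("fixed pattern has a group:", has_capture_group(IPV4))
    for ip, cat in summarize(SAMPLE_LOGS):
        print(ip, cat)
```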
Hi @shoothub
I did find the content pack but found it a problem to use since we use Docker for our Graylog setup. Since we have to store a CSV file in /graylog, we would need to store the entire Graylog installation on the host, which to me made little sense.
Correct me if I'm wrong.
I haven’t found the grok patterns though.
When I read the documentation it specifically says that extractors were made to handle syslog messages. We intend only to use Graylog for syslog, and not only WatchGuard.
I love the saying "give a man a fish and he's fed for one day, teach a man to fish and he will be fed an entire life".
So I would like to learn how to use the extractors, which I'm trying to do instead of grok since extractors are what is supposed to be used for syslog, it seems. And in that attempt I apparently am misunderstanding something in relation to how the regex is supposed to be implemented?
Or a little update for you.
Check "Named captures only".
Click "Try against example". This way you should see the extracted fields. Name it and save with "Create Extractor". Done. Continue with another type of message.
You can also create a GROK pattern using the simulator in System - Grok pattern - Create pattern: insert Sample data, then insert and test field by field. This way you use or create the desired pattern. After that, use it in the extractor.