Help streams-rules


I’m trying to set up streams, to search my vsftp server log, but my regular expressions don’t work.

I tried to do it this way:
message must match regular expression. (quality).
message must match regular expression (?i).*4bio-quality.*

But the stream rules always bring back the wrong search results:
Wed Feb 3 10:02:12 2021 [pid 12017] [4bio-quality] OK LOGIN: Client “:: ffff:”
Wed Feb 3 09:29:59 2021 [pid 861] [usj] OK UPLOAD: Client “:: ffff:”, “/ OTHERS / OTHERS_23259_12503132369_ANTONIO DE OLIVEIRA NASCIMENTO ___ 04052005_WORKIMAGE_0002.TIF”, 13251 bytes, 167.3 bytes

They do not bring only the messages I want, “4bio-quality”.

Your regex is wrong. You use unsupported regex; Graylog uses Java regex syntax and doesn’t know (?i). If you only want to find text in the message, you can simply use the message contains condition.

To test a regex, use an online Java regex tester like this one:



I had tested it with the freeformatter and it works, but not on Graylog.

I’m setting it up this way


As suggested by shoothub, why do you use a regex if you only need to check if logs contain the string “4bio-quality”?
If you really want to use a regex, I would use \[4bio-quality\]
If sometimes it’s uppercase you can use (?i)\[4bio-quality\]
I have already tested (?i) and it works in Graylog.
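
An added example, not part of any post in this thread: a small Java program that runs the candidate patterns discussed above through java.util.regex against two sample vsftpd lines, so the effect of (?i) and of escaping the square brackets can be checked before the rule goes into a stream. It assumes the stream rule applies the pattern as a partial match (Matcher.find()); the class name, the client address and the file path are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class StreamRuleRegexCheck {
    // Constructed sample lines modelled on the two log lines quoted in the thread.
    static final String[] LOGS = {
        "Wed Feb 3 10:02:12 2021 [pid 12017] [4bio-quality] OK LOGIN: Client \"::ffff:192.0.2.10\"",
        "Wed Feb 3 09:29:59 2021 [pid 861] [usj] OK UPLOAD: Client \"::ffff:192.0.2.10\", \"/OTHERS/sample.TIF\", 13251 bytes"
    };

    // Assumption: a "match regular expression" rule succeeds on a partial match
    // (find), not only when the whole message matches.
    static boolean ruleMatches(String regex, String message) {
        return Pattern.compile(regex).matcher(message).find();
    }

    public static void main(String[] args) {
        Map<String, String> candidates = new LinkedHashMap<>();
        candidates.put("case-insensitive substring", "(?i).*4bio-quality.*");
        // Unescaped brackets form a character class: any ONE of 4, b, i, o-q, u, a, l, t, y.
        candidates.put("unescaped brackets", "[4bio-quality]");
        candidates.put("escaped literal brackets", "\\[4bio-quality\\]");
        candidates.put("escaped, case-insensitive", "(?i)\\[4BIO-QUALITY\\]");

        for (Map.Entry<String, String> c : candidates.entrySet()) {
            System.out.printf("%s: %s%n", c.getKey(), c.getValue());
            for (String line : LOGS) {
                System.out.printf("    %-5b %s%n", ruleMatches(c.getValue(), line), line);
            }
        }

        // Plain substring test, the equivalent of a "contains" condition.
        System.out.println("contains \"4bio-quality\":");
        for (String line : LOGS) {
            System.out.printf("    %-5b %s%n", line.contains("4bio-quality"), line);
        }
    }
}
```

With these sample lines, the unescaped bracket form matches both the 4bio-quality and the usj line, because a single character from the class is enough; the escaped forms, the (?i) substring pattern and the plain contains test match only the 4bio-quality line.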
