Help with gronk extractor

given following log file:
ubnt kernel: [WAN_LOCAL-default-D]IN=eth2 OUT= MAC=b4:fb:e4:8e:d4:a1:00:17:10:8d:ed:0d:08:00 SRC=46.182.109.160 DST=..32.32 LEN=60 TOS=0x08 PREC=0x00 TTL=49 ID=50603 DF PROTO=TCP SPT=45786 DPT=22000 WINDOW=42340 RES=0x00 SYN URGP=0…

trying to extract “WAN_LOCAL-default-D” the text could be different…could be “WAN_IN-default-D” or a few other variants…

I’ve been able to extract port info with this…SPT=%{NUMBER:SPORT} DPT=%{NUMBER:DPORT}
and ip’s with this SRC=%{IP:srcip} DST=%{IP:dstip}
and proto with PROTO=%{WORD:protocol}

just can’t seem to figure out the best way to extract the rule

Went here to play a little bit and came up with:

%{WORD:source} %{WORD:Level}: \[%{DATA:This_Thing}\]IN=%{WORD:Ether}

Also, this guy is already extracted from the Patriots:


gronk…lol…that was perfect…thanks for the link, and the assist!!!
