I’m trying to sort out the special characters from my canary and it’s giving me trouble with all the quotes on a single line, how do I watch for the needed text within quotes? The ports we want to alert on: “dst_port”: “22” “dst_port”: “23” “dst_port”: “5060” “dst_port”: “5061” Escaping all th…

Hello @no-good-username Perhaps this post will help. [image] Graylog search query - regex Graylog Tech Challenges try source:/“FB100D-ADV-[1-2]”/ The issue you’re having is that you need to escape the hyphens when you are searching normally, but they don’t need to be es…

So the guide is wrong? It says to escape with a backslash \ , not forward / Unable to perform search query: Elasticsearch exception [type=query_shard_exception, reason=Failed to parse query [“dst_port”\ : “5060”]]. I flipped them 'round and this passed the validator - “/“dst_port”/ : /“5060”/” B…

escape using the \ / lets Graylog know that what’s between them is a RegEx. edit LMAO… had to esc the escape character for it to post… apologies for the confusion.

Like this? ,“dst_port”,: ,“5060”, OR ,“dst_port”,: ,“22”, If so, I get alerts for portscans for the top100 range tried, not specifically just :22 or :5060

@no-good-username apologies for the added confusion… quick question… are you parsing/extracting anything from the messages into fields? Not sure why you would search for “dst_port”:“22” unless you haven’t extracted them. it can be a mouthful to parse, but it doesn’t have to be. you can use a pipe…

How to alert correctly with quotes from the endpoint log?

Graylog Central (peer support)

gsmith (GSmith) February 2, 2022, 11:24pm 3

Hello @no-good-username

Perhaps this post will help.

Topic		Replies	Views
Graylog search query - regex Graylog Tech Challenges	7	14256	January 22, 2022
Searches not populating expected results Graylog Central (peer support)	3	438	June 7, 2018
Alerting question Graylog Central (peer support)	4	793	April 5, 2018
Graylog alert message with details New to Graylog Community? READ-ME FIRST Guides	0	64	June 6, 2024
Graylog alert query New to Graylog Community? READ-ME FIRST Guides	0	71	June 6, 2024

How to alert correctly with quotes from the endpoint log?

Related topics