Need help with draytek log extractor

DonIT · December 15, 2024, 3:31pm

For DrayTek vigor 2862 router logs I use pipeline with following rule:

rule "Draytek"
when
     has_field("message")
then 
     let fields_in_message = to_string($message.message);
     let var_our_grok_pattern = grok (pattern:"%{DATA:UWANTED}\\]\\[%{WORD:mode}\\]%{DATA:UNWANTED}%{IPV4:src_ip}:%{INT:src_port}->%{IPV4:dst_ip}:%{INT:dst_port}\\]\\[%{URIPROTO:protocol}\\]", value: fields_in_message, only_named_captures: true );
    set_fields (var_our_grok_pattern);
end

This rule works great with log message: DrayTek: Local User (MAC=xx-xx-xx-xx-xx-xx): 192.168.x.x:60736 → 195.12.xxx.xxx:443 (TCP)
But this rule does not extract information from there messages:
DrayTek: Local User (MAC=xx-xx-xx-xx-xx-xx): 192.168.x.x DNS → 1.1.1.1 inquire scs.samsungqbe.com
DrayTek: Load_balance 192.168.x --(CAH)–> 195.12.xxx.xxx go WAN2

Please help me to edit rule to extract information from messages.
I’m new graylog user so it’s very difficult to understand syntax and variables.

system · December 29, 2024, 3:32pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Issues with attempting to pull Fields from Message Graylog Central (peer support)	3	642	May 25, 2018
Solved: Problem with pipeline rule and grok pattern Graylog Central (peer support) pipeline-rules	6	3061	August 25, 2019
3.1 pipeline help Graylog Central (peer support) pipeline-rules , sidecar , winlogbeat	2	787	September 6, 2019
Parsing Logs On Graylog Graylog Central (peer support)	8	8449	November 17, 2017
Need help with extractor grok pattern Graylog Tech Challenges pipeline-rules	6	1443	May 24, 2022

Need help with draytek log extractor

Related topics