Need help with draytek log extractor

DonIT · December 15, 2024, 3:31pm

For DrayTek vigor 2862 router logs I use pipeline with following rule:

rule "Draytek"
when
     has_field("message")
then 
     let fields_in_message = to_string($message.message);
     let var_our_grok_pattern = grok (pattern:"%{DATA:UWANTED}\\]\\[%{WORD:mode}\\]%{DATA:UNWANTED}%{IPV4:src_ip}:%{INT:src_port}->%{IPV4:dst_ip}:%{INT:dst_port}\\]\\[%{URIPROTO:protocol}\\]", value: fields_in_message, only_named_captures: true );
    set_fields (var_our_grok_pattern);
end

This rule works great with log message: DrayTek: Local User (MAC=xx-xx-xx-xx-xx-xx): 192.168.x.x:60736 → 195.12.xxx.xxx:443 (TCP)
But this rule does not extract information from there messages:
DrayTek: Local User (MAC=xx-xx-xx-xx-xx-xx): 192.168.x.x DNS → 1.1.1.1 inquire scs.samsungqbe.com
DrayTek: Load_balance 192.168.x --(CAH)–> 195.12.xxx.xxx go WAN2

Please help me to edit rule to extract information from messages.
I’m new graylog user so it’s very difficult to understand syntax and variables.

Topic		Replies	Views
Solved: Problem with pipeline rule and grok pattern Graylog Central (peer support) pipeline-rules	6	3032	August 25, 2019
Issues with attempting to pull Fields from Message Graylog Central (peer support)	3	634	May 25, 2018
3.1 pipeline help Graylog Central (peer support) pipeline-rules , sidecar , winlogbeat	2	784	September 6, 2019
Need help with extractor grok pattern Graylog Tech Challenges pipeline-rules	6	1395	May 24, 2022
Parsing Logs On Graylog Graylog Central (peer support)	8	8336	November 17, 2017

Need help with draytek log extractor

Related topics