Need help with pipeline rule to replace source string

So I have my pfSense router logs being fed into my Graylog instance over Syslog UDP. I have a bunch of extractors from https://github.com/Hobadee/Graylog_Extractors_pfSense configured, but they only handle the firewall logs. For all the other syslog messages pertaining to php-fpm, ssh, etc., as examples, it's using the application as the source. Example messages below:

php-fpm: /index.php: Successful login for user 'admin' from: 192.168.0.227
sshd[76927]: Accepted keyboard-interactive/pam for root from 192.168.0.227 port 1221 ssh2

In this message, Graylog sees the source as “php-fpm:”. So, I figured I’d try a pipeline rule that would do the trick.

rule "Change source to pfSense hostname"
when
    // program name followed by a colon, e.g. "php-fpm:"
    regex("^[A-Za-z0-9_.-]+:$", to_string($message.source)).matches == true OR
    // program name with a PID in brackets, e.g. "sshd[76927]:"
    regex("^[A-Za-z0-9_.-]+\\[\\d+\\]:$", to_string($message.source)).matches == true
then
    set_field("source", "pfSense-Router");
end

Syntax-wise it seems to be OK, but there aren’t any messages being processed by this rule and I can’t figure out why. Any help would be awesome and appreciated :slight_smile:
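An added example, not from the thread or from Graylog: a small Python harness that runs regex patterns over sample `source` values to show which ones a rule of this shape would rewrite. It assumes, as the poster states, that the source field holds the syslog program tag verbatim including the trailing colon (`php-fpm:`, `sshd[76927]:`), and that a real hostname never ends in a colon, which is what makes the colon a safe discriminator. The function names and the sample values are constructed for the example; the patterns use only syntax that is identical in Java (Graylog) and Python.

```python
import re

# Candidate patterns for a source that is really a syslog program tag.
# Written as plain Python raw strings; inside a Graylog rule string each
# backslash would be doubled ("\\[", "\\d").
PROGRAM_RE = re.compile(r"^[A-Za-z0-9_.-]+:$")           # e.g. "php-fpm:"
PROGRAM_PID_RE = re.compile(r"^[A-Za-z0-9_.-]+\[\d+\]:$")  # e.g. "sshd[76927]:"

# Patterns that require exactly one lowercase letter before the colon or
# bracket, kept here to show why a multi-character program name never matches.
SINGLE_LETTER_RES = [re.compile(r"^[a-z]:"), re.compile(r"^[a-z]\[d+\]:")]


def looks_like_program_tag(source: str) -> bool:
    """True when the source is a program tag rather than a hostname."""
    return bool(PROGRAM_RE.match(source) or PROGRAM_PID_RE.match(source))


def matches_single_letter(source: str) -> bool:
    """True when one of the single-letter patterns would have matched."""
    return any(p.search(source) for p in SINGLE_LETTER_RES)


def rewrite_source(message: dict, new_source: str = "pfSense-Router") -> dict:
    """Mimic set_field("source", ...) guarded by the rule's condition."""
    if looks_like_program_tag(message.get("source", "")):
        return {**message, "source": new_source}
    return message


# Constructed sample values: two program tags and two legitimate hostnames.
SAMPLE_SOURCES = ["php-fpm:", "sshd[76927]:", "pfSense", "192.168.0.1"]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(f"{src!r:16} program tag: {looks_like_program_tag(src)!s:5} "
              f"single-letter match: {matches_single_letter(src)}")
```

Running it shows that the two program tags are rewritten while the plain hostname and the IP address are left alone, and that the single-letter patterns match none of the four values, so a rule built on them never fires.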

To start with the most obvious question: did you attach the pipeline to the stream that receives the messages?

Yep. I have two separate streams for the pfSense logs: one for the firewall, another for all the other syslog stuff. I also attached it to the all messages stream in case the rules for my custom streams weren’t being met for some reason.