Newb grok pattern matching assistance


(Greg Terkanian) #1

So I attempted to use some of the Firepower extractors from the marketplace, and they seem incomplete or non-functional for my 6.2.2 Firepower components, so I decided to create/edit them myself. I think I understand the pattern-matching regex pretty well. The problem is it just doesn't seem to be matching the optional group at the end of the string. Here is an example of when the "URL: " field is present:

(examples removed due to new user url restrictions)

I think ideally I'd like to use just a generic key/value extraction function that matches these delimiters (I see a lot of examples for the kv plugin for Logstash, but can't seem to find examples for Graylog), since the connection event table for Firepower seems to have a lot of optional fields. An example of this would be mucho appreciated. I believe this would be done with set_fields(key_value())??

PS: If I posted wrong or in the wrong place, I apologize.

Thanks.


(Greg Terkanian) #2

Message (syslog):
RECFPWR1 SFIMS: Protocol: TCP, SrcIP: 172.18.24.11, OriginalClientIP: ::, DstIP: 23.10.240.161, SrcPort: 61618, DstPort: 80, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, DE: Primary Detection Engine (3a91ecde-2f28-11e7-a2c4-a1374b6fcca6), Policy: REC Access Control Policy, ConnectType: End, AccessControlRuleName: Default Rule, AccessControlRuleAction: Allow, Prefilter Policy: Unknown, UserName: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36, Client: Chrome, ClientVersion: 67.0.3396.87, ApplicationProtocol: HTTP, WebApplication: AccuWeather, InitiatorPackets: 6, ResponderPackets: 5, InitiatorBytes: 935, ResponderBytes: 884, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, HTTPResponse: 304, HTTPReferer: http://premiuma.accuweather.com/premium/radar.asp?LocationID=23226_PC&display=0&site=wi_&level=state&anim=1, ReferencedHost: admin.brightcove.com, URLCategory: Unknown, URLReputation: Risk unknown, URL: http://admin.brightcove.com/js/BrightcoveExperiences.js

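The message above has two properties that defeat a naive "split on comma, then on colon" key/value extractor: the UserAgent value contains a comma (`KHTML, like Gecko`), and the URL values contain colons. In my reading of Graylog's `key_value()` function, its delimiters are sets of single characters, so a `,`/`:` configuration would cut the UserAgent at its comma; an extractor that splits only where a comma is followed by `Key: ` avoids that, and it also makes the trailing optional `URL:` field a non-issue, since a pair that is absent is simply not emitted. The following is an added example, not code from the thread or from Graylog or Cisco; it parses the constructed sample (the event quoted above, plus a copy with the URL field removed), converts the numeric fields, and rewrites keys containing spaces (`Prefilter Policy`) so they can be used as field names. The field-name list and numeric conversions are my assumptions about which fields are worth typing:

```python
"""Key/value extractor for Cisco Firepower SFIMS connection events.

Added example (not the original poster's or Graylog's code). Splits pairs
only at ", " immediately followed by "Key: ", so commas inside values such as
the UserAgent are preserved and an absent trailing "URL:" field is handled
by simply not appearing in the result.
"""
import re
from typing import Dict, Union

# Constructed sample: the connection event quoted in the post, as one line.
SAMPLE_WITH_URL = (
    "RECFPWR1 SFIMS: Protocol: TCP, SrcIP: 172.18.24.11, OriginalClientIP: ::, "
    "DstIP: 23.10.240.161, SrcPort: 61618, DstPort: 80, TCPFlags: 0x0, "
    "IngressInterface: inside, EgressInterface: outside, "
    "DE: Primary Detection Engine (3a91ecde-2f28-11e7-a2c4-a1374b6fcca6), "
    "Policy: REC Access Control Policy, ConnectType: End, "
    "AccessControlRuleName: Default Rule, AccessControlRuleAction: Allow, "
    "Prefilter Policy: Unknown, UserName: No Authentication Required, "
    "UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36, Client: Chrome, "
    "ClientVersion: 67.0.3396.87, ApplicationProtocol: HTTP, "
    "WebApplication: AccuWeather, InitiatorPackets: 6, ResponderPackets: 5, "
    "InitiatorBytes: 935, ResponderBytes: 884, "
    "NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, "
    "Sinkhole: Unknown, HTTPResponse: 304, "
    "HTTPReferer: http://premiuma.accuweather.com/premium/radar.asp"
    "?LocationID=23226_PC&display=0&site=wi_&level=state&anim=1, "
    "ReferencedHost: admin.brightcove.com, URLCategory: Unknown, "
    "URLReputation: Risk unknown, "
    "URL: http://admin.brightcove.com/js/BrightcoveExperiences.js"
)
# Constructed variant: same event with the optional trailing URL field absent.
SAMPLE_WITHOUT_URL = SAMPLE_WITH_URL.rsplit(", URL: ", 1)[0]

# "<host> SFIMS: <key: value pairs>"
HEADER_RE = re.compile(r"^(?P<host>\S+) SFIMS: (?P<body>.+)$")
# Split only on ", " that is immediately followed by "<Key>: ". Keys are
# letters, optionally with spaces (e.g. "Prefilter Policy"). The comma in
# "(KHTML, like Gecko)" is followed by "like Gecko)" and is therefore kept.
PAIR_SPLIT_RE = re.compile(r", (?=[A-Za-z][A-Za-z ]*: )")

# Assumed sets of fields worth converting from text (my choice, not Cisco's).
INT_FIELDS = {"SrcPort", "DstPort", "InitiatorPackets", "ResponderPackets",
              "InitiatorBytes", "ResponderBytes", "HTTPResponse"}
HEX_FIELDS = {"TCPFlags"}


def parse_firepower_event(line: str) -> Dict[str, Union[str, int]]:
    """Return the event as a dict of field name -> value.

    Keys with spaces are rewritten with underscores so they can serve as
    field names. Raises ValueError on a line that is not an SFIMS event or
    contains a pair without a "key: value" separator.
    """
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a Firepower SFIMS event: %r" % line[:60])
    fields: Dict[str, Union[str, int]] = {"host": m.group("host")}
    for pair in PAIR_SPLIT_RE.split(m.group("body")):
        key, sep, value = pair.partition(": ")  # first ": " only; URLs keep theirs
        if not sep:
            raise ValueError("malformed key/value pair: %r" % pair)
        name = key.replace(" ", "_")
        if key in INT_FIELDS:
            fields[name] = int(value)
        elif key in HEX_FIELDS:
            fields[name] = int(value, 16)
        else:
            fields[name] = value
    return fields


def has_url(fields: Dict[str, Union[str, int]]) -> bool:
    """True when the optional URL field was present in the event."""
    return "URL" in fields


if __name__ == "__main__":
    for sample in (SAMPLE_WITH_URL, SAMPLE_WITHOUT_URL):
        parsed = parse_firepower_event(sample)
        print("fields=%d url_present=%s" % (len(parsed), has_url(parsed)))
        print("  UserAgent:", parsed["UserAgent"])
        print("  URL:", parsed.get("URL", "<absent>"))
```

The one input this splitter cannot disambiguate is a value that itself contains `, Something: `; none of the fields in the sample do, but if a free-text field such as UserName ever did, the pair boundary would have to come from an explicit list of known keys instead of the generic lookahead.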

(system) #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.