Ntop-NG to Graylog

I'm looking for some help with using Graylog as my graphing system for ntopng. I'm not great with coding and other things; I know what I'm looking for and the results I want. I've had a look at a lot of guides but just can't get my head around splitting up my subject into a meaningful breakdown.

I've tried different things but nothing gives me the results I'm looking for. I need to extract a breakdown of the message field; for example, it looks like the attached:

message
[28/01/2023 19:19:05] [ue0] [Error] [Suspicious DGA Domain][Flow][joes mobile:49364 router:53] Suspicious DGA Domain [pull-f5-tt02-infra.fcdn.us.tiktokv.com.c.worldfcdn2.com]

I am so disappointed that I can't do this; maybe I'm just getting the syntax wrong when I try to use the extractor with grok. Can anyone please help? Thanks, even giving me good pointers just to extract the web address would help, then I can create more extractors based on that.

Thanks for reading,

Still trying here. I watched a YouTube video and tried to follow it closely, but I get stuck after his description. Basically I only got the first part done (ue0) and I can't get any further. I think it's these symbols that are stopping it from processing: [ ]. He doesn't have these in his log and I'm not sure how to ignore or pass them in grok.

I've tried this:

12. Graylog 3.0 Grok Patterns, Extractors and Pipelines || part 1 - YouTube

[re0] or [ue0] - I managed to get this to pull through using the video instructions, but he had none of these [] in his log
[Notice] or [Error]
[Unidirectional UDP Traffic] or [Suspicious DGA Domain]
[Flow]
[Address:port IP:port]
Unidirectional UDP Traffic

Hello && Welcome Joe

First, here is a link to a three-part series on tracking security alerts that may be helpful. It goes more into depth than what you are initially doing, but it will give you some good direction for parsing out messages and how to stage how things are handled based on the detail of the event.

With Graylog, Extractors and the Pipeline are pretty much the same thing; you can work all in one, or the other, or in both. My preference is Pipelines, and I always pick on @gsmith when I am asking about Extractors since he is The Batman there. Whichever way you go, you will want to learn more about GROK and the underlying regex. There are other tools too, but knowing these will help, as will being able to test out in Graylog as well as in some online testers for regex and GROK. My preference would be to handle it all in pipeline rules.

GROK and regex have special characters like the [] that you need to escape if you want to use them literally, so it would be \[\]. In the case of pipelines, if you are embedding GROK/regex into the rule code you have to escape twice by the nature of how pipeline rules work, so: \\[\\]. Along the same lines, when you post things in the forum here you can use the forum tool </> against what you are typing so that it will look like [] … I edited your post a bit with it for clarity.

Hope that gets you started and answers some of your questions!

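As an added example (not code from either poster or from Graylog itself), the following Python script shows the escaping point above applied to the ntopng message quoted in the question. It carries the GROK pattern you would paste into an extractor, the double-escaped form a pipeline rule needs, and a plain named-group regex that does the same split so the parse can be run and checked offline. The second sample line and the field names (iface, severity, alert, scope, src, dst, detail, domain) are assumptions made for the example, not names Graylog or ntopng dictate.

```python
import re

# ntopng alert lines as they arrive in Graylog's message field. The first is the
# line quoted in the question; the second is a constructed sample in the same shape.
SAMPLE_LINES = [
    "[28/01/2023 19:19:05] [ue0] [Error] [Suspicious DGA Domain][Flow]"
    "[joes mobile:49364 router:53] Suspicious DGA Domain "
    "[pull-f5-tt02-infra.fcdn.us.tiktokv.com.c.worldfcdn2.com]",
    "[28/01/2023 19:20:11] [re0] [Notice] [Unidirectional UDP Traffic][Flow]"
    "[192.0.2.10:5353 192.0.2.1:5353] Unidirectional UDP Traffic",
]

# GROK form of the split, as you would type it into an extractor. The literal
# brackets are escaped once (\[ and \]) because an unescaped [ starts a character
# class. Field names after the colon are this example's choice.
GROK_PATTERN = (
    r"\[%{DATA:timestamp}\] \[%{WORD:iface}\] \[%{WORD:severity}\] "
    r"\[%{DATA:alert}\]\[%{WORD:scope}\]\[%{DATA:src} %{DATA:dst}\] "
    r"%{GREEDYDATA:detail}"
)

# Inside a pipeline rule the pattern sits in a quoted string, so every backslash
# has to be written twice: \\[ and \\]. Derived mechanically from GROK_PATTERN.
PIPELINE_RULE_PATTERN = GROK_PATTERN.replace("\\", "\\\\")

# Plain-regex equivalent of GROK_PATTERN with named groups. This is what the
# script actually runs, so it needs no Graylog instance. The src/dst groups are
# lazy because a host name may itself contain a space ("joes mobile:49364").
NTOPNG_RE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\] \[(?P<iface>\w+)\] \[(?P<severity>\w+)\] "
    r"\[(?P<alert>[^\]]+)\]\[(?P<scope>\w+)\]"
    r"\[(?P<src>[^\]]+?:\d+) (?P<dst>[^\]]+?:\d+)\] "
    r"(?P<detail>.*)$"
)

# The trailing [domain] on DGA alerts; absent on alerts such as Unidirectional UDP.
DOMAIN_RE = re.compile(r"\[([^\]]+)\]\s*$")


def escaped_brackets_match():
    """Show why the unescaped form fails: [ue0] as a regex is a character
    class matching one of u, e or 0, not the literal text "[ue0]"."""
    unescaped = re.match(r"[ue0]", "[ue0]") is not None
    escaped = re.match(r"\[ue0\]", "[ue0]") is not None
    return unescaped, escaped


def parse_ntopng_alert(line):
    """Split one ntopng alert line into fields; return None if it does not fit."""
    m = NTOPNG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # Break "host:port" endpoints apart; rpartition keeps spaces in host names.
    for key in ("src", "dst"):
        host, _, port = fields[key].rpartition(":")
        fields[key + "_host"] = host
        fields[key + "_port"] = int(port)
    dm = DOMAIN_RE.search(fields["detail"])
    fields["domain"] = dm.group(1) if dm else None
    return fields


if __name__ == "__main__":
    print("extractor pattern :", GROK_PATTERN)
    print("pipeline pattern  :", PIPELINE_RULE_PATTERN)
    print("unescaped/escaped :", escaped_brackets_match())
    for line in SAMPLE_LINES:
        for k, v in parse_ntopng_alert(line).items():
            print(f"  {k:<10} {v}")
        print()
```

Once the split works in the regex form, the GROK_PATTERN string can be tested as-is in Graylog's extractor tester, and the PIPELINE_RULE_PATTERN form inside a grok() call in a rule; the domain field is the "web address" the question asks about, which only exists on alerts that end in a bracketed name.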

Thank you for coming back and answering my questions. I'm not a great speller but I like to learn. Let's see where I get to with this; will keep you posted :+1: :+1: many thanks
