hkj
(Haider)
September 19, 2018, 1:03am
1
Hello all,
I have just started using Graylog and I am not having much success parsing logs from Snort installed on pfSense. I have followed this tutorial point by point and I still don’t see individual fields as shown at the end of this post.
Any help/insight is appreciated.
All I see is this
jan
(Jan Doberstein)
September 19, 2018, 6:57am
2
Did you create a processing pipeline and connect it to a stream that just holds all Snort messages?
hkj
(Haider)
September 19, 2018, 6:59am
3
Yep, I have everything configured as per instructions.
hkj
(Haider)
September 19, 2018, 7:03am
4
The simulation even works fine.
hkj
(Haider)
September 19, 2018, 8:51am
5
I had to change the order under System > Configurations.
I also changed the pipeline to use this code:
rule "Extract Snort alert fields"
when
    has_field("message")
then
    // Graylog's regex() returns a map keyed "0", "1", ... by capture group;
    // key "0" is the first capturing group, not the whole match.
    let m = regex("\\[(\\d+):(\\d+):(\\d+)\\] (.+?) \\[Classification: (.+?)\\] \\[Priority: (\\d+)]: \\<(.+?)\\> \\{(.+?)\\} (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})(:(\\d{1,5}))? -> (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})(:(\\d{1,5}))?\\R?", to_string($message.message));
    // The rule does not test m.matches, so it is meant to run only on a
    // stream that holds nothing but Snort messages; on any other message it
    // would still set snort_alert = true with empty fields.
    set_field("snort_alert", true);
    set_field("generator_id", m["0"]);
    set_field("signature_id", m["1"]);
    set_field("signature_revision_id", m["2"]);
    set_field("description", m["3"]);
    set_field("classification", m["4"]);
    set_field("priority", to_long(m["5"]));
    // m["6"] is the pfSense interface name inside <...>; it is captured but not stored.
    set_field("protocol", m["7"]);
    set_field("src_addr", m["8"]);
    // m["9"] and m["12"] are the optional ":port" wrappers; the digits are in
    // m["10"] and m["13"]. Port-less protocols such as ICMP leave them empty.
    set_field("src_port", to_long(m["10"]));
    set_field("dst_addr", m["11"]);
    set_field("dst_port", to_long(m["13"]));
end
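The following is an added example, not code from the forum post or from Graylog. It ports the rule's Java regex to Python's re module, keeps the same zero-based group-to-field mapping the rule uses, and runs it over constructed sample lines (made-up alerts in the "[gid:sid:rev] ... [Priority: n]: <iface> {proto} src -> dst" shape the rule expects, not captured data) so you can check the field mapping offline, including the ICMP case with no ports and a non-alert line, before deploying the rule.

```python
"""
Offline check of the Snort alert regex used in the pipeline rule above.
Added example: not code from the forum post or from Graylog. It ports the
Java regex that Graylog runs to Python's re module and exercises it on
constructed sample lines so the field mapping can be verified first.
"""
import re

# Port of the rule's pattern. Differences from the Java original:
#  - Graylog uses java.util.regex, where \R matches any line break; Python's
#    re has no \R, so the optional trailing newline is spelled out.
#  - \< and \> are written as plain < and >.
SNORT_ALERT_RE = re.compile(
    r"\[(\d+):(\d+):(\d+)\] (.+?) \[Classification: (.+?)\] \[Priority: (\d+)\]: "
    r"<(.+?)> \{(.+?)\} "
    r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))? -> "
    r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))?(?:\r?\n)?"
)

# Zero-based capture-group index -> Graylog field name, matching the rule.
# Graylog's regex() map key "0" is the first capturing group (Python group 1).
# Groups 9 and 12 are the optional ":port" wrappers and are not stored.
FIELD_BY_GROUP = {
    0: "generator_id",
    1: "signature_id",
    2: "signature_revision_id",
    3: "description",
    4: "classification",
    5: "priority",
    6: "interface",   # captured by the rule's regex but not stored by the rule
    7: "protocol",
    8: "src_addr",
    10: "src_port",
    11: "dst_addr",
    13: "dst_port",
}
LONG_FIELDS = {"priority", "src_port", "dst_port"}   # to_long() in the rule


def parse_snort_alert(message):
    """Return the fields the rule would set for one message, or None when the
    pattern does not match. (The rule as posted does not check m.matches, so
    on an unrelated message it would still set snort_alert=true with empty
    fields; hence the advice to feed it only a Snort stream.)"""
    m = SNORT_ALERT_RE.search(message)
    if m is None:
        return None
    fields = {"snort_alert": True}
    for idx, name in FIELD_BY_GROUP.items():
        value = m.group(idx + 1)
        if value is None:      # no port on ICMP and other port-less protocols
            continue
        fields[name] = int(value) if name in LONG_FIELDS else value
    return fields


# Constructed sample messages (message part only, after the syslog header).
# These are made-up alerts in the shape the rule's regex expects, not real data.
SAMPLE_LINES = [
    "[1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: <em0> {TCP} "
    "203.0.113.10:80 -> 192.0.2.25:49152",
    "[1:408:5] ICMP Echo Reply [Classification: Misc activity] [Priority: 3]: "
    "<em0> {ICMP} 192.0.2.1 -> 198.51.100.7",
    "snort[12345]: Starting rule set",   # not an alert line: must not match
]


def check_samples(lines=SAMPLE_LINES):
    """Parse every sample; returns a list of (line, fields-or-None)."""
    return [(line, parse_snort_alert(line)) for line in lines]


if __name__ == "__main__":
    for line, fields in check_samples():
        print("NO MATCH" if fields is None else fields, "<-", line[:60])
```

Paste a few real message bodies from your own Snort input into SAMPLE_LINES; if they come back as NO MATCH here, the Graylog rule will not populate the fields either, and the mismatch (usually the "]: <iface>" part, which depends on the pfSense Snort package's syslog format) is what to fix in the regex.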
system
(system)
Closed
October 3, 2018, 8:51am
6
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.