Pipeline preparsing

I have a log message like this:
message: Feb 24 14:52:52 vpn SSLVPN: id=sslvpn sn=004010249FA6 time=“2022-02-24 14:52:52” vp_time=“2022-02-24 13:52:52 UTC” fw=192.168.2.2 pri=5 m=18 c=101 src=93.202.89.233 dst=192.168.2.2 user=“haa69989@IK-T” usr=“haa69989@IK-T” msg=“NetExtender connected” rule=access-policy proto=NetExtender nxClientIPAddress=192.168.3.16 nxClientIPv6Address= agent=“SonicWALL NetExtender for Windows 10.2.322 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1) x86_64” geoCountryID=“58” geoCountryName=“Germany” geoRegionName=“Bayern” geoCityName=“Schwandorf In Bayern”

I want to add a pipeline rule, but it looks like Graylog is preparsing my message. It looks like this if I add it to the rule simulation and try it out.

Feb 24 14:52:52 vpn SSLVPN:id:sslvpn sn:004010249FA6 time:2022-02-24 14:52:52 vp_time:2022-02-24 13:52:52 UTC fw:192.168.2.2 pri:5 m:18 c:101 src:93.202.89.233 dst:192.168.2.2 user:haa69989@IK-T usr:haa69989@IK-T msg:NetExtender connected rule:access-policy proto:NetExtender nxClientIPAddress:192.168.3.16 nxClientIPv6Address:agent:SonicWALL NetExtender for Windows 10.2.322 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1) x86_64 geoCountryID:58 geoCountryName:Germany geoRegionName:Bayern geoCityName:Schwandorf In Bayern

Without quoted strings it is really hard for me to parse the logs. Can I somehow disable this preprocessing feature?

Please use the formatting tool </> available in the post editor to make it look clearer.

put your log here

Also you just doxxed someone/yourself or a client of yours, depending on where this log comes from. In future posts, I’d advise you to hide/obfuscate public IP addresses, locations and usernames… If it’s a professional setting you may have a lot of trouble for leaking sensitive data. If it’s not, it’s still a good idea to hide/obfuscate the data. For example, write an IP address like x.x.x.x or something.

A bit more information would be useful. By which log collector does the log arrive? What’s the original format? Is it json? What rule are you trying to create? What do you want to do?

For testing I'm using a script which sends the original logs to Graylog via TCP.

The original format is:

Feb 24 14:52:52 vpn SSLVPN: id=sslvpn sn=004010249FA6 time=“2022-02-24 14:52:52” vp_time=“2022-02-24 13:52:52 UTC” fw=192.168.2.2 pri=5 m=18 c=101 src=x.x.x.x dst=192.168.2.2 user=“haa69989” usr=“haa69989” msg=“NetExtender connected” rule=access-policy proto=NetExtender nxClientIPAddress=192.168.3.16 nxClientIPv6Address= agent=“SonicWALL NetExtender for Windows 10.2.322 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1) x86_64” geoCountryID=“58” geoCountryName=“Germany” geoRegionName=“Bayern” geoCityName=“Schwandorf In Bayern”

I created a pipeline, and when I test my grok pattern it seems like the “” in the log pattern are gone. Now it is harder to parse the message.
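The parsing problem discussed in this thread, as an added example that is not part of any post and is not Graylog code: a standalone Python sketch showing why the quotes matter for this key=value layout and how a list of known keys can recover multi-word values once the quotes are gone. The sample line, its placeholder values, and the function names `parse_kv` and `parse_unquoted` are assumptions made for illustration.

```python
import re

# Constructed sample in the same key=value layout as the log in the thread.
# Serial number, user name and public IP are made-up placeholders.
SAMPLE = (
    'Feb 24 14:52:52 vpn SSLVPN: id=sslvpn sn=0000EXAMPLE00 '
    'time="2022-02-24 14:52:52" fw=192.168.2.2 pri=5 src=203.0.113.7 '
    'user="jdoe" msg="NetExtender connected" proto=NetExtender '
    'nxClientIPv6Address= agent="Example Client 1.0 (compatible; x86_64)" '
    'geoCityName="Schwandorf In Bayern"'
)

# A key, then either a double-quoted value (may contain spaces) or a bare
# token. The bare token may be empty, as in "nxClientIPv6Address= ".
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_kv(line):
    """Parse key=value pairs whose values may be double-quoted."""
    return {key: (quoted if quoted else bare)
            for key, quoted, bare in PAIR.findall(line)}


def parse_unquoted(line, keys):
    """Fallback for a line that lost its quotes: each value runs up to the
    next known key. Ambiguous if a value itself contains ' <key>='."""
    alt = "|".join(re.escape(k) for k in sorted(keys, key=len, reverse=True))
    marker = re.compile(r'(?:^|(?<=\s))(' + alt + r')=')
    hits = list(marker.finditer(line))
    fields = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
        fields[hit.group(1)] = line[hit.end():end].strip()
    return fields


if __name__ == "__main__":
    quoted = parse_kv(SAMPLE)
    stripped = SAMPLE.replace('"', '')  # simulate the quotes being lost
    print(quoted["msg"])                                   # full value
    print(parse_kv(stripped)["msg"])                       # truncated value
    print(parse_unquoted(stripped, quoted.keys())["msg"])  # recovered value
```

The fallback only works when the full set of field names is known in advance, which is why keeping the original quoted message intact is the more robust option.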