Hi Guys,
I am having a problem setting up the Graylog pipeline from pfSense. I did all the steps from this site: https://marketplace.graylog.org/addons/0545fc93-0b4a-4a59-a695-f3c1b6c10654
The IDS/IPS is Suricata.
This is the regex:
rule "Extract Snort alert fields"
when
    has_field("message")
then
    let m = regex("\s?\[(\d+):(\d+):(\d+)\] (.+?) \[Classification: (.+?)\] \[Priority: (\d+)]: \<(.+?)\> \{(.+?)\} (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))? -> (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))?\R?", to_string($message.message));
    set_field("snort_alert", true);
    set_field("generator_id", m["0"]);
    set_field("signature_id", m["1"]);
    set_field("signature_revision_id", m["2"]);
    set_field("description", m["3"]);
    set_field("classification", m["4"]);
    set_field("priority", to_long(m["5"]));
    set_field("interface", m["6"]);
    set_field("protocol", m["7"]);
    set_field("src_addr", m["8"]);
    set_field("src_port", to_long(m["10"]));
    set_field("dst_addr", m["11"]);
    set_field("dst_port", to_long(m["13"]));
end
This is the stream rule: ^\s?[\d+:\d+:\d+].
Any ideas, guys? Thank you.
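As an added example (not part of the original post or the marketplace content), here is the rule's regex run in Python against two constructed alert lines, so you can see which capture group feeds which Graylog field and check whether your own log lines match at all. The Java-only `\R?` is dropped because Python's `re` has no equivalent; the sample lines, addresses and the `igb0` interface name are made up.

```python
import re

# The pipeline rule's regex, minus the trailing "\R?" (a Java-only linebreak escape
# that Python's re does not support). Everything else is kept as in the rule.
ALERT_RE = re.compile(
    r"\s?\[(\d+):(\d+):(\d+)\] (.+?) \[Classification: (.+?)\] \[Priority: (\d+)]: "
    r"\<(.+?)\> \{(.+?)\} (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))? -> "
    r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))?"
)

# Graylog's regex() exposes capture group 1 as m["0"], group 2 as m["1"], and so on,
# so Python's group(n) is the rule's m[str(n - 1)]. Groups 10 and 13 (":port" with the
# colon) are skipped, exactly as the rule skips m["9"] and m["12"].
FIELD_BY_GROUP = {
    1: "generator_id", 2: "signature_id", 3: "signature_revision_id",
    4: "description", 5: "classification", 6: "priority", 7: "interface",
    8: "protocol", 9: "src_addr", 11: "src_port", 12: "dst_addr", 14: "dst_port",
}

def extract_snort_fields(message):
    """Return the fields the pipeline rule would set, or None if the regex does not match."""
    m = ALERT_RE.search(message)
    if m is None:
        return None
    fields = {"snort_alert": True}
    for group, name in FIELD_BY_GROUP.items():
        value = m.group(group)
        if name in ("priority", "src_port", "dst_port"):
            # to_long() in the rule; None here when the optional port group is absent
            value = int(value) if value is not None else None
        fields[name] = value
    return fields

# Constructed sample lines (not real alerts, not from the original post). The first has
# the "]: <interface> {proto}" segment the rule expects; the second omits ": <interface>".
SNORT_STYLE = ("[1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
               "[Classification: Potentially Bad Traffic] [Priority: 2]: <igb0> {TCP} "
               "198.51.100.7:80 -> 192.0.2.20:51234")
NO_IFACE = ("[1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
            "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
            "198.51.100.7:80 -> 192.0.2.20:51234")

if __name__ == "__main__":
    for line in (SNORT_STYLE, NO_IFACE):
        print(extract_snort_fields(line) or "NO MATCH - the rule would set no fields")
```

Paste one of your actual pfSense/Suricata message lines in place of the constructed ones: if it prints NO MATCH, the pipeline rule will not set any fields either, and the segment where the line diverges from the pattern is where to adjust the regex.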