Good day. Please tell me if there are any templates or examples of writing Content Packs?
I didn’t find any ready-made ones, so I’ll have to do it myself. I’m not a programmer - so any help would be good.
Hello,
Not sure what version of GL you're using, but this may help.
Or maybe something here might help.
Hello, I tried to figure it out on my own, but the attempt was unsuccessful.
Graylog 4.0.5 + d95b909 on log (Private Build 1.8.0_282 on Linux 5.4.0-70-generic)
I get the data as follows
firewall, info MONITOR-PORT ----: MONITOR-PORT ---- prerouting: in: vlan-2445 out: (unknown 0), src-mac ac: ac: ac: ac: ac: ce, proto TCP SYN), 11.222.333.44:12345678->22.333.333.333:22, len 40
I need to display IP1 (11.222.333.44), IP2 (22.333.333.333), port1 (12345678) and port2 (22).
Unfortunately, I did not find a ready solution.
I tried the following regular expression:
(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
But in Grok patterns I see only the first occurrence, and besides, I do not know how to separate the port.
I checked this expression on a third-party site regex101.
Could you help me with that?
@Djalin
Hello,
I’m still learning GROK patterns and Regex. I did a test with the information above. Maybe this might give you a head start. I used this to start with; perhaps you can build on that, or someone here has a better way.
(?:[+-]?(?:[0-9]+)).(?:[+-]?(?:[0-9]+)).(?:[+-]?(?:[0-9]+)).(?:[+-]?(?:[0-9]+))
Example:
Hope that helps
Good day, but how do I get the second IP?
I need both values.
Why not use this simple grok pattern?
%{IPORHOST:IP1}:%{POSINT:port1}->%{IPORHOST:IP2}:%{POSINT:port2}
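To show what that grok pattern actually does to the sample line, here is an added example (not from the thread or from Graylog itself) that expands a subset of Graylog's built-in grok definitions into a Python regex and runs it over the posted log line. It assumes an IPv4-only IP definition; the real one also accepts IPv6.

```python
import re

# Subset of the built-in grok definitions (assumption: IPv4 only; Graylog's
# real IP pattern also accepts IPv6, which is omitted here for brevity).
GROK = {
    "POSINT":   r"\b(?:[1-9][0-9]*)\b",
    "IPV4":     r"(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
                r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?![0-9])",
    "IP":       r"(?:%{IPV4})",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})"
                r"(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)",
    "IPORHOST": r"(?:%{IP}|%{HOSTNAME})",
}
REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def expand(pattern: str) -> str:
    """Recursively turn %{NAME:field} into a named group and %{NAME} into a plain group."""
    def sub(m):
        body = expand(GROK[m.group(1)])
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return REF.sub(sub, pattern)

# The pattern suggested in the reply above.
PATTERN = "%{IPORHOST:IP1}:%{POSINT:port1}->%{IPORHOST:IP2}:%{POSINT:port2}"
RE = re.compile(expand(PATTERN))

def extract(line: str) -> dict:
    """Return the four named fields, or an empty dict when the line does not match."""
    m = RE.search(line)
    return m.groupdict() if m else {}

# Sample line copied from the question (obfuscated addresses: octets above 255
# are not valid IPv4, so they match through the HOSTNAME alternative of IPORHOST).
SAMPLE = ("firewall, info MONITOR-PORT ----: MONITOR-PORT ---- prerouting: in: vlan-2445 "
          "out: (unknown 0), src-mac ac: ac: ac: ac: ac: ce, proto TCP SYN), "
          "11.222.333.44:12345678->22.333.333.333:22, len 40")

if __name__ == "__main__":
    print(extract(SAMPLE))
```

Because IPORHOST also accepts hostnames, a value it captures is not guaranteed to be a syntactically valid IP; use %{IPV4:IP1} instead when you want the field to match only real IPv4 addresses.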