Hello Graylog Community,
I know I can use this in a stream, where I can have a regex contains [a-zA-Z0-9/+=]{500}
I’m using that to look for Base64 encoded commands
But how could I use that in a regular search in Graylog?
Running as a stream tends to die due to excessive processing time
I tried escaping the characters but always for the giant screen of fail
All insight is appreciated
Thanks
TP
I would try to extract that with a processing pipeline having that in a single field would make it easy to search for.
extracting the information makes it more easy to search and compare messages.
The documentation is a bit spotty and I’m having some issues piecing this together. Would you have a pipeline example with the syntax listed here so I can sort of assemble my mind around this? I think once I get the idea it will become clear.
All insight is appreciated!!
without knowing your data it is impossible to build a processing pipeline that makes sense.
Understood.
This Regex in question is a simple query against the command line field in GELF coming from windows machines.
Looking for stuff like
jusched.exe /c asklhfalksdhflksadjhnflaskjdncvlsadkjnclksjadnclkjasnclkjsddclkjanlskdjncksjddlkcajnadskjcnlksjdandclkjsadclkjnsdlkjcdnlakjndckjsadclkajdslkcjnaslkdjnclkjasdncdkljdnlcjdsnckweijsdjnckasdnc
Which would be an encoded command.
Does that help any?
You should rewrite it based on your needs, but here is a working example.
rule "elastic server address"
when
contains(to_string($message.message), "Retrying request to")
then
set_field("elastic_ip", regex("http://(.*):9200" ,to_string($message.message))["0"]);
end
The pipeline can encode base64, I would store the encoded version also, maybe it is better for search.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.