So I have logs coming in from pfSense and I have extractors working as expected to break out the firewall logs.
The issue I am running into is trying to run a regex search on a particular field. So, I can search the following just fine:
SourceIP:10.27.200.253 OR SourceIP:10.27.204.253 OR SourceIP:10.27.200.252 OR SourceIP:10.27.204.252
So, basically I have two gateways on each of my many subnets, so instead of listing every possible combination of subnet/gateway, I thought why not use regex.
So, using RegEx101.com to validate, I came up with the following regex to match either of my two gateways on all subnets:
So, in scouring for how to use regex in a search string in Graylog, I basically came up with having to “escape” the regex inside a pair of forward slashes, resulting in the following search string:
Unfortunately I get nothing back from that. Reading a little more, it looks like certain characters need to be escaped. Even though I didn’t see anything stating that added escaping is needed between the forward slashes, I tried it anyway:
Again, nothing. So, knowing the regex itself is correct, how do I get this to function in Graylog?
Graylog version: Graylog v4.2.6+0210617
OS: Ubuntu 20.04
Thanks in advance.
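One difference worth checking before blaming escaping: regex101 reports a match if the pattern occurs anywhere in the test string, whereas a `/.../` term in a Lucene-style query (which is what Graylog's search syntax is built on) becomes a RegexpQuery that must match the entire field value. The script below is an added example, not code from the post or from Graylog; the gateway pattern and the SourceIP samples are my own construction (the post's actual regex is not shown), and it assumes the field holds the bare IP string.

```python
import re

# Constructed sample of SourceIP values, roughly as pfSense might log them.
SAMPLE_SOURCE_IPS = [
    "10.27.200.253",   # gateway on 10.27.200.0/24
    "10.27.204.252",   # gateway on 10.27.204.0/24
    "10.27.12.253",    # gateway on a third subnet
    "10.27.200.25",    # ordinary host, not a gateway
    "10.27.200.2530",  # only matches if the pattern is not anchored at the end
    "110.27.200.253",  # only matches if the pattern is not anchored at the start
    "192.168.1.253",   # different network entirely
]

# Assumed pattern: either gateway (.252 or .253) on any 10.27.x.0/24 subnet.
# Written with constructs common to both PCRE and Lucene regexp syntax:
# literal dots are escaped and [0-9] is used instead of \d.
GATEWAY_PATTERN = r"10\.27\.[0-9]{1,3}\.25[23]"


def match_like_regex101(pattern, values):
    """regex101 semantics: the pattern may match anywhere inside the value."""
    return [v for v in values if re.search(pattern, v)]


def match_like_lucene(pattern, values):
    """Lucene RegexpQuery semantics: the pattern must consume the whole value."""
    return [v for v in values if re.fullmatch(pattern, v)]


def only_unanchored(pattern, values):
    """Values that look fine on regex101 but would not be returned by an
    anchored query; useful for spotting why a search comes back empty."""
    anchored = set(match_like_lucene(pattern, values))
    return [v for v in match_like_regex101(pattern, values) if v not in anchored]


if __name__ == "__main__":
    print("anchored (Lucene-style):", match_like_lucene(GATEWAY_PATTERN, SAMPLE_SOURCE_IPS))
    print("matched only unanchored:", only_unanchored(GATEWAY_PATTERN, SAMPLE_SOURCE_IPS))
```

If the anchored list contains the gateways you expect but Graylog still returns nothing, the pattern itself is fine and the problem lies elsewhere (how the field is stored, or how the slashes and special characters are escaped in the query).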