Hello everybody,
I am Dirk from Germany. I am a newbie with Graylog. Most of my problems I solved with good internet documentation and YouTube :-). But now I have a problem with the pipeline rules and a grok pattern.
The following grok pattern works fine within the extractor.
action=%{QUOTEDSTRING:action}\s*.*\s*srcip=\"%{IPV4:SourceIP}\"\s*dstip=\"%{IPV4:DestinationIP}\"\s*.*\s*srcport=\"%{POSINT:SourcePORT}\"\s*dstport=\"%{POSINT:DestinationPORT}\"
But the following code for the pipeline rule doesn’t work.
rule "SOPHOS UTM SYSLOG RULE"
when
has_field("message")
then
let message_field = to_string($message.message);
let fw = grok(pattern: "action=%{QUOTEDSTRING:action}\s*.*\s*srcip=\"%{IPV4:SourceIP}\"\s*dstip=\"%{IPV4:DestinationIP}\"\s*.*\s*srcport=\"%{POSINT:SourcePORT}\"\s*dstport=\"%{POSINT:DestinationPORT}\"", value: message_field, only_named_captures: true);
set_fields(fw);
end
I can’t save the rule. I see no red x on the left side if I write the code by hand. If I cut and paste from my notepad into the rule editor I get a red x on line 7 on the left side.
At the moment I work with Graylog version Graylog v3.0.2+1686930 and Elasticsearch-oss 6.8.2.
I hope one of you can help me and can tell me what mistake I have made.
Solution: I have to escape the backslash and the double quotes. Both are special characters.
Thanks a lot.
Best regards
Dirk
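The escaping Dirk describes in his solution, worked through on his pattern, as an added example (Python, not from the original post and not Graylog's own code): the helper doubles every backslash and then prefixes every double quote to produce the string literal the rule editor accepts, renders the full rule, and checks the pattern against a constructed Sophos UTM line using simplified stand-ins for the QUOTEDSTRING, IPV4 and POSINT grok primitives (an assumption; Graylog's built-in definitions are longer).

```python
import re

# Constructed Sophos UTM packetfilter line (not taken from the original post).
SAMPLE_LINE = (
    'ulogd[1234]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" '
    'name="Packet dropped" action="drop" fwrule="60001" initf="eth0" '
    'srcip="10.0.0.5" dstip="192.0.2.10" proto="6" length="60" ttl="64" '
    'srcport="51234" dstport="443" tcpflags="SYN"'
)

# The grok pattern exactly as typed into the extractor (raw regex text).
RAW_GROK = (
    r'action=%{QUOTEDSTRING:action}\s*.*\s*srcip=\"%{IPV4:SourceIP}\"\s*'
    r'dstip=\"%{IPV4:DestinationIP}\"\s*.*\s*srcport=\"%{POSINT:SourcePORT}\"\s*'
    r'dstport=\"%{POSINT:DestinationPORT}\"'
)

# Simplified regex equivalents of the three grok primitives (assumption).
GROK_PRIMITIVES = {
    "QUOTEDSTRING": r'"[^"]*"',
    "IPV4": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "POSINT": r"\b[1-9][0-9]*\b",
}


def to_pipeline_literal(raw: str) -> str:
    """Raw grok pattern -> pipeline-rule string literal.
    Backslashes are doubled first; otherwise the backslash inserted before
    each double quote would itself get doubled in the second step."""
    escaped = raw.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def pipeline_rule(raw: str) -> str:
    """Render the complete rule with the correctly escaped pattern argument."""
    return (
        'rule "SOPHOS UTM SYSLOG RULE"\nwhen\n  has_field("message")\nthen\n'
        "  let message_field = to_string($message.message);\n"
        f"  let fw = grok(pattern: {to_pipeline_literal(raw)}, "
        "value: message_field, only_named_captures: true);\n"
        "  set_fields(fw);\nend"
    )


def grok_to_regex(raw: str) -> str:
    """Expand each %{NAME:field} reference into a named Python regex group."""
    return re.sub(r"%\{(\w+):(\w+)\}",
                  lambda m: f"(?P<{m.group(2)}>{GROK_PRIMITIVES[m.group(1)]})", raw)


def extract(line: str, raw: str = RAW_GROK) -> dict:
    """Apply the pattern to one log line; returns {} when it does not match."""
    m = re.search(grok_to_regex(raw), line)
    return m.groupdict() if m else {}
```

Pasting `pipeline_rule(RAW_GROK)` into the rule editor gives the escaped form; the red x on the grok line disappears because every `\s` has become `\\s` and every quote inside the literal is `\"`.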