Hello, I created a pipeline with the guide from here. I am on Graylog v3.2.3. Using Sophos XG on 17.5
I am trying to add in some more pipeline rules to sort out additional event types to be able to get source IPs from VPN logs and be able to geolocate it so I have the following rule. The issue I am running into is that it is not extracting the src_ip even if I change that to match the remoteinterfaceip. The simulation trace is showing that the rule is being satisfied but there is no added field for the src_ip. What am I doing wrong?
rule "XG IPSec Event"
when
    // Only IPSec system events from the XG firewall
    (to_string($message.log_sub_type) == "System") && (to_string($message.log_component) == "IPSec")
then
    // Pull status, priority, remote IP and the free-text message out of the raw line
    set_fields(
        grok(
            pattern: "(status=%{QUOTEDSTRING:status})?%{SPACE}priority=%{WORD:priority}%{SPACE}(status=%{QUOTEDSTRING:status}%{SPACE}src_ip=%{DATA:remoteinterfaceip})?%{GREEDYDATA}message=%{QUOTEDSTRING:system_message}",
            value: to_string($message.message),
            only_named_captures: true
        )
    );
end
A sample of a message received is
<29>device="SFW" date=2020-03-16 time=09:54:23 timezone="EDT" device_name="XG" device_id=REDACTED log_id=062511517801 log_type="Event" log_component="IPSec" log_subtype="System" status="Established" priority=Notice user_name="REDACTED" connectionname="IPSEC" connectiontype="0" localinterfaceip=REDACTED localgateway= localnetwork="0.0.0.0/0" remoteinterfaceip=REDACTED remotenetwork="x.x.x.x/32" message="IPSEC - IPSec Connection IPSEC between x.x.x.x and x.x.x.x established. (Remote: x.x.x.x)"
Thank you.
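An added illustration (not from the post or from Graylog): the grok pattern above, expanded by hand into a plain regex and run against a constructed copy of the sample line, next to a key=value parser for the Sophos XG log format. It shows why the optional `src_ip=` group never captures anything (the line carries `remoteinterfaceip=`, not `src_ip=`) and how the remote IP is recovered from the key=value structure instead; the `parse_kv` and `vpn_source_ip` helpers are assumptions of this example.

```python
import re

# Constructed sample modelled on the IPSec event quoted in the post
# (REDACTED / x.x.x.x placeholders kept; these are not real addresses).
SAMPLE = ('<29>device="SFW" date=2020-03-16 time=09:54:23 timezone="EDT" '
          'device_name="XG" device_id=REDACTED log_id=062511517801 log_type="Event" '
          'log_component="IPSec" log_subtype="System" status="Established" '
          'priority=Notice user_name="REDACTED" connectionname="IPSEC" connectiontype="0" '
          'localinterfaceip=REDACTED localgateway= localnetwork="0.0.0.0/0" '
          'remoteinterfaceip=REDACTED remotenetwork="x.x.x.x/32" '
          'message="IPSEC - IPSec Connection IPSEC between x.x.x.x and x.x.x.x '
          'established. (Remote: x.x.x.x)"')

# The post's grok pattern expanded into Python regex syntax:
# QUOTEDSTRING -> "[^"]*", WORD -> \w+, SPACE -> \s*, DATA -> .*?, GREEDYDATA -> .*
# (the second "status" capture is renamed because Python forbids duplicate group names).
GROK_AS_REGEX = re.compile(
    r'(status=(?P<status>"[^"]*"))?\s*priority=(?P<priority>\w+)\s*'
    r'(status=(?P<status2>"[^"]*")\s*src_ip=(?P<remoteinterfaceip>.*?))?'
    r'.*message=(?P<system_message>"[^"]*")'
)

# Generic Sophos XG key=value tokenizer: quoted value, or a bare run of non-space chars
# (an empty bare value such as localgateway= is allowed).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def grok_fields(line):
    """Mimic set_fields(grok(..., only_named_captures: true)) on one line.
    Named groups that did not participate in the match are dropped."""
    m = GROK_AS_REGEX.search(line)
    if not m:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


def parse_kv(line):
    """Parse the whole line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def vpn_source_ip(line):
    """For IPSec system events the address to geolocate is remoteinterfaceip,
    so read it by key instead of hunting for a src_ip= token that is never there."""
    fields = parse_kv(line)
    if fields.get("log_component") == "IPSec" and fields.get("log_subtype") == "System":
        return fields.get("remoteinterfaceip")
    return None
```

`grok_fields(SAMPLE)` matches, but its result has no `remoteinterfaceip` key, which is exactly what the simulator trace reported; `vpn_source_ip(SAMPLE)` returns the remote peer value from the same line.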