Trying to use Pipelines to extract values from a field

I’m trying to extract some data from a particular field using Pipelines and while I think I understand it theoretically, I can’t seem to wrap my head around making it happen.

We have a Palo Alto firewall with a VPN. We get logs showing tons of attempted logins from non-allowed users, but all of the data for those fields is locked into one field called vendor_event_description. Here’s an example:

failed authentication for user ‘fakeuser’. Reason: User is not in allowlist. auth profile ‘RSA_Radius_GP’, vsys ‘vsys1’, auth protocol ‘unknown RADIUS authentication protocol’, From: 186.x.x.x.

What I want is to extract the user and the IP address so that we can analyze them and see if we can do anything to limit connection activity. Can anyone explain to me how I can do that? I understand pipelines in concept but I don’t know how I get from “verify the field called vendor_event_description exists” to “extract two fields from the block of text.”

Thanks!

Hey @dannymccaslin

Try playing with the below, change the when clause so that the rule is more targeted.

rule "GROK - Capture IP"
when
  true
then
  // grok() returns a map of the named captures; set_fields() writes each
  // entry onto the message as its own field (here: source_ip)
  set_fields(
    grok(
      pattern: "%{IPV4:source_ip}",
      value: to_string($message.vendor_event_description),
      only_named_captures: true
    )
  );
end
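To show what the grok() call in the rule above actually does with the question's message, here is an added Python example (not part of the thread or of Graylog itself) that expands a grok pattern with %{NAME:field} references into a regex with named groups and runs it over constructed sample lines shaped like the vendor_event_description text. The pattern names USERNAME and IPV4 are taken from the standard grok base set; the sample IPs and the second user are made up.

```python
import re
from typing import Dict, Optional

# Constructed sample values of vendor_event_description, in the shape of
# the line quoted in the question (user names and IPs are made up).
SAMPLE_LINES = [
    "failed authentication for user 'fakeuser'. Reason: User is not in allowlist. "
    "auth profile 'RSA_Radius_GP', vsys 'vsys1', auth protocol "
    "'unknown RADIUS authentication protocol', From: 186.0.2.10.",
    "failed authentication for user 'j.doe'. Reason: User is not in allowlist. "
    "auth profile 'RSA_Radius_GP', vsys 'vsys1', auth protocol "
    "'unknown RADIUS authentication protocol', From: 198.51.100.7.",
    "some unrelated system message with no login details",
]

# Small subset of the grok base patterns, written as Python regexes.
# (Assumption: these mirror the definitions Graylog ships by default.)
GROK_PATTERNS = {
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "DATA": r".*?",
}

# Matches %{NAME} or %{NAME:field} inside a grok pattern string.
_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> re.Pattern:
    """Expand each %{NAME:field} into a named regex group; unnamed
    references become non-capturing groups (only_named_captures)."""
    def repl(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        base = GROK_PATTERNS[name]
        return f"(?P<{field}>{base})" if field else f"(?:{base})"
    return re.compile(_GROK_REF.sub(repl, pattern))


# One pattern that captures both fields the question asks for: the user
# between the single quotes and the IPv4 address after "From:".
LOGIN_FAILURE = grok_to_regex(
    r"failed authentication for user '%{USERNAME:user}'.*From: %{IPV4:source_ip}"
)


def extract_login_fields(description: str) -> Optional[Dict[str, str]]:
    """Return {'user': ..., 'source_ip': ...}, or None when the text does
    not match (in a pipeline, the when-clause should skip such messages)."""
    m = LOGIN_FAILURE.search(description)
    return m.groupdict() if m else None


def failures_per_source(lines) -> Dict[str, int]:
    """Count failed logins per source_ip, as a first analysis step."""
    counts: Dict[str, int] = {}
    for line in lines:
        fields = extract_login_fields(line)
        if fields is None:
            continue
        counts[fields["source_ip"]] = counts.get(fields["source_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_login_fields(line))
    print(failures_per_source(SAMPLE_LINES))
```

The same combined pattern can be dropped into the rule's grok() call in place of "%{IPV4:source_ip}" to set user and source_ip in one pass (assuming the default pattern set defines USERNAME); the literal text around the references is itself regex, so the quotes and the "From:" anchor keep the IP capture from latching onto some other address in the message.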

This got me to where I need to be. I loaded the whole message into the value and was able to extract the value and IP in one move. Thanks!
