Hi BKeep, I already tested the marketplace extractors. But I have this 
issue:
I want to graph more than two values: for example dstip=* and srcip=* and 
subtype=virus action=*

I can't find a regular expression.

Is it possible?
Thanks for your help.

On Thursday, December 8, 2016 at 4:45:37 PM UTC-3, BKeep wrote:
>
> I may be wrong, but that looks like a fortinet/fortigate log. Have you 
> tried looking at the fortigate stuff available in the marketplace for some 
> examples?
>
> https://marketplace.graylog.org/addons/a91344aa-fced-4d1a-928d-f3ded6e5a2f8
> https://marketplace.graylog.org/addons/d41d3728-4722-4de6-b697-71efa579c4e2
>
> I create extractors that will run on the input where the expected logs 
> will flow in.
> What I do to match the src ip is this
> srcip="?([0-9.]+)
>
> What I do to match the dst ip is this
> dstip="?([0-9.]+)
>
> Regards,
> Brandon
>
> On Thursday, December 8, 2016 at 1:06:59 PM UTC-6, Martin Germano wrote:
>>
>>
>>   Maybe, ok I'll try it. Later I will post the expression if I get it.
>>
>> Thanks.
>>
>> On Thursday, December 8, 2016 at 1:58:27 PM UTC-3, Jochen Schalanda wrote:
>>>
>>> Hi Martin,
>>>
>>> your regular expression has to work with Java's regular expression 
>>> engine.
>>>
>>> You can use http://www.regexplanet.com/advanced/java/index.html to 
>>> fiddle around with the regular expression and your message.
>>>
>>> Cheers,
>>> Jochen
>>>
>>> On Thursday, 8 December 2016 17:36:24 UTC+1, Martin Germano wrote:
>>>>
>>>>
>>>>   Hi Jochen, for example this msg:
>>>>
>>>> "date=2016-12-07 time=17:43:01 logid=0262034961 type=utm* 
>>>> subtype=virus* eventtype=scanerror level=notice vd="root" *msg="File* 
>>>> reached uncompressed size limit." action=monitored service=HTTP 
>>>> sessionid=3723464* srcip=1.1.1.1 dstip=2.2.2.2* srcport=17633 
>>>> dstport=80 srcintf="port1" dstintf="port2" proto=6 direction=incoming 
>>>> filename="2017-calendar-template.zip" quarskip=No-skip url="
>>>> http://downloadscdn3.freepik.com/d/911040/1107/1/212/2017-calendar-template.zip?ttl=1481143658&token=24b45d89f0dbd3e92d1fe274ff03cb87";
>>>>  
>>>> profile="default" user="" agent="Mozilla/5.0" 
>>>> analyticscksum="f08144093ffdea250ba225babade9e25e5e9f399dd93bdc21fa9b5fd49efc050"
>>>>  
>>>> analyticssubmit=false crscore=50 crlevel=critical"
>>>>
>>>> I put all matches in bold letters.
>>>>
>>>> Regex: 
>>>> (srcip=)|(dstip=)|(subtype=virus)|(attack=[^\s]+)|(msg=[^\s]+)|(\d{*.}\d)|\b(?:\d{1,3}\.){3}\d{1,3}
>>>>
>>>> I use this online software: http://regexr.com/
>>>>
>>>>
>>>>
>>>> Thanks.
>>>>   
>>>>
>>>>
>>>> On Thursday, December 8, 2016 at 7:25:44 AM UTC-3, Jochen Schalanda 
>>>> wrote:
>>>>>
>>>>> Hi Martin,
>>>>>
>>>>> which message should be matched by this regular expression and what 
>>>>> should be the result in your opinion?
>>>>>
>>>>> It looks a bit strange to me.
>>>>>
>>>>> Cheers,
>>>>> Jochen
>>>>>
>>>>> On Wednesday, 7 December 2016 22:33:42 UTC+1, Martin Germano wrote:
>>>>>>
>>>>>>
>>>>>>   Hi all, I'm a newbie on Graylog:
>>>>>>
>>>>>>   I'm trying to get this regex to work:
>>>>>>
>>>>>>
>>>>>>> (srcip=)|(dstip=)|(subtype=virus)|(attack=[^\s]+)|(msg=[^\s]+)|(\d{*.}\d)|\b(?:\d{1,3}\.){3}\d{1,3}
>>>>>>>
>>>>>>   
>>>>>>   I get this error:
>>>>>>   
>>>>>> *Could not try regular expression. Make sure that it is valid.*
>>>>>>
>>>>>> *Details: Error: cannot POST 
>>>>>> http://10.10.10.10:13900/tools/regex_tester (500)*
>>>>>>
>>>>>>   But when I test this on this online tool, it works fine.
>>>>>>
>>>>>>   https://regex101.com/  (JavaScript)
>>>>>>
>>>>>>   Any ideas?!
>>>>>>   Thanks.
>>>>>>   
>>>>>>
>>>>>>
>>>>>>
>>>>>>
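Not code from the thread or from Graylog, but an added example: this Python script runs per-field patterns in the style Brandon describes over a constructed copy of Martin's FortiGate line, tokenizes all key=value pairs in one pass, and shows why Martin's single alternation regex cannot return several values at once. It assumes Graylog's regex extractor stores only the first capture group.

```python
import re
# Constructed sample: Martin's FortiGate line from the thread, abridged, bold markers removed.
SAMPLE = ('date=2016-12-07 time=17:43:01 logid=0262034961 type=utm subtype=virus '
          'eventtype=scanerror level=notice vd="root" msg="File reached uncompressed '
          'size limit." action=monitored service=HTTP sessionid=3723464 '
          'srcip=1.1.1.1 dstip=2.2.2.2 srcport=17633 dstport=80 srcintf="port1" '
          'dstintf="port2" proto=6 direction=incoming user="" crscore=50 crlevel=critical')

# One pattern per field, in the style of Brandon's srcip="?([0-9.]+). Only syntax shared
# by Java and Python regex is used, so each can be pasted unchanged into a Graylog regex
# extractor (assumed here to keep only capture group 1, hence one extractor per field).
FIELD_PATTERNS = {
    "srcip":   r'srcip="?([0-9.]+)',
    "dstip":   r'dstip="?([0-9.]+)',
    "subtype": r'subtype=(\S+)',
    "action":  r'action=(\S+)',
    "msg":     r'msg="([^"]*)"',   # quoted value, may contain spaces
}

def extract_fields(line, patterns=FIELD_PATTERNS):
    # Run every per-field pattern; return {field: group 1} for those that match.
    out = {}
    for name, pat in patterns.items():
        m = re.search(pat, line)
        if m:
            out[name] = m.group(1)
    return out

# Generic key=value tokenizer (also Java-compatible): quoted value in group 2,
# unquoted in group 3, every field in one pass.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_kv(line):
    # Every key=value pair on the line, surrounding quotes stripped ("" stays "").
    pairs = {}
    for m in KV_RE.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        pairs[m.group(1)] = quoted if quoted is not None else bare
    return pairs

# Martin's regex minus its \d{*.}\d branch: Java rejects that as an illegal repetition,
# which is why Graylog's regex_tester answered 500 while the JavaScript testers passed.
# Even without it, an alternation yields ONE branch per match, so a single extractor
# built this way can never return srcip and dstip together.
THREAD_RE = re.compile(r'(srcip=)|(dstip=)|(subtype=virus)|(attack=[^\s]+)'
                       r'|(msg=[^\s]+)|\b(?:\d{1,3}\.){3}\d{1,3}')

def first_match(line):
    # What Martin's alternation hands back: only the first branch that hits.
    m = THREAD_RE.search(line)
    return m.group(0) if m else None
```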
