On Fri, Jul 8, 2016 at 10:32 PM, Edmundo Alvarez <edmu...@graylog.com> wrote:
> > It's hard to tell what is wrong from here, since we can't exactly see how > your messages look like. Could you share a couple of messages with us? > > Please be aware that at the moment, the "regex" function needs to match > the whole string: > https://github.com/Graylog2/graylog-plugin-pipeline-processor/issues/35 > Sure thing So that rule is attempting to extract any TWO ipv4 addresses detected in any form of syslog message. So to give you some examples of when that occurs, we'll look to Cisco firewalls/routers %ASA-4-106023: Deny tcp src inside:192.168.3.79/57577 dst outside: 54.171.242.51/843 by access-group "acl_inside" [0x2923dc37, 0x0] %ASA-7-710006: EIGRP request discarded from 192.168.23.1 to inside:224.0.0.10 %ASA-4-106023: Deny tcp src inside:192.168.4.52/62508 dst outside: 21.125.185.18/5287 by access-group If I take the regex I wrote in this rule (as per first email), replace '\\' with '\', then the regex works fine via egrep. It's a simple "when, do this" type statement: I can't see what's gone wrong in it I have another pipeline with two rules and it's working just fine - it seems to be the regex in this that is at fault, but I can't see how -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/CAFChrgK8T6t_728ynFmH2ePHMx9dhsFYq4stfk1DVcyrdtCRPw%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
