[graylog2] Re: help with Grok pattern

2016-07-01 Thread kaiser
NUMBER is based on the BASE10NUM variable,

so replace NUMBER with BASE10NUM.

The same for IP: it is based on IPV4 and IPV6.

If you have only IPV4, replace IP with IPV4.


On Friday, 1 July 2016 at 15:05:38 UTC+2, Keamas M wrote:
>
> This looks good now:
>
> I added some additional fields:
>
>
> %{GREEDYDATA:UNWANTED}.*srcIP=%{IP:srcip}\|srcPort=%{NUMBER:srcport}\|srcMAC=%{COMMONMAC:srcmac}\|dstIP=%{IP:dstcip}
>
> This is my output now:
>
> BASE10NUM: 52064
> IPV4: 10.244.134.247
> dstcip: 10.244.134.247
> srcip: 10.244.120.16
> srcmac: 44:1e:a1:44:f7:c8
> srcport: 52064
> Is it also possible to remove the first entry?
>  I don't know why I get this:
>
> BASE10NUM52064
>
>
> On Thursday, 30 June 2016 at 07:18:30 UTC+2, Keamas M wrote:
>>
>> Hey,
>>
>> I log my firewall logs into Graylog.
>>
>> The log file looks like this:
>>
>>
>> <14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info C-WN02-FW 
>> Detect: type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.143|
>> srcPort=52365|srcMAC=00:00:00:00:00:00|dstIP=194.232.104.167|dstPort=80|
>> dstService=|dstIF=port7.910|rule=|info=Normal Operation|
>> srcNAT=80.120.132.156|dstNAT=194.232.154.127|duration=0|count=1|
>> receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user=n600771|
>> protocol=HTTP direct|application=Web browsing|target=steiermark.orf.at|
>> content=|urlcat=Search Engines/Portals
>>
>>
>> I tried to extract the fields with grok patterns; I tried it like this:
>>
>>
>>
>> srcIP=%{IP:srcip}|scrPort=%{NUMBER:srcport}|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}
>>
>> But it does not work; I can only extract the first field. How can I create 
>> the pattern so that I can use all fields?
>> Does anyone have an example for me of how I can use grok patterns to extract this?
>>
>> Or is there any other extraction mechanism which is better to use to 
>> extract this kind of data?
>>
>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/2e45ae1a-f647-4a94-ae40-14150664c69f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[graylog2] Re: help with Grok pattern

2016-07-01 Thread Keamas M
This looks good now:

I added some additional fields:

%{GREEDYDATA:UNWANTED}.*srcIP=%{IP:srcip}\|srcPort=%{NUMBER:srcport}\|srcMAC=%{COMMONMAC:srcmac}\|dstIP=%{IP:dstcip}

This is my output now:

BASE10NUM: 52064
IPV4: 10.244.134.247
dstcip: 10.244.134.247
srcip: 10.244.120.16
srcmac: 44:1e:a1:44:f7:c8
srcport: 52064
Is it also possible to remove the first entry?
 I don't know why I get this:

BASE10NUM52064


On Thursday, 30 June 2016 at 07:18:30 UTC+2, Keamas M wrote:
>
> Hey,
>
> I log my firewall logs into Graylog.
>
> The log file looks like this:
>
>
> <14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info C-WN02-FW 
> Detect: type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.143|
> srcPort=52365|srcMAC=00:00:00:00:00:00|dstIP=194.232.104.167|dstPort=80|
> dstService=|dstIF=port7.910|rule=|info=Normal Operation|
> srcNAT=80.120.132.156|dstNAT=194.232.154.127|duration=0|count=1|
> receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user=n600771|
> protocol=HTTP direct|application=Web browsing|target=steiermark.orf.at|
> content=|urlcat=Search Engines/Portals
>
>
> I tried to extract the fields with grok patterns; I tried it like this:
>
>
>
> srcIP=%{IP:srcip}|scrPort=%{NUMBER:srcport}|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}
>
> But it does not work; I can only extract the first field. How can I create 
> the pattern so that I can use all fields?
> Does anyone have an example for me of how I can use grok patterns to extract this?
>
> Or is there any other extraction mechanism which is better to use to 
> extract this kind of data?
>
>
>

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/7ee5d263-1d42-4738-ac3d-210972de3db1%40googlegroups.com.


[graylog2] Re: help with Grok pattern

2016-07-01 Thread kaiser
Would you try the good command please?

You tried with /| instead of \|

%{GREEDYDATA:UNWANTED}srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}

OR

%{GREEDYDATA:UNWANTED}.*srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/bd694742-ed33-465e-b464-4122841721d5%40googlegroups.com.


[graylog2] Re: help with Grok pattern

2016-07-01 Thread Keamas M



Hi,
Sorry, no success with this:
If I do the single statements it works. If I do it with "/|" I only get the 
second field, like "srcPort".
Also the %{GREEDYDATA:UNWANTED} did not match:

Check the screenshot.

Any other way, or should I try another extractor? If yes, which?
Maybe regular expressions? Can you please tell me how it will look with 
another one which I can try?




>
> On Friday, 1 July 2016 at 10:30:54 UTC+2, kaiser wrote:
>>
>> Can you try:
>>
>> srcIP=%{IP:srcip} 
>>
>> then 
>>
>> scrPort=%{NUMBER:srcport}
>>
>> Is there any error on those patterns?
>>
>> If no errors are displayed can you try:
>> %{GREEDYDATA:UNWANTED}srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}
>>
>>
>>
>> On Friday, 1 July 2016 at 09:19:53 UTC+2, Keamas M wrote:
>>>
>>> I also tried to escape it with the \ and / and so on... but it does 
>>> not work.
>>> I always get this message when I press try:
>>>
>>> Attention
>>> We were not able to run the grok extraction. Please check your 
>>> parameters.
>>>
>>> See the screenshot in the attachment.
>>>
>>>
>>>
>>>
>>>
>>> On Thursday, 30 June 2016 at 09:23:11 UTC+2, kaiser wrote:

 '|' stands for a logical OR, so you have to escape it with '\|'.


 srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}\|dstIP=%{IP:
 dstip}\|dstPort=%{NUMBER:dstport}

 On Thursday, 30 June 2016 at 07:18:30 UTC+2, Keamas M wrote:
>
> Hey,
>
> I log my firewall logs into Graylog.
>
> The log file looks like this:
>
>
> <14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info 
> C-WN02-FW Detect: type=FWD|proto=TCP|srcIF=port7.101|
> srcIP=10.244.130.143|srcPort=52365|srcMAC=00:00:00:00:00:00|
> dstIP=194.232.104.167|dstPort=80|dstService=|dstIF=port7.910|rule=|
> info=Normal Operation|srcNAT=80.120.132.156|dstNAT=194.232.154.127|
> duration=0|count=1|receivedBytes=0|sentBytes=0|receivedPackets=0|
> sentPackets=0|user=n600771|protocol=HTTP direct|application=Web 
> browsing|target=steiermark.orf.at|content=|urlcat=Search Engines
> /Portals
>
>
> I tried to extract the fields with grok patterns; I tried it like this:
>
>
>
> srcIP=%{IP:srcip}|scrPort=%{NUMBER:srcport}|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}
>
> But it does not work; I can only extract the first field. How can I 
> create the pattern so that I can use all fields?
> Does anyone have an example for me of how I can use grok patterns to extract 
> this?
>
> Or is there any other extraction mechanism which is better to use to 
> extract this kind of data?
>
>
>
>>> 
>>>
>>

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/739d5c61-32d4-4a5c-9b8c-129aa3e8762c%40googlegroups.com.


[graylog2] Re: help with Grok pattern

2016-07-01 Thread Keamas M


On Friday, 1 July 2016 at 10:30:54 UTC+2, kaiser wrote:
>
> Can you try:
>
> srcIP=%{IP:srcip} 
>
> then 
>
> scrPort=%{NUMBER:srcport}
>
> Is there any error on those patterns?
>
> If no errors are displayed can you try:
> %{GREEDYDATA:UNWANTED}srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}
>
>
>
> On Friday, 1 July 2016 at 09:19:53 UTC+2, Keamas M wrote:
>>
>> I also tried to escape it with the \ and / and so on... but it does 
>> not work.
>> I always get this message when I press try:
>>
>> Attention
>> We were not able to run the grok extraction. Please check your parameters.
>>
>> See the screenshot in the attachment.
>>
>>
>>
>>
>>
>> On Thursday, 30 June 2016 at 09:23:11 UTC+2, kaiser wrote:
>>>
>>> '|' stands for a logical OR, so you have to escape it with '\|'.
>>>
>>>
>>> srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}\|dstIP=%{IP:
>>> dstip}\|dstPort=%{NUMBER:dstport}
>>>
>>> On Thursday, 30 June 2016 at 07:18:30 UTC+2, Keamas M wrote:

 Hey,

 I log my firewall logs into Graylog.

 The log file looks like this:


 <14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info 
 C-WN02-FW Detect: type=FWD|proto=TCP|srcIF=port7.101|
 srcIP=10.244.130.143|srcPort=52365|srcMAC=00:00:00:00:00:00|
 dstIP=194.232.104.167|dstPort=80|dstService=|dstIF=port7.910|rule=|
 info=Normal Operation|srcNAT=80.120.132.156|dstNAT=194.232.154.127|
 duration=0|count=1|receivedBytes=0|sentBytes=0|receivedPackets=0|
 sentPackets=0|user=n600771|protocol=HTTP direct|application=Web 
 browsing|target=steiermark.orf.at|content=|urlcat=Search Engines
 /Portals


 I tried to extract the fields with grok patterns; I tried it like this:



 srcIP=%{IP:srcip}|scrPort=%{NUMBER:srcport}|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}

 But it does not work; I can only extract the first field. How can I 
 create the pattern so that I can use all fields?
 Does anyone have an example for me of how I can use grok patterns to extract 
 this?

 Or is there any other extraction mechanism which is better to use to 
 extract this kind of data?



>> 
>>
>

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/3f972908-2d12-4943-88cb-e6646bb1b940%40googlegroups.com.


[graylog2] Re: help with Grok pattern

2016-07-01 Thread kaiser
Can you try:

srcIP=%{IP:srcip} 

then 

scrPort=%{NUMBER:srcport}

Is there any error on those patterns?

If no errors are displayed can you try:
%{GREEDYDATA:UNWANTED}srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}



On Friday, 1 July 2016 at 09:19:53 UTC+2, Keamas M wrote:
>
> I also tried to escape it with the \ and / and so on... but it does not 
> work.
> I always get this message when I press try:
>
> Attention
> We were not able to run the grok extraction. Please check your parameters.
>
> See the screenshot in the attachment.
>
>
>
>
>
> On Thursday, 30 June 2016 at 09:23:11 UTC+2, kaiser wrote:
>>
>> '|' stands for a logical OR, so you have to escape it with '\|'.
>>
>>
>> srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}\|dstIP=%{IP:
>> dstip}\|dstPort=%{NUMBER:dstport}
>>
>> On Thursday, 30 June 2016 at 07:18:30 UTC+2, Keamas M wrote:
>>>
>>> Hey,
>>>
>>> I log my firewall logs into Graylog.
>>>
>>> The log file looks like this:
>>>
>>>
>>> <14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info 
>>> C-WN02-FW Detect: type=FWD|proto=TCP|srcIF=port7.101|
>>> srcIP=10.244.130.143|srcPort=52365|srcMAC=00:00:00:00:00:00|
>>> dstIP=194.232.104.167|dstPort=80|dstService=|dstIF=port7.910|rule=|
>>> info=Normal Operation|srcNAT=80.120.132.156|dstNAT=194.232.154.127|
>>> duration=0|count=1|receivedBytes=0|sentBytes=0|receivedPackets=0|
>>> sentPackets=0|user=n600771|protocol=HTTP direct|application=Web browsing
>>> |target=steiermark.orf.at|content=|urlcat=Search Engines/Portals
>>>
>>>
>>> I tried to extract the fields with grok patterns; I tried it like this:
>>>
>>>
>>>
>>> srcIP=%{IP:srcip}|scrPort=%{NUMBER:srcport}|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}
>>>
>>> But it does not work; I can only extract the first field. How can I 
>>> create the pattern so that I can use all fields?
>>> Does anyone have an example for me of how I can use grok patterns to extract this?
>>>
>>> Or is there any other extraction mechanism which is better to use to 
>>> extract this kind of data?
>>>
>>>
>>>
> 
>

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/1cc952ca-f635-4f61-87d1-897ed7c6eb08%40googlegroups.com.


[graylog2] Re: help with Grok pattern

2016-07-01 Thread Keamas M
I also tried to escape it with the \ and / and so on... but it does not 
work.
I always get this message when I press try:

Attention
We were not able to run the grok extraction. Please check your parameters.

See the screenshot in the attachment.





On Thursday, 30 June 2016 at 09:23:11 UTC+2, kaiser wrote:
>
> '|' stands for a logical OR, so you have to escape it with '\|'.
>
>
> srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}\|dstIP=%{IP:
> dstip}\|dstPort=%{NUMBER:dstport}
>
> On Thursday, 30 June 2016 at 07:18:30 UTC+2, Keamas M wrote:
>>
>> Hey,
>>
>> I log my firewall logs into Graylog.
>>
>> The log file looks like this:
>>
>>
>> <14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info C-WN02-FW 
>> Detect: type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.143|
>> srcPort=52365|srcMAC=00:00:00:00:00:00|dstIP=194.232.104.167|dstPort=80|
>> dstService=|dstIF=port7.910|rule=|info=Normal Operation|
>> srcNAT=80.120.132.156|dstNAT=194.232.154.127|duration=0|count=1|
>> receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user=n600771|
>> protocol=HTTP direct|application=Web browsing|target=steiermark.orf.at|
>> content=|urlcat=Search Engines/Portals
>>
>>
>> I tried to extract the fields with grok patterns; I tried it like this:
>>
>>
>>
>> srcIP=%{IP:srcip}|scrPort=%{NUMBER:srcport}|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}
>>
>> But it does not work; I can only extract the first field. How can I create 
>> the pattern so that I can use all fields?
>> Does anyone have an example for me of how I can use grok patterns to extract this?
>>
>> Or is there any other extraction mechanism which is better to use to 
>> extract this kind of data?
>>
>>
>>


-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/108c1163-0f27-453f-94e5-e4c94e8785e2%40googlegroups.com.


[graylog2] Re: help with Grok pattern

2016-06-30 Thread kaiser
'|' stands for a logical OR, so you have to escape it with '\|'.


srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}\|dstIP=%{IP:
dstip}\|dstPort=%{NUMBER:dstport}

On Thursday, 30 June 2016 at 07:18:30 UTC+2, Keamas M wrote:
>
> Hey,
>
> I log my firewall logs into Graylog.
>
> The log file looks like this:
>
>
> <14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info C-WN02-FW 
> Detect: type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.143|
> srcPort=52365|srcMAC=00:00:00:00:00:00|dstIP=194.232.104.167|dstPort=80|
> dstService=|dstIF=port7.910|rule=|info=Normal Operation|
> srcNAT=80.120.132.156|dstNAT=194.232.154.127|duration=0|count=1|
> receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user=n600771|
> protocol=HTTP direct|application=Web browsing|target=steiermark.orf.at|
> content=|urlcat=Search Engines/Portals
>
>
> I tried to extract the fields with grok patterns; I tried it like this:
>
>
>
> srcIP=%{IP:srcip}|scrPort=%{NUMBER:srcport}|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}
>
> But it does not work; I can only extract the first field. How can I create 
> the pattern so that I can use all fields?
> Does anyone have an example for me of how I can use grok patterns to extract this?
>
> Or is there any other extraction mechanism which is better to use to 
> extract this kind of data?
>
>
>

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/713f8a53-1be4-48b1-9cb5-3c9e350f69d4%40googlegroups.com.
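Both points kaiser makes in this thread (an unescaped '|' is regex alternation, and NUMBER and IP are composed of BASE10NUM and IPV6/IPV4, which is where the stray BASE10NUM and IPV4 fields in the output come from) can be checked against the log line from the original question with the following added example, a toy grok expander of my own and not Graylog's code. It assumes, as a model of what the thread's output shows, that a referenced sub-pattern without a field name becomes a capture named after the pattern unless named_only is set; the pattern definitions are a constructed, simplified subset of the standard grok library.

```python
import re

# Constructed, simplified subset of the standard grok pattern library.
PATTERNS = {
    "BASE10NUM": r"[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "NUMBER": r"(?:%{BASE10NUM})",  # composed of BASE10NUM
    "IPV4": r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
            r"(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}",
    "IPV6": r"(?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}",  # simplified
    "IP": r"(?:%{IPV6}|%{IPV4})",  # composed of IPV6 and IPV4
    "COMMONMAC": r"(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2}",
}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def compile_grok(pattern, named_only=False, _used=None):
    """Expand %{NAME[:field]} references recursively into a Python regex.
    Assumption modelled on the thread's output: a reference without a field
    becomes a capture named after the pattern unless named_only is True."""
    used = {} if _used is None else _used

    def repl(m):
        name, field = m.group(1), m.group(2)
        inner = compile_grok(PATTERNS[name], named_only, used)
        if field:
            return f"(?P<{field}>{inner})"
        if named_only:
            return f"(?:{inner})"
        n = used[name] = used.get(name, 0) + 1  # keep group names unique
        return f"(?P<{name if n == 1 else name + str(n)}>{inner})"

    return GROK_REF.sub(repl, pattern)

def extract(pattern, line, named_only=False):
    """Return the fields a grok pattern extracts from one line, or None."""
    m = re.search(compile_grok(pattern, named_only), line)
    return {k: v for k, v in m.groupdict().items() if v is not None} if m else None

# The log line from the original question, trimmed after dstService.
LOG = ("<14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info C-WN02-FW "
       "Detect: type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.143|srcPort=52365|"
       "srcMAC=00:00:00:00:00:00|dstIP=194.232.104.167|dstPort=80|dstService=|")

# Unescaped '|' is alternation: the first alternative alone satisfies the regex.
UNESCAPED = r"srcIP=%{IP:srcip}|srcPort=%{NUMBER:srcport}|dstIP=%{IP:dstip}"
# '\|' is a literal pipe; NUMBER and IP still leak BASE10NUM and IPV4 as extra fields.
ESCAPED = r"srcIP=%{IP:srcip}\|srcPort=%{NUMBER:srcport}\|srcMAC=%{COMMONMAC:srcmac}\|dstIP=%{IP:dstip}"
# Referencing the base patterns directly leaves nothing nested to leak.
BASE = r"srcIP=%{IPV4:srcip}\|srcPort=%{BASE10NUM:srcport}\|srcMAC=%{COMMONMAC:srcmac}\|dstIP=%{IPV4:dstip}"
```

Note that the literal in the pattern must match the log exactly: the log says srcPort, so the scrPort spelling used earlier in the thread would never match.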