
Update pfSense Extractors.json

Status: Open. Womble-1 opened this issue 6 years ago • 3 comments

Added case-ignore for protocol. I only have lowercase; the rule is uppercase.

Womble-1, Oct 14 '17 19:10

My Graylog/pfSense system is currently down as I'm moving, so I'm unable to test this.

Just looking at the edit you did though, I'm not understanding what "(?i)" prepended to the "UDP" should do. From what I understand that should just be a passive capture of an "i" in front of "UDP". That makes no sense. Can you direct me to something that explains the regex you used there?

Hobadee, Oct 16 '17 20:10

It was a copy-and-paste job from Stack Overflow, I'm afraid. I tried without the question mark and the extractor didn't match on my system. I'll leave you to test properly.

Womble-1, Oct 19 '17 10:10

Doing some testing myself on the following: ^filterlog:\\s+.*,(in|out),4,.*,(?i)UDP,.*$

This will not work; you need to remove a slash: ^filterlog:\s+.*,(in|out),4,.*,(?i)UDP,.*$

You can see the gist of this regex here: https://goo.gl/R288wp

derrickmehaffy, Nov 11 '17 02:11
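What the `(?i)` flag and the doubled backslash actually do, shown as an added example rather than code from this repository: a small Go program that runs the corrected pattern from the thread over constructed filterlog-style lines. Go's RE2 engine, like the Java engine behind Graylog's regex extractor, accepts `(?i)` in the middle of a pattern and turns on case-insensitive matching only for what follows it, so `UDP` also matches `udp` while the `filterlog:` prefix stays case-sensitive. The sample lines, the `udpPatternJSON` constant and the helper names are all assumptions made for this example; the lines only loosely follow pfSense's comma-separated filterlog layout and were not captured from a firewall.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// The corrected pattern from the thread, as typed into a regex tester:
// one backslash before "s". "(?i)" switches on case-insensitive matching
// only from that point onward, so "UDP" also matches "udp".
const udpPattern = `^filterlog:\s+.*,(in|out),4,.*,(?i)UDP,.*$`

// The same pattern as it has to be stored inside a JSON extractors file,
// where each backslash is escaped as "\\" (assumed JSON encoding, to
// illustrate the "remove a slash" remark). Decoding gives back udpPattern.
const udpPatternJSON = `"^filterlog:\\s+.*,(in|out),4,.*,(?i)UDP,.*$"`

var udpRe = regexp.MustCompile(udpPattern)

// Constructed sample lines written for this example (not real captures),
// loosely following pfSense's layout: ...,direction,ip-version,...,protocol,...
var sampleLines = []string{
	// lowercase protocol, as the reporter's pfSense emits it: should match
	"filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,17,udp,60,192.0.2.10,198.51.100.5,5353,5353,40",
	// uppercase protocol, as the original rule expected: should match
	"filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,17,UDP,60,192.0.2.10,198.51.100.5,5353,5353,40",
	// TCP line: must not match
	"filterlog: 5,16777216,,1000000103,em0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.10,198.51.100.5,51234,443,S",
	// IPv6 UDP line: the ip-version field is 6, so ",4," never matches
	"filterlog: 9,16777216,,1000000105,em0,match,pass,in,6,0x00,0x00000,64,UDP,17,60,2001:db8::1,2001:db8::2,5353,5353,40",
	// uppercase prefix: "(?i)" comes after "filterlog:", so the prefix stays case-sensitive
	"FILTERLOG: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,17,udp,60,192.0.2.10,198.51.100.5,5353,5353,40",
}

// MatchUDP reports whether one log line matches the corrected pattern.
func MatchUDP(line string) bool {
	return udpRe.MatchString(line)
}

// PatternFromJSON decodes a JSON string literal (as it would sit in the
// extractors file) and returns the regex text that is actually compiled.
func PatternFromJSON(literal string) (string, error) {
	var pattern string
	if err := json.Unmarshal([]byte(literal), &pattern); err != nil {
		return "", err
	}
	return pattern, nil
}

// CountMatches compiles pattern and returns how many of lines it matches.
// It compiles fresh so the raw JSON text (with "\\s") can be tried as-is:
// that form compiles, but "\\s+" means a literal backslash followed by
// one or more "s", which no filterlog line contains.
func CountMatches(pattern string, lines []string) (int, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return 0, err
	}
	n := 0
	for _, l := range lines {
		if re.MatchString(l) {
			n++
		}
	}
	return n, nil
}

func main() {
	for _, l := range sampleLines {
		fmt.Printf("%-5v %s\n", MatchUDP(l), l)
	}
	decoded, _ := PatternFromJSON(udpPatternJSON)
	n, _ := CountMatches(decoded, sampleLines)
	fmt.Println("decoded JSON pattern matches:", n)
	raw := udpPatternJSON[1 : len(udpPatternJSON)-1] // strip the quotes, keep "\\s"
	n, _ = CountMatches(raw, sampleLines)
	fmt.Println("raw JSON text used as a regex matches:", n)
}
```

Running it prints a match for the two IPv4 UDP lines only, 2 for the decoded pattern and 0 for the undecoded `\\s` form. That is the practical difference between the two regexes in the thread: the doubled backslash belongs in the JSON file, and the single backslash is what the extractor ends up evaluating.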