
Add RFC 5424 extractors, update README #11

Merged (2 commits) Sep 26, 2023

Conversation

@subract (Contributor) commented Jul 2, 2022

When I tried using these extractors in my environment, the timestamps were incorrect (OPNsense was sending timestamps in its local time zone). When I configured OPNsense to send RFC 5424-compliant logs instead, the timestamp issue was fixed, but the extractors could no longer parse the logs, particularly because filterlog was now being parsed out into the application_name field (and therefore was no longer present in the message field). This necessitates instructing Graylog to save the full message, as detailed in the updated README.

I updated the regexes to match the different RFC-compliant format, which looks something like this (example is an IPv6 ICMP message). Note the inclusion of the meta structured data ID - this meant changing the regex to match anything in brackets, not just digits:

<134>1 2022-07-02T17:21:39-05:00 OPNsense.example.com filterlog 26180 - [meta sequenceId="7293"] 21,,,ecd3a310824625d57c6591b804a0956a,vtnet1,match,block,in,6,0x00,0x00000,1,icmp,1,76,fe80::8599:bc52:987b:b32b,ff02::16,truncated-ip6=76

Finally, it appears that OPNsense has switched from sending ipv6-icmp to just icmp, so I fixed that up as well.

Let me know if there's anything I should address, and thanks for developing these extractors!

subract added 2 commits July 2, 2022 16:23
OPNsense is capable of sending RFC 5424-compliant syslog messages when
configured to do so. This ensures timestamps are sent with timezone info
attached, enabling correct timestamps in Graylog. However, since Graylog will
then strip out the "filterlog" header into the "application_name" field, we
must inspect "full_message" instead of "message". The regex also changes, since
the compliant syslogs look different than normal syslogs (as they now include
meta information).

The IPv6 ICMP extractor also experienced a slight formatting change in an
OPNsense update.

Added expanded usage and version information
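The pull request description and the first commit message above both describe the same change in shape: with RFC 5424 enabled, the header carries a timezone-qualified timestamp, an APP-NAME (where "filterlog" now ends up), a process id, and a bracketed structured-data element, and the filterlog CSV payload follows. The Python below is an added example written for this page; it is not the project's Graylog extractor and not the author's regex. It parses the sample line quoted in the description, normalises the timestamp to UTC (the timezone problem the description mentions), matches anything in brackets for the structured-data element, and splits the filterlog payload into columns. The filterlog column names are an assumption based on the public filterlog layout as understood here, not something the page states.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the RFC 5424 line quoted in the pull request description.
SAMPLE = (
    '<134>1 2022-07-02T17:21:39-05:00 OPNsense.example.com filterlog 26180 - '
    '[meta sequenceId="7293"] 21,,,ecd3a310824625d57c6591b804a0956a,vtnet1,match,'
    'block,in,6,0x00,0x00000,1,icmp,1,76,fe80::8599:bc52:987b:b32b,ff02::16,truncated-ip6=76'
)

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
# STRUCTURED-DATA is either "-" or one or more "[...]" elements, so the
# pattern accepts anything inside brackets rather than just digits.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) '
    r'(?P<timestamp>\S+) (?P<hostname>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) '
    r'(?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$'
)

# filterlog column names: an assumed layout, not taken from the page.
COMMON_FIELDS = ['rulenr', 'subrulenr', 'anchor', 'label', 'interface',
                 'reason', 'action', 'direction', 'ipversion']
IP_FIELDS = {
    '4': ['tos', 'ecn', 'ttl', 'id', 'offset', 'flags', 'protonum', 'proto',
          'length', 'src', 'dst'],
    '6': ['class', 'flowlabel', 'hoplimit', 'proto', 'protonum', 'length',
          'src', 'dst'],
}


def parse_rfc5424(line):
    """Split an RFC 5424 line into its header fields and the free-form MSG."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not an RFC 5424 message: %r' % line[:40])
    rec = m.groupdict()
    pri = int(rec['pri'])
    rec['facility'] = pri >> 3   # facility = PRI // 8
    rec['severity'] = pri & 7    # severity = PRI % 8
    return rec


def to_utc(timestamp):
    """Parse the RFC 5424 timestamp (which carries its UTC offset) and normalise to UTC."""
    return datetime.fromisoformat(timestamp).astimezone(timezone.utc)


def parse_filterlog(msg):
    """Split the filterlog CSV payload into named columns plus a protocol-specific remainder."""
    cols = msg.split(',')
    fields = dict(zip(COMMON_FIELDS, cols))
    rest = cols[len(COMMON_FIELDS):]
    ip_fields = IP_FIELDS.get(fields.get('ipversion'), [])
    fields.update(zip(ip_fields, rest))
    fields['extra'] = rest[len(ip_fields):]   # anything after the IP header columns
    return fields


def parse_line(line):
    """Header, UTC timestamp, and filterlog columns when APP-NAME is filterlog."""
    rec = parse_rfc5424(line)
    rec['utc'] = to_utc(rec['timestamp'])
    # With RFC 5424 the "filterlog" tag lives in APP-NAME, not at the start of MSG,
    # which is why a parser has to look at the full message rather than MSG alone.
    rec['filterlog'] = parse_filterlog(rec['msg']) if rec['app'] == 'filterlog' else None
    return rec


if __name__ == '__main__':
    r = parse_line(SAMPLE)
    print(r['utc'].isoformat(), r['hostname'], r['app'], r['sd'])
    print(r['filterlog'])
```

The sample's local-time stamp (17:21:39 at UTC-5) comes out as 22:21:39 UTC, which is the correction the description is after; a line without a trailing UTC offset would fail in `to_utc` rather than silently being taken as local time.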
@ddimick commented Jul 18, 2022

The RFC5424 extractors added by @subract are working for me (thanks!).

@mlazzarotto commented

Working for me as well!

@a1ad commented Feb 10, 2023

Oh nice @subract, thanks for your work. Why is it not merged already...

@netadvanced commented Sep 25, 2023

Thanks for your work @subract, working great for me 👍, and cheers to @IRQ10 for the original work.

@IRQ10 IRQ10 marked this pull request as ready for review September 26, 2023 11:16
@IRQ10 IRQ10 merged commit eaef26a into IRQ10:master Sep 26, 2023