Open uclnj opened 5 years ago
Hey uclnj,
Have a try with the following extractor; if it's fine, I'll include it in the next commit.
-> Please import the following extractor in System/input/manageextractors/action/import...
```json
{
  "extractors": [
    {
      "title": "Proxy HTTP INFO 1AFF-0018",
      "extractor_type": "grok",
      "converters": [],
      "order": 14,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "",
      "extractor_config": {
        "grok_pattern": "^.* %{NOTSPACE:action} %{NOTSPACE:srcif} %{NOTSPACE:dstif} %{NOTSPACE:protocol} %{IPV4:srcip} %{IPV4:dstip} %{BASE10NUM:srcport} %{BASE10NUM:dstport} msg=\"%{DATA:proxy_msg}\" proxy_act=\"%{DATA:proxy_action}\" rule_name=\"%{DATA:rule_name}\"((?:\\s+(geo_src=\"%{DATA:geo_src}\"|geo_dst=\"%{DATA:geo_dst}\")?)|\\()"
      },
      "condition_type": "regex",
      "condition_value": "^.*msg_id=\"1AFF-0018\".*"
    }
  ],
  "version": "3.1.0"
}
```
Looks good - I added a content_type="%{DATA:content_type}" to grab the content type when identified by the proxy. Will the extractor care if there is data there or not? Some proxies report it as content_type="" or content_type="text/html" and content_type="video/MP2T".
Ah, I just missed content_type :-) That's fine if it works for now. Just checked the grok pattern "DATA": it's the regex for .*?, which also matches if nothing is there.
Nearly every extractor is created like that; feel free to contribute. Have a nice day.
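To check what the posted extractor actually captures, and that DATA (.*?) really accepts an empty content_type="", here is an added example that is not part of the thread or of the content pack. It expands the grok pattern by hand into a Python regex (the IPV4 and BASE10NUM base patterns are simplified from Graylog's definitions; no pygrok needed) and runs the extractor's condition plus pattern over the sample line from the issue and a few constructed variants. Where to put content_type is an assumption: the thread says it was added but not where, so this version places it right after rule_name as an optional group so lines without it still match. The geo_dst value "DEU" is a made-up sample, not a real WatchGuard log.

```python
import re

# Graylog's built-in grok base patterns, expanded by hand so this runs on the
# stdlib alone (no pygrok). IPV4 and BASE10NUM are simplified versions of the
# Graylog/logstash definitions; Python's re had no atomic groups before 3.11.
GROK_BASE = {
    "NOTSPACE": r"\S+",
    "IPV4": (r"(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]{1,2})\.){3}"
             r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]{1,2})(?![0-9])"),
    "BASE10NUM": r"(?<![0-9.+-])[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "DATA": r".*?",   # lazy, so it also matches the empty string in content_type=""
}


def grok_to_regex(pattern):
    """Expand %{NAME:field} into a Python named group and %{NAME} into a
    non-capturing group. Unknown pattern names raise KeyError on purpose."""
    def repl(m):
        base = GROK_BASE[m.group(1)]
        return f"(?P<{m.group(2)}>{base})" if m.group(2) else f"(?:{base})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", repl, pattern)


# The extractor's condition and grok pattern as posted in the thread
# (JSON string escaping removed).
CONDITION = re.compile(r'^.*msg_id="1AFF-0018".*')
PATTERN_THREAD = (
    r'^.* %{NOTSPACE:action} %{NOTSPACE:srcif} %{NOTSPACE:dstif} %{NOTSPACE:protocol} '
    r'%{IPV4:srcip} %{IPV4:dstip} %{BASE10NUM:srcport} %{BASE10NUM:dstport} '
    r'msg="%{DATA:proxy_msg}" proxy_act="%{DATA:proxy_action}" rule_name="%{DATA:rule_name}"'
    r'((?:\s+(geo_src="%{DATA:geo_src}"|geo_dst="%{DATA:geo_dst}")?)|\()'
)

# Assumption: the thread says content_type was added but not where. Placing it
# right after rule_name as an *optional* group keeps lines without a
# content_type field (e.g. ones carrying geo_dst instead) matching.
PATTERN_CONTENT_TYPE = PATTERN_THREAD.replace(
    'rule_name="%{DATA:rule_name}"',
    'rule_name="%{DATA:rule_name}"(?: content_type="%{DATA:content_type}")?',
)


def extract(line, grok_pattern):
    """Mimic the Graylog extractor: the condition regex gates the line, then
    the grok pattern is applied. Returns the captured fields as a dict
    (a key with value None means the group was optional and absent), or None
    when the condition or the pattern does not match."""
    if not CONDITION.match(line):
        return None
    m = re.match(grok_to_regex(grok_pattern), line)
    return m.groupdict() if m else None


# Sample input. LINE_HTML is the line from the issue; the others are
# constructed variants of it for the cases discussed in the thread.
PREFIX = (
    'Sep 1 09:24:18 NAME SERIAL (2019-09-01T13:24:18) http-proxy[3376]: '
    'msg_id="1AFF-0018" Allow 0-FIOS 1-Trusted tcp 1.2.3.4 5.6.7.8 65149 80 '
    'msg="ProxyAllow: HTTP Content Type match" proxy_act="Proxy-Rule" rule_name="Default"'
)
LINE_HTML = PREFIX + ' content_type="text/html" (proxy-name-00)'
LINE_EMPTY = PREFIX + ' content_type="" (proxy-name-00)'            # constructed
LINE_VIDEO = PREFIX + ' content_type="video/MP2T" (proxy-name-00)'  # constructed
LINE_GEO = PREFIX + ' geo_dst="DEU" (proxy-name-00)'                # constructed, hypothetical geo value
LINE_OTHER_ID = LINE_HTML.replace('msg_id="1AFF-0018"', 'msg_id="1AFF-0019"')  # constructed, must be skipped

if __name__ == "__main__":
    for name, line in [("html", LINE_HTML), ("empty", LINE_EMPTY),
                       ("video", LINE_VIDEO), ("geo", LINE_GEO), ("other", LINE_OTHER_ID)]:
        print(name, extract(line, PATTERN_CONTENT_TYPE))
```

Running it shows the posted pattern parsing the issue's line without a content_type key, the extended pattern returning content_type as "" for the empty case and "video/MP2T" for the stream case, the geo line still matching with content_type None, and the 1AFF-0019 line being dropped by the condition before the grok pattern runs. If content_type were inserted as a mandatory field instead, the geo line would stop matching, which is the caveat to keep in mind when editing the pattern in Graylog.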
http://www.watchguard.com/help/docs/fireware/12/en-US/log_catalog/index.html#log-messages/proxy_msgs.html?Highlight=1AFF0018
msg_id: 1AFF-0018
```text
Sep 1 09:24:18 NAME SERIAL (2019-09-01T13:24:18) http-proxy[3376]: msg_id="1AFF-0018" Allow 0-FIOS 1-Trusted tcp 1.2.3.4 5.6.7.8 65149 80 msg="ProxyAllow: HTTP Content Type match" proxy_act="Proxy-Rule" rule_name="Default" content_type="text/html" (proxy-name-00)
```
Graylog Version: 3.1
Getting some 30K of these a day.