Grok Pattern for barnyard2 syslog

shookshank · March 27, 2017, 1:05pm

i have the following syslog alerts.

Oct 1 11:59:51 sensor | [SNORTIDS[ALERT]: [sensor-eth1] ] || 2014-10-01 11:59:54.967+-04 1 [1:1000022:1] LOCAL-RULE
Possible login.aspx Brute Force Account Access || web-application-attack || 6 x.x.x.x y.y.y.y || 20175 80 || #012 |

I've attempted writing grok patterns for it but im completely new to them and require someone with better knowledge than me to split them into fields.

Any help would be appreciated.

Thank you

magnusbaeck · March 28, 2017, 6:04am

Have you tried using the grok constructor web site?

system · April 25, 2017, 6:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.