Hey gang. I'm trying to set up GEOIP and I need to pick out the client IP from the message string. Problem is that I need the client IP, and while I think my patch would work, I'm afraid it'll freak out when it sees the second client IP column.
Here, take a look at part of the message:
[security2:error] [pid 18559:tid 140351285200640] [client 123.123.123.123:54654] [client 123.123.123.123] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/content/waf/2.7.3/modsecurity_crs_http_policy.conf"] [line "31"] [id.....
I'm thinking of matching and extracting the client IP like this:

if [message] =~ "\[client " {
  grok {
    match => { "message" => "\[client %{IP:srcip}:%{POSINT:srcport}\]" }
  }
}
Will this work, or what's a better way to take into account the second instance without blowing up?
Thanks!!
-jon
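An added example, not from the thread: a small Python parser that does what the grok pattern above does (first `[client ip:port]` plus the quoted `[key "value"]` fields), run against a constructed line modelled on the one in the post, to show that the second `[client ...]` column, which has no port, is simply not matched rather than breaking the extraction. The sample lines and field names (srcip, srcport) are assumptions for the example.

```python
import re

# Constructed sample, modelled on the ModSecurity/Apache error line in the post
# (the truncated "[id ..." tail is left out rather than guessed).
SAMPLE = ('[security2:error] [pid 18559:tid 140351285200640] '
          '[client 123.123.123.123:54654] [client 123.123.123.123] '
          'ModSecurity: Warning. Match of "within %{tx.allowed_methods}" '
          'against "REQUEST_METHOD" required. '
          '[file "/content/waf/2.7.3/modsecurity_crs_http_policy.conf"] '
          '[line "31"]')

# Constructed line with only the port-less client column, to show the no-match path.
SAMPLE_NO_PORT = ('[security2:error] [pid 1:tid 2] [client 10.0.0.5] '
                  'ModSecurity: Warning. [line "31"]')

# Equivalent of the grok pattern \[client %{IP:srcip}:%{POSINT:srcport}\]
# (IPv4 only here; grok's %{IP} also accepts IPv6). A port is required, so the
# second "[client 123.123.123.123]" column can never satisfy this expression.
CLIENT_RE = re.compile(r'\[client (?P<srcip>(?:\d{1,3}\.){3}\d{1,3}):(?P<srcport>\d+)\]')

# Generic quoted fields such as [file "..."], [line "31"], [id "..."]
FIELD_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<value>[^"]*)"\]')


def parse_modsec_line(line: str) -> dict:
    """Extract srcip/srcport from the first [client ip:port] column and every
    [key "value"] field. Like grok, re.search returns the first match only."""
    out = {}
    m = CLIENT_RE.search(line)
    if m:
        out['srcip'] = m.group('srcip')
        out['srcport'] = int(m.group('srcport'))
    # How many [client ...] columns were present; the extra one is harmless.
    out['client_columns'] = len(re.findall(r'\[client [^\]]+\]', line))
    for f in FIELD_RE.finditer(line):
        out[f.group('key')] = f.group('value')
    return out


if __name__ == '__main__':
    print(parse_modsec_line(SAMPLE))
    # No port anywhere: srcip/srcport are absent, the equivalent of grok
    # tagging the event _grokparsefailure instead of crashing.
    print(parse_modsec_line(SAMPLE_NO_PORT))
```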