Help with parsing similar bit in a message

SigmazGFX · May 8, 2020, 1:45pm

Hey gang. I'm trying to set up GEOIP and I need to pick out he client IP from the message string. problem is that I need the client IP and while I think my patch would work, Im afraid it'll freak out when it sees the second client IP column.
Here, take a look at part of the message:
[security2:error] [pid 18559:tid 140351285200640] [client 123.123.123.123:54654] [client 123.123.123.123] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/content/waf/2.7.3/modsecurity_crs_http_policy.conf"] [line "31"] [id.....

I'm thinking of matching and extracting the client IP like this

if [message] =~ "\[client " { grok { match => { "message" => "\[client \"%{DATA:srcip}:srcport\"%{DATA:srcport}\"\]" }}}

will this work or whats a better way to take into account the second instance without blowing up.

Thanks!!
-jon

SigmazGFX · May 8, 2020, 3:46pm

I think I may have figured it out. I'm just waiting now for some data to come in to verify.
Does this seem correct?

if [message] =~ "\[client " { 
		grok { match => { "message" => [
			"\[client %{DATA:client}\] \[client %{DATA:srcip}\]",
			"\[client %{DATA:srcip}\]"
		]} } }

srcip being the variable I'm sng off to geoid.
Thanks
-jon

system · June 5, 2020, 3:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.