```{index} graylog; extractors, grok, ocserv, postfix, ssh, pam
```

# Примеры использовавшихся экстракторов

Для Beats Input (сюда направляются логи `systemd` с помощью `journalbeat`).

Примечание: экстракторы с `"condition_type": "none"` применяются к каждому сообщению входа, а `\w+` в шаблонах имён пользователей (ssh, ocserv) не захватывает имена, содержащие точку или дефис. В `target_field` экстрактора «ocserv: get user remote IP» осталась опечатка (`oscerv_` вместо `ocserv_`).

```json
{
  "extractors": [
    {
      "title": "Postfix: client IP address",
      "extractor_type": "regex",
      "converters": [],
      "order": 12,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "postfix_client_ip_address",
      "extractor_config": {
        "regex_value": "^[A-Z0-9]{12}\\:\\ client=\\w+\\[(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\\]"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "ssh: get user IP",
      "extractor_type": "regex",
      "converters": [],
      "order": 1,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "ssh_user_IP",
      "extractor_config": {
        "regex_value": "^Accepted publickey for \\w+ from (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})"
      },
      "condition_type": "string",
      "condition_value": "Accepted publickey for"
    },
    {
      "title": "ocserv: get username",
      "extractor_type": "regex",
      "converters": [],
      "order": 3,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "ocserv_username",
      "extractor_config": {
        "regex_value": "^sec-mod: initiating session for user '(\\w+)'"
      },
      "condition_type": "string",
      "condition_value": "sec-mod: initiating session for user"
    },
    {
      "title": "ssh: get username",
      "extractor_type": "regex",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "ssh_username",
      "extractor_config": {
        "regex_value": "^Accepted publickey for (\\w+) from"
      },
      "condition_type": "string",
      "condition_value": "Accepted publickey for"
    },
    {
      "title": "ssh: get user public key sha256",
      "extractor_type": "regex",
      "converters": [],
      "order": 2,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "ssh_user_public_key_sha256",
      "extractor_config": {
        "regex_value": "^Accepted publickey for .* ssh2: \\w+ SHA256:(.*$)"
      },
      "condition_type": "string",
      "condition_value": "Accepted publickey for"
    },
    {
      "title": "Postfix: get message status",
      "extractor_type": "regex",
      "converters": [],
      "order": 9,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "postfix_message_status",
      "extractor_config": {
        "regex_value": ", status=(\\w+) "
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "Postfix: get email recipient",
      "extractor_type": "regex",
      "converters": [],
      "order": 11,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "postfix_email_recipient",
      "extractor_config": {
        "regex_value": "^[A-Z0-9]{12}\\:\\ to=<(\\S+)>,\\ "
      },
      "condition_type": "string",
      "condition_value": ": to=<"
    },
    {
      "title": "Postfix: get message ID",
      "extractor_type": "regex",
      "converters": [],
      "order": 8,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "postfix_queue_message_id",
      "extractor_config": {
        "regex_value": "^([0-9A-F]{12})\\:\\ "
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "ocserv: get session id",
      "extractor_type": "regex",
      "converters": [],
      "order": 7,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "ocserv_user_session_id",
      "extractor_config": {
        "regex_value": " \\(session: (.*)\\)$"
      },
      "condition_type": "string",
      "condition_value": "(session:"
    },
    {
      "title": "ocserv: get connection stats",
      "extractor_type": "json",
      "converters": [],
      "order": 5,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "",
      "extractor_config": {
        "list_separator": ", ",
        "kv_separator": "=",
        "key_prefix": "ocserv_",
        "key_separator": "_",
        "replace_key_whitespace": false,
        "key_whitespace_replacement": "_"
      },
      "condition_type": "string",
      "condition_value": "OCServ Connections"
    },
    {
      "title": "ocserv: get username (2)",
      "extractor_type": "regex",
      "converters": [],
      "order": 4,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "ocserv_username",
      "extractor_config": {
        "regex_value": "\\\\nUser: (\\w+)\\\\nRemote IP:"
      },
      "condition_type": "string",
      "condition_value": "OCServ Connections"
    },
    {
      "title": "ocserv: get user remote IP",
      "extractor_type": "regex",
      "converters": [],
      "order": 6,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "oscerv_user_remote_IP",
      "extractor_config": {
        "regex_value": "\\\\nRemote IP: (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\\\\nServer:"
      },
      "condition_type": "string",
      "condition_value": "OCServ Connections"
    },
    {
      "title": "Postfix: get email sender",
      "extractor_type": "regex",
      "converters": [],
      "order": 10,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "postfix_email_sender",
      "extractor_config": {
        "regex_value": "^[A-Z0-9]{12}\\: from=<(\\S+)>, "
      },
      "condition_type": "string",
      "condition_value": " from=<"
    },
    {
      "title": "Postfix: noqueue - email sender",
      "extractor_type": "regex",
      "converters": [],
      "order": 13,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "postfix_email_sender",
      "extractor_config": {
        "regex_value": "^NOQUEUE: .* from=<(\\S+)>"
      },
      "condition_type": "string",
      "condition_value": "NOQUEUE:"
    },
    {
      "title": "Postfix: noqueue - email recipient",
      "extractor_type": "regex",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "postfix_email_recipient",
      "extractor_config": {
        "regex_value": "^NOQUEUE: .* to=<(\\S+)>"
      },
      "condition_type": "string",
      "condition_value": "NOQUEUE:"
    },
    {
      "title": "ssh: preauth failure - username",
      "extractor_type": "regex",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "ssh_username",
      "extractor_config": {
        "regex_value": "^Connection closed by authenticating user (\\w+)"
      },
      "condition_type": "string",
      "condition_value": "Connection closed by authenticating user"
    },
    {
      "title": "grok pam access denied",
      "extractor_type": "grok",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "",
      "extractor_config": {
        "grok_pattern": "%{WORD:pam_service}\\(%{DATA:pam_service_name}\\): Access denied for user %{USERNAME:username}: %{GREEDYDATA:pam_reason}",
        "named_captures_only": true
      },
      "condition_type": "string",
      "condition_value": "pam_"
    },
    {
      "title": "grok failed password",
      "extractor_type": "grok",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "",
      "extractor_config": {
        "grok_pattern": "Failed password for %{USERNAME:username} from %{IP:source_IP} port %{NUMBER} %{WORD:service_name}",
        "named_captures_only": true
      },
      "condition_type": "string",
      "condition_value": "Failed password"
    }
  ],
  "version": "4.1.10"
}
```