Writing Snort IDS alerts into Graylog

How to send structured Snort IDS alert logs into Graylog

lennartkoopmann

Published

13 Aug 16:42

Last Push

11 Apr 11:22

Comments

alias454 almost 3 years ago

Thanks for showing this one off; it was very helpful. I had one minor problem with this regex. There is an extra colon: after the priority field in my log. It may be due to my use of Suricata or the fact that my logs are coming out of Security Onion.

Either way, this was the regex that worked for me.
^\\[(\\d+):(\\d+):(\\d+)\\] (.+?) \\[Classification: (.+?)\\] \\[Priority: (\\d+)\\]: \\{(.+?)\\} (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})(:(\\d{1,5}))? -> (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})(:(\\d{1,5}))?$

Regards,
Brandon
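As an added illustration (not part of the listing or the comment above), the following Python script runs the commenter's regex over a few constructed alert lines. It uses the same pattern, written as a raw string with single backslashes (the comment shows the doubled backslashes of Graylog's JSON extractor config) and with named groups instead of positional ones; the one behavioural change, assumed here, is that the colon after the priority field is made optional so a single pattern accepts both the plain Snort syslog form and the Suricata/Security Onion form with the extra colon. The sample lines are constructed, not real alerts, and use documentation IP ranges.

```python
import re

# The regex from the comment above, as a Python raw string with named groups.
# The only change is ":?" after the priority field, so the same pattern accepts
# both "[Priority: 2] {TCP}" (Snort syslog) and "[Priority: 2]: {TCP}"
# (the Suricata/Security Onion form described in the comment). Assumption made
# for this example; the comment's regex requires the colon.
SNORT_ALERT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<classification>.+?)\] "
    r"\[Priority: (?P<priority>\d+)\]:? "
    r"\{(?P<proto>.+?)\} "
    r"(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(?P<src_port>\d{1,5}))? -> "
    r"(?P<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(?P<dst_port>\d{1,5}))?$"
)


def parse_alert(line):
    """Parse one alert line into a dict of typed fields, or None if it does not match.

    Ports are None for protocols such as ICMP, where the alert carries no port.
    """
    m = SNORT_ALERT_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "priority"):
        fields[key] = int(fields[key])
    for key in ("src_port", "dst_port"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    return fields


def parse_all(lines):
    """Parse every line; unmatched lines stay as None so parsing gaps are visible."""
    return [parse_alert(line) for line in lines]


# Constructed sample lines (not real alerts): the Snort syslog form, the same
# alert in the Suricata form with the extra colon after the priority, and an
# ICMP alert that has no ports on either side.
SAMPLE_LINES = [
    "[1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 192.0.2.10:80 -> 198.51.100.7:51234",
    "[1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: "
    "{TCP} 192.0.2.10:80 -> 198.51.100.7:51234",
    "[1:2100366:8] GPL ICMP_INFO PING *NIX "
    "[Classification: Misc activity] [Priority: 3]: "
    "{ICMP} 198.51.100.7 -> 192.0.2.10",
]

if __name__ == "__main__":
    for parsed in parse_all(SAMPLE_LINES):
        print(parsed)
```

Keeping the unmatched lines as None rather than dropping them is deliberate: when an extractor silently fails to match, alerts reach Graylog as unparsed text and never show up in dashboards keyed on sid or priority, which is exactly the symptom the comment describes.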
