#1
    Newbie (joined Apr 2018, 9 posts)

    Guide: Untangle with Graylog

    I recently switched over to an Untangle firewall, which has tons of great log data. I noticed there are a couple of old content packs in the marketplace, but it seems they haven’t been maintained and no longer work. I wanted to be able to run searches on the web filter logs so I can better investigate the web traffic on my network, so I figured out a pretty easy way to get this working and thought I’d share.

    Here are the steps:

    1. On the Untangle side, enable remote syslog and send to your Graylog server.
    2. On the Graylog side, make sure you have an input set up for Untangle.
    3. On the input you need to add 2 extractors:

    Extractor 1:
    Select Regex
    Use the following: \s\s+(.*)
    Store field as “json”
    Give it a name

    Extractor 2:
    Select type JSON
    Keep default values
    Do not select “flattened values”

    You can run the tester to confirm, but these steps work great for me. I can now easily search through all my web traffic. The field names aren’t quite as user friendly as they could be, but this approach is much easier than trying to build and maintain a custom JSON file. I’ll probably work on enabling firewall logs and maybe some admin logs as well, but this was my first priority. I didn’t include detailed steps for getting Graylog set up and configured, but their documentation is pretty straightforward. I have it running as a container on my unRAID server.

#2
    Untanglit (joined Dec 2019, 15 posts)

    Hi,

    Do you think these extractions could work on Splunk?

    Thanks.

#3
    Newbie (joined Apr 2018, 9 posts)

    I haven’t used Splunk in a while, but I think you would use the spath command:

    https://docs.splunk.com/Documentatio...eference/Spath


#4
    Untanglit (joined Dec 2019, 15 posts)

    Quote Originally Posted by cpmiller22:
    I haven’t used Splunk in a while, but I think you would use the spath command:

    https://docs.splunk.com/Documentatio...eference/Spath

    Hi friend. I checked my wiki and had totally forgotten that I already found how to "split" the log correctly last year:

    rex "(?<json>\{.+)" | spath input=json | fields - json | rename sessionEvent.* AS * | replace /* with * | eval srcport=CClientPort,dstport=SServerPort

    I don't remember if I found it alone or if I found it on the web.
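    As an added illustration (not code from either poster, Graylog or Splunk), the following Python script walks through what the two extraction approaches in this thread do to one log line: the Graylog regex extractor from post #1 (`\s\s+(.*)` followed by a JSON extractor) and the Splunk pipeline from post #4 (`rex "(?<json>\{.+)" | spath | rename sessionEvent.* AS * | replace /* with * | eval ...`). The sample lines are constructed for the example and only reuse the field names the thread mentions (`sessionEvent`, `CClientPort`, `SServerPort`); the `uri` field and the syslog prefix are made up. It also shows one edge case worth checking in the Graylog tester: RFC 3164 syslog pads single-digit days with a space ("Jan  1"), which is the first two-space run on the line, so the `\s\s+` regex captures the wrong substring on those days, whereas the brace-anchored pattern from post #4 does not care where the JSON starts.

```python
import json
import re

# Constructed sample lines in the shape the thread describes: a syslog prefix,
# whitespace, then a JSON document. Only the sessionEvent field names come
# from the thread; everything else here is made up for the example.
JSON_PART = (
    '{"sessionEvent":{"CClientPort":51234,"SServerPort":443},'
    '"uri":"/index.html"}'
)
LINE_DAY10 = "Jan 10 12:00:00 untangle uvm[1234]: WebFilterEvent  " + JSON_PART
# RFC 3164 pads single-digit days with a space, so "Jan  1" already contains
# two consecutive spaces before the JSON part.
LINE_DAY1 = "Jan  1 12:00:00 untangle uvm[1234]: WebFilterEvent  " + JSON_PART

# Extractor 1 from post #1: everything after the first run of 2+ whitespace.
WHITESPACE_RE = re.compile(r"\s\s+(.*)")
# The rex pattern from post #4: everything from the first "{" onwards.
BRACE_RE = re.compile(r"(?P<json>\{.+)")


def extract_json_text(line, pattern):
    """Return the substring the regex extractor would store as 'json', or None."""
    m = pattern.search(line)
    return m.group(1) if m else None


def spath_like(obj, prefix=""):
    """Flatten nested JSON into dotted field names, the way Splunk's spath does."""
    fields = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            fields.update(spath_like(value, name + "."))
        else:
            fields[name] = value
    return fields


def parse_line(line, pattern=BRACE_RE):
    """Emulate the post #4 pipeline on one line; None if extraction fails."""
    text = extract_json_text(line, pattern)
    if text is None:
        return None
    try:
        obj = json.loads(text)
    except json.JSONDecodeError:
        # The regex captured something that is not JSON, e.g. "1 12:00:00 ..."
        # when the whitespace regex hits a padded syslog day first.
        return None
    fields = spath_like(obj)
    # rename sessionEvent.* AS *  -> drop the "sessionEvent." prefix
    fields = {
        (k[len("sessionEvent."):] if k.startswith("sessionEvent.") else k): v
        for k, v in fields.items()
    }
    # replace /* with *  -> strip one leading slash from string values
    fields = {
        k: (v[1:] if isinstance(v, str) and v.startswith("/") else v)
        for k, v in fields.items()
    }
    # eval srcport=CClientPort, dstport=SServerPort
    if "CClientPort" in fields:
        fields["srcport"] = fields["CClientPort"]
    if "SServerPort" in fields:
        fields["dstport"] = fields["SServerPort"]
    return fields  # "fields - json": the raw JSON text is never kept


if __name__ == "__main__":
    for label, line in (("day 10", LINE_DAY10), ("day 1", LINE_DAY1)):
        print(label, "whitespace regex:", parse_line(line, WHITESPACE_RE))
        print(label, "brace regex:     ", parse_line(line, BRACE_RE))
```

    Running it shows both patterns succeed on the "Jan 10" line, while the whitespace pattern returns None on the "Jan  1" line and the brace pattern still yields `srcport`/`dstport`. If you keep the Graylog regex from post #1, paste a line from the first nine days of a month into the extractor tester to confirm the syslog prefix on your Untangle version does not trip it.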
