Hello,
I've tried to get an extractor for IPv6 working to no avail and was curious if anyone else has it working.
Started with https://github.com/jbsky/graylog/blob/main/extractors.json which works for all IPv4 and most IPv6 traffic, but none of the IPv6 ICMP.
{
  "title": "pfSense filterlog: IPv6 ICMP",
  "extractor_type": "regex",
  "converters": [
    {
      "type": "csv",
      "config": {
        "trim_leading_whitespace": false,
        "column_header": "RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,ProtocolID,Protocol,Offset,Length,SourceIP,DestIP,Headers,bourage,ICMP_Type,Flags,unknown_end_field"
      }
    }
  ],
  "order": 0,
  "cursor_strategy": "copy",
  "source_field": "message",
  "target_field": "FilterData",
  "extractor_config": {
    "regex_value": "^(.*)$"
  },
  "condition_type": "regex",
  "condition_value": "(.*?),(in|out),6,0x[0-9a-f]+,0x[0-9a-f]+,.*?,ICMPv6,58,.*$"
}
Any suggestions? The extractor works in test mode.
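As an added offline check that is not part of the original post: the condition regex and the CSV column header from the extractor above, applied in Python to constructed filterlog lines, so you can see which lines the condition accepts and how the columns line up with the fields. The sample lines are constructed to fit the regex, not captured from a real pfSense box, and the assumption that Graylog evaluates the condition as an unanchored search is noted in the code.

```python
import csv
import re

# Condition regex copied from the post's "condition_value" (Java syntax, also valid Python re).
CONDITION = re.compile(r"(.*?),(in|out),6,0x[0-9a-f]+,0x[0-9a-f]+,.*?,ICMPv6,58,.*$")

# Column header copied from the post's CSV converter config.
COLUMNS = (
    "RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,"
    "IPVersion,TOS,ECN,ProtocolID,Protocol,Offset,Length,SourceIP,DestIP,Headers,"
    "bourage,ICMP_Type,Flags,unknown_end_field"
).split(",")

# Constructed sample messages (not real pfSense output): one ICMPv6 line shaped to satisfy
# the condition, one IPv4 ICMP line and one IPv6 TCP line that the condition must reject.
SAMPLE_ICMPV6 = "5,,,1000000103,em0,match,block,in,6,0x00,0x00000,255,ICMPv6,58,32,fe80::1,ff02::1,,,135"
SAMPLE_IPV4 = "5,,,1000000103,em0,match,block,in,4,0x0,,64,12345,0,none,1,icmp,84,192.0.2.1,198.51.100.2,request,1,2"
SAMPLE_IPV6_TCP = "5,,,1000000103,em0,match,pass,out,6,0x00,0x00000,64,TCP,6,40,2001:db8::1,2001:db8::2,S,1,2"


def parse_filterlog_icmpv6(message):
    """Return the message's fields keyed by COLUMNS, or None when the condition does not match.

    Assumption: Graylog applies the condition as an unanchored search over the whole message;
    with the leading (.*?) group the result is the same as an anchored match here.
    """
    if not CONDITION.search(message):
        return None
    fields = next(csv.reader([message]))  # one comma-separated row, empty fields kept
    parsed = dict(zip(COLUMNS, fields))
    # The header has 22 names; a message with more or fewer fields silently shifts or
    # drops columns in Graylog, so surface the mismatch explicitly.
    parsed["_extra_fields"] = fields[len(COLUMNS):]
    parsed["_missing_columns"] = COLUMNS[len(fields):]
    return parsed


if __name__ == "__main__":
    for line in (SAMPLE_ICMPV6, SAMPLE_IPV4, SAMPLE_IPV6_TCP):
        result = parse_filterlog_icmpv6(line)
        print("match" if result else "no match", "->", line[:40])
        if result:
            print("  missing columns:", result["_missing_columns"])
```

Running this against a real message copied from the Graylog search view (rather than the constructed sample) is the quickest way to see whether the condition or the column count is what differs between test mode and live input.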