APC syslog pattern?

#1

After an update to Schneider APC Switched Rack PDU OS version v6.7.2 and v6.6.4, Graylog is unable to parse the message. I’m guessing APC isn’t following standards.

Does anyone have a GROK pattern or Regex for APC? The raw tcp messages look like these:

<12>May 15 11:05:54 apc-pdu-1.company.com Detected an unauthorized user attempting to access the Web interface from 10.1.1.8. 0x0006

<14>May 15 11:42:31 apc-pdu-1.company.com Network Interface restarted. 0x0002

<12>2019-05-15 11:04:37 apc-pdu-1.company.com APC: Test Syslog.

(Jan Doberstein) #2

I would send the messages to a RAW input first just to get them all.

After that create a pattern yourself - at least the basics for the date and PDU name should not be a problem to parse.
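A parser along the lines Jan suggests, added here as an example for this thread (it is not Graylog's or APC's code). It handles both line shapes quoted in the first post: the BSD-style `May 15 11:05:54` timestamp and the ISO-style `2019-05-15 11:04:37` one, a trailing hex event code that is present on some lines and absent on others, and the `<PRI>` prefix, which it splits into facility and severity the way RFC 3164 defines them. The three sample lines are the ones from the first post; the Grok pattern at the top is an assumed equivalent for a Graylog Grok extractor and was not tested against Graylog here, and the `unauthorized_web_access_sources` helper is a constructed illustration of what you can do once the message is parsed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines as quoted in the first post of the thread.
SAMPLE_LINES = [
    "<12>May 15 11:05:54 apc-pdu-1.company.com Detected an unauthorized user "
    "attempting to access the Web interface from 10.1.1.8. 0x0006",
    "<14>May 15 11:42:31 apc-pdu-1.company.com Network Interface restarted. 0x0002",
    "<12>2019-05-15 11:04:37 apc-pdu-1.company.com APC: Test Syslog.",
]

# Assumed Graylog Grok equivalent of the regex below (untested against Graylog).
# SYSLOGTIMESTAMP covers "May 15 11:05:54", TIMESTAMP_ISO8601 covers "2019-05-15 11:04:37".
APC_GROK = (
    r"^<%{POSINT:pri:int}>"
    r"(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp}) "
    r"%{HOSTNAME:host} "
    r"(?<message>.*?)(?: (?<event_code>0x[0-9A-Fa-f]{4}))?$"
)

# Python regex used by the parser. The message group is lazy so that the
# optional trailing event code is not swallowed into the message text.
APC_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>"
    r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}"   # BSD style, e.g. "May 15 11:05:54"
    r"|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"           # ISO style, e.g. "2019-05-15 11:04:37"
    r") "
    r"(?P<host>\S+) "
    r"(?P<message>.*?)"
    r"(?: (?P<event_code>0x[0-9A-Fa-f]{4}))?$"
)

# RFC 3164 severity values 0..7.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Source IP in "... from 10.1.1.8." style messages (constructed helper pattern).
SOURCE_IP_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class ApcEvent:
    pri: int
    facility: int
    severity: int
    timestamp: str
    host: str
    message: str
    event_code: Optional[str]


def severity_name(severity: int) -> str:
    return SEVERITY_NAMES[severity]


def parse_apc_syslog(line: str) -> Optional[ApcEvent]:
    """Parse one APC PDU syslog line; return None if it does not match."""
    m = APC_SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    # PRI = facility * 8 + severity; facilities run 0..23, so 191 is the maximum.
    if pri > 191:
        return None
    return ApcEvent(
        pri=pri,
        facility=pri // 8,
        severity=pri % 8,
        timestamp=m.group("timestamp"),
        host=m.group("host"),
        message=m.group("message"),
        event_code=m.group("event_code"),
    )


def parse_all(lines: List[str]) -> List[Optional[ApcEvent]]:
    return [parse_apc_syslog(line) for line in lines]


def unauthorized_web_access_sources(events: List[Optional[ApcEvent]]) -> List[str]:
    """Collect source IPs from 'unauthorized user' messages, for alerting or review."""
    sources = []
    for ev in events:
        if ev is None or "unauthorized user" not in ev.message:
            continue
        ip = SOURCE_IP_RE.search(ev.message)
        if ip:
            sources.append(ip.group("ip"))
    return sources


if __name__ == "__main__":
    parsed = parse_all(SAMPLE_LINES)
    for ev in parsed:
        print(ev, severity_name(ev.severity) if ev else "unparsed")
    print("unauthorized web access from:", unauthorized_web_access_sources(parsed))
```

Sending the lines to a raw input first, as Jan suggests, lets you confirm the shapes before committing to a pattern; the severity split is what lets you route `<12>` (user facility, warning) lines differently from `<14>` (user facility, info) lines.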

#3

Thanks Jan. That’s what I planned on doing. Just wanted to check if anyone else had already done it.
Read the Twitter post from Graylog about the “APC extractor” when looking into it and figured I would ask first since the link is dead.