I have a cleanly set up Graylog server.
OS: Ubuntu 20.06 LTS
Elasticsearch: 6
Graylog (copied from page bottom): Graylog 3.3.2+ade4779 on graylog (Private Build 1.8.0_252 on Linux 5.4.0-42-generic)
This is a clean rebuild of an old Graylog2 server I originally had running on OVA. I’m attempting to set things back up how I had them.
I had created an input for Meraki access points to send in syslog messages. I remembered from experience that the Syslog parser in Graylog doesn’t work with Meraki devices (tested this, it’s still true), so I set up the input as a raw UDP input.
Messages show up just fine from the access points until I apply any extractor to the input. I’m attempting to use the “Split and index” extractor to get the AP hostname and event log type (assuming I get this working I’ll also be doing key=value to get the rest of the info).
Applying an extractor stops any messages from the APs showing up in searches. As soon as I delete the extractor(s) so there are none on the input, messages show up again.
Is there something I’m doing wrong or some caveat I’m missing? I know I’m doing this mostly from memory but all the tests succeeded in the extractor setup.
Thanks for any suggestions.
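To make the two extraction steps the post describes concrete, here is an added example (not code from the post or from Graylog) that reproduces "Split and index" and key=value extraction in plain Python over constructed Meraki-style syslog lines. The sample lines are made up, not captured from the poster's network; the 0-based index convention in split_and_index is an assumption (check the extractor's own help text for whether Graylog counts parts from 0 or 1). Running the same logic outside Graylog lets you confirm what each extractor should produce before blaming the input.

```python
import re

# Constructed sample lines (not captured from the poster's network) in the
# layout Meraki access points use for syslog:
#   <epoch timestamp> <device name> <log type> key=value key='value' ...
SAMPLE_LINES = [
    "1595000000.123456 AP-Lobby events type=association radio='0' vap='1' channel='6' rssi='57' aid='1234567890'",
    "1595000001.654321 AP-Lobby events type=disassociation radio='0' vap='1' channel='6' reason='1' aid='1234567890'",
    "1595000002.000000 AP-Warehouse urls src=192.168.1.10:51234 dst=93.184.216.34:443 mac=AA:BB:CC:DD:EE:FF agent='curl/7.68' request: GET https://example.com/",
]

# key=value, key='value' or key="value"; bare values may contain ':' and '/'
KV_RE = re.compile(r"(\w+)=(?:'([^']*)'|\"([^\"]*)\"|(\S+))")


def split_and_index(message, index, delimiter=" "):
    """Split the message on delimiter and return the part at a 0-based index.

    Returns None when the index is out of range, so a short or malformed
    line yields no field instead of raising. The 0-based convention is an
    assumption here; Graylog's extractor help text is authoritative.
    """
    parts = message.split(delimiter)
    if index < 0 or index >= len(parts):
        return None
    return parts[index]


def key_value_pairs(message):
    """Return every key=value pair as a dict, stripping single or double quotes."""
    pairs = {}
    for m in KV_RE.finditer(message):
        key, single, double, bare = m.groups()
        if single is not None:
            pairs[key] = single
        elif double is not None:
            pairs[key] = double
        else:
            pairs[key] = bare
    return pairs


def extract_fields(message):
    """Apply the two steps in the order the post describes:
    split & index for AP name (part 1) and log type (part 2), then key=value."""
    fields = {
        "ap_name": split_and_index(message, 1),
        "log_type": split_and_index(message, 2),
    }
    fields.update(key_value_pairs(message))
    return fields


def check_samples(lines=SAMPLE_LINES):
    """Return the lines for which extraction failed to produce both
    ap_name and log_type; an empty list means every sample extracted."""
    failed = []
    for line in lines:
        fields = extract_fields(line)
        if not fields.get("ap_name") or not fields.get("log_type"):
            failed.append(line)
    return failed


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_fields(line))
    print("failed:", check_samples())
```

Feed it a few real lines from your own APs (replace SAMPLE_LINES) and compare the dict it returns with the fields the extractor test dialog shows; if the standalone parse succeeds on every line but the messages still vanish once the extractor is attached, the problem is downstream of the parsing itself.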