Cisco Logs | Graylog

(Itsmebalaji) #1

Dear Graylog Team ,

Is there any way to make Cisco logs more comfortable to work with in Graylog, through any plugins?

For example, if I am getting authentication failure logs, how do I extract source, destination, port and user ID from the message and send an alert via mail?

Is there any way to customise the email alert rather than sending it in full? Can we make it in a summarised manner?

Please help me with this.

(Andrea) #2

Maybe this can help:

(Itsmebalaji) #3

Hey Zionio,

I was able to receive Cisco messages from syslog into Graylog. I want to extract source IP and destination IP from the message; can I know how?

(Jan Doberstein) #4

For that you use extractors or the processing pipeline.

(Andrea) #5

As @jan said, you can check on the GL marketplace.

Hope this helps :thinking:

(Itsmebalaji) #6

Already tried this, no use.

(Itsmebalaji) #7

I have tried, but I am unable to extract source IP and destination from a single message.

One log example: 334: Jan 12 15:43:55.889 IST: %SW_MATM-4-MACFLAP_NOTIF: Host 10f3.1149.2f20 in vlan 862 is flapping between port Gi0/26 and port Gi0/25

Please help me with the extraction of source IP, MAC address, VLAN and ports.

(Andrea) #8

Based on the log example, you can create a GROK extractor with:

%{IPV4:source_ip} %{GREEDYDATA} Host %{DATA:mac_address} in vlan %{INT:vlan} is flapping between port %{GREEDYDATA:port_a} and port %{GREEDYDATA:port_b}

Remember to check: Named captures only

Hope this helps :thinking:
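An added, stand-alone example (not code from the thread or from Graylog) showing the same extraction done in Python so the GROK logic can be checked offline: it splits the Cisco IOS syslog header (sequence number, timestamp, timezone, %FACILITY-SEVERITY-MNEMONIC) from the message body, then applies a regex equivalent of the GROK pattern above keyed by mnemonic. The sample line is constructed from the one quoted in the thread; the MAC pattern is tightened to Cisco dotted-hex instead of %{DATA}, and `source_ip` is not parsed here because the quoted line carries no IP (in Graylog the sending host lands in the `source` field of the syslog input).

```python
import re

# Constructed sample, copied from the log line quoted earlier in the thread.
SAMPLE = ("334: Jan 12 15:43:55.889 IST: %SW_MATM-4-MACFLAP_NOTIF: "
          "Host 10f3.1149.2f20 in vlan 862 is flapping between port Gi0/26 and port Gi0/25")

# Cisco IOS syslog header: optional sequence number, timestamp, timezone,
# then %FACILITY-SEVERITY-MNEMONIC: followed by the free-text body.
HEADER = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?)\s+"
    r"(?P<tz>[A-Z]{3,5}):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<text>.*)$"
)

# Regex equivalent of the GROK pattern suggested above, keyed by mnemonic so
# other message types can be added without touching the header parser.
# A dotted-hex MAC replaces %{DATA}, so a malformed host field will not match.
BODY_PATTERNS = {
    "MACFLAP_NOTIF": re.compile(
        r"^Host (?P<mac_address>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
        r"in vlan (?P<vlan>\d+) is flapping between port (?P<port_a>\S+) "
        r"and port (?P<port_b>\S+)$"
    ),
}

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]


def parse_cisco_log(line):
    """Return a dict of extracted fields, or None if the header does not match.

    Header fields are always present; body fields are added only when a pattern
    exists for the mnemonic and matches, so a partially parsed line is still
    usable for alerting on facility and severity alone.
    """
    m = HEADER.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    fields["severity_name"] = SEVERITY_NAMES[fields["severity"]]
    body = BODY_PATTERNS.get(fields["mnemonic"])
    if body:
        bm = body.match(fields["text"])
        if bm:
            fields.update(bm.groupdict())
    return fields


if __name__ == "__main__":
    for key, value in parse_cisco_log(SAMPLE).items():
        print(f"{key}: {value}")
```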

(Itsmebalaji) #9

Ziono, I have applied the GROK pattern, but it is not displaying in the Graylog main page field values.

(Andrea) #10

Can you show me a log example that did not match the GROK pattern you created?

(Itsmebalaji) #11

It has started working. Is it possible to send the GROK fields in the email alert?

I mean, I have extracted specific fields from the message; is it possible to send only these fields in the email alert?

Thanks & Regards,

(system) closed #12

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.