Hello community,
I’m just trying to figure out how to get it right and someone might have an idea.
We get logs that look like this from a web application firewall:
Header (information about the attack like a unique ID etc.)
Message: xxx
Message: yyy
Message: zzz
Apache-ERROR: xxx
Apache-ERROR: yyy
Apache-ERROR: zzz
End (Timestamps, Stopwatch, etc)
Message xxx and Apache-ERROR xxx belong together.
The number of messages about Apache errors can vary from 1 to n.
Now I want to split them into their own messages like this:
Header (information about the attack like a unique ID etc.)
Message: xxx
Apache-ERROR: xxx
End (Timestamps, Stopwatch, etc)
Header (information about the attack like a unique ID etc.)
Message: yyy
Apache-ERROR: yyy
End (Timestamps, Stopwatch, etc)
and so on.
I know I can do it with the “create_message” function in the pipeline.
And cut it with regex and regex_replace.
Best would be something like a loop or so, but that is not possible in Graylog.
Does anyone have an idea?
Regards
Tobias
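As an added illustration of the split the post asks for (this is not code from the thread or from Graylog, but an example written here), the Python function below pairs the i-th Message line with the i-th Apache-ERROR line and copies the header and trailer onto every resulting event; the sample event, its field names and values are constructed, and a header spanning several lines is assumed to be everything before the first paired line.

```python
from typing import List

PAIRED_PREFIXES = ("Message:", "Apache-ERROR:")

# Constructed sample in the shape the post describes; the header and
# trailer fields are made up, not taken from any real WAF.
SAMPLE_EVENT = """\
Header: id=WAF-0001 client=203.0.113.5 rule=942100
Message: xxx
Message: yyy
Message: zzz
Apache-ERROR: xxx
Apache-ERROR: yyy
Apache-ERROR: zzz
End: ts=2024-05-01T10:00:00Z stopwatch=12ms
"""


def split_waf_event(raw: str) -> List[str]:
    """Split one combined WAF event into one event per Message/Apache-ERROR pair.

    The i-th 'Message:' line is paired with the i-th 'Apache-ERROR:' line
    (positional pairing, as the post states). Every line before the first
    paired line is the header, every line after the last paired line is the
    trailer; both are copied onto each output event so the unique ID and the
    timestamps stay attached to every piece.
    """
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    msg_idx = [i for i, ln in enumerate(lines) if ln.startswith("Message:")]
    err_idx = [i for i, ln in enumerate(lines) if ln.startswith("Apache-ERROR:")]
    if not msg_idx and not err_idx:
        return [raw]  # nothing to split; pass the event through unchanged
    if len(msg_idx) != len(err_idx):
        # Refuse to guess: a misaligned pair would attach the wrong error to a message.
        raise ValueError(f"unbalanced event: {len(msg_idx)} Message vs {len(err_idx)} Apache-ERROR")
    first = min(msg_idx[0], err_idx[0])
    last = max(msg_idx[-1], err_idx[-1])
    header, trailer = lines[:first], lines[last + 1:]
    stray = [ln for ln in lines[first:last + 1] if not ln.startswith(PAIRED_PREFIXES)]
    if stray:
        # Unknown lines inside the paired block are reported, never silently dropped.
        raise ValueError(f"unexpected lines between Message and Apache-ERROR blocks: {stray}")
    return [
        "\n".join(header + [lines[m], lines[e]] + trailer)
        for m, e in zip(msg_idx, err_idx)
    ]
```

The same positional pairing is what a pipeline rule would have to reproduce with create_message; the checks for unbalanced or stray lines are the cases a regex-only split tends to get wrong.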