Dropping random field names generated by Sonicwall CEF input

Hi,
New to Graylog so apologies upfront. I am using v3.2.4 (latest) and have 5 Sonicwalls sending Arcsight CEF formatted logs to my input.
I am receiving messages from the SonicWall like this:

[screenshot: GL Message]

I would like to drop these fields as it’s causing indexing issues when the max field number is surpassed.

I have looked at extractors and pipeline rules but nothing I see/googled allows a regex search for field names to act on, only values. And my understanding is that to drop fields, you have to declare the field name, which changes in each case with the IP address that gets modified and put into the field name.

I have attempted to remove those items on the Sonicwall side of the equation, but they continue to send, regardless of setting. (yes, lame product)

Is there any way to drop a field without a specific field name/field name is constantly changing?

Hey @beast,

it is not possible to define fields by regex or with a whitelist. To what kind of input did you send the messages? You might want to send it to a RAW input and use the processing pipeline to select only the fields you want to store and drop all other fields.

That is just an idea.
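The whitelist approach suggested above, worked through as an added example (this is not code from the thread or from Graylog itself): a small Python CEF parser that splits the header on unescaped pipes, tokenises the extension into key=value pairs while honouring the CEF escapes (`\|`, `\=`, `\\`), and then either keeps only a fixed list of field names or drops every field whose name matches a regex, which covers both the "list of fields to keep" and the "field name contains an IP address" cases. The sample record, its SonicWall-looking header values and the two `10.0.0.5_hits` / `192.0.2.7_bytes` keys are constructed stand-ins for the per-IP field names described above, not real SonicWall output. The same logic could sit in a relay between the firewalls and a RAW input, or simply serve as a reference for what the pipeline has to achieve.

```python
import re
from typing import Dict, List, Optional, Pattern, Set

# Constructed sample (not from the thread). The *_hits / *_bytes keys are
# hypothetical stand-ins for extension keys that embed a changing IP address.
SAMPLE_CEF = (
    r"CEF:0|SonicWall|SonicOS|6.5|1235|Connection\|Open|3|"
    r"src=10.0.0.5 spt=51234 dst=192.0.2.7 dpt=443 proto=tcp "
    r"msg=Policy\=Allow src\\dst 10.0.0.5_hits=12 192.0.2.7_bytes=5120"
)

# The seven CEF header positions; "CEF:" is stripped from the first one.
HEADER_FIELDS = ["cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity"]

# Example whitelist of extension keys worth indexing (assumption, not from the thread).
KEEP_FIELDS: Set[str] = {"src", "spt", "dst", "dpt", "proto", "msg"}
# Example blacklist: any key that starts with a dotted-quad followed by "_".
IP_PREFIXED: Pattern[str] = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}_")
# An extension key is a run of key characters followed by "=", at the start
# of the extension or right after a space. An escaped "\=" never matches
# because the character before "=" would be a backslash.
EXT_KEY = re.compile(r"(?:^|(?<= ))([A-Za-z0-9_.\-]+)=")


def _split_unescaped(text: str, sep: str, maxsplit: int) -> List[str]:
    """Split on `sep` unless it is backslash-escaped; escapes are kept for later."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep "\x" intact for _unescape
            i += 2
            continue
        if c == sep and len(parts) < maxsplit:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    """Resolve CEF escapes: \\\\ -> \\, \\= -> =, \\| -> |, \\n / \\r -> newline / CR."""
    def repl(m: "re.Match[str]") -> str:
        ch = m.group(1)
        return {"n": "\n", "r": "\r"}.get(ch, ch)
    return re.sub(r"\\(.)", repl, value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Turn 'k1=v1 k2=v2 ...' into a dict; a value runs until the next key."""
    matches = list(EXT_KEY.finditer(ext))
    out: Dict[str, str] = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].rstrip(" "))
    return out


def parse_cef(line: str) -> Dict[str, str]:
    """Parse one CEF record into header fields plus extension fields."""
    parts = _split_unescaped(line.rstrip("\r\n"), "|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header_values = [parts[0][len("CEF:"):]] + parts[1:7]
    fields = {name: _unescape(v) for name, v in zip(HEADER_FIELDS, header_values)}
    fields.update(parse_extension(parts[7]))
    return fields


def filter_fields(fields: Dict[str, str],
                  keep: Optional[Set[str]] = None,
                  drop_pattern: Optional[Pattern[str]] = None) -> Dict[str, str]:
    """Keep header fields always; apply a name whitelist and/or a name regex blacklist."""
    always = set(HEADER_FIELDS)
    return {
        k: v for k, v in fields.items()
        if (k in always or keep is None or k in keep)
        and not (drop_pattern is not None and drop_pattern.search(k))
    }


def process(line: str,
            keep: Optional[Set[str]] = None,
            drop_pattern: Optional[Pattern[str]] = None) -> Dict[str, str]:
    """Parse a CEF line and return only the fields that should be indexed."""
    return filter_fields(parse_cef(line), keep=keep, drop_pattern=drop_pattern)


if __name__ == "__main__":
    print("whitelist :", process(SAMPLE_CEF, keep=KEEP_FIELDS))
    print("regex drop:", process(SAMPLE_CEF, drop_pattern=IP_PREFIXED))
```

Whitelisting is the safer default for a high-volume input like this: a regex blacklist only removes the shapes you have already seen, whereas a whitelist bounds the field count regardless of what the device decides to emit next.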

I had created a CEF UDP input - I like your idea though. It would solve my issue and I could cut down on other noise that I had been addressing with additional pipelines. Thanks very much - I am going to give this a try.

I have looked at this, but I cannot find a way to just "drop fields" without naming them explicitly in pipeline rules. I have a list of the fields to keep, just don't know how to go about doing this. Any help is appreciated.

I also see that there was a feature request for this type of pipeline rule that is still open but not being worked: https://github.com/Graylog2/graylog-plugin-pipeline-processor/issues/18
