Extractor for Wallix message

Hello all,
I am trying to send logs from my Wallix bastion to Graylog.
The messages are formatted in RFC 5424 and I don't know which extractor to use. Can somebody help me?

Sample message:

[wabauth] action="authentify" user="cvigreux" client_ip="10.0.4.4" status="success" infos="diagnostic ['dc1-vm-addc01' -password- authentication succeeded]"
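The message above is an RFC 5424 syslog line whose free-form MSG part is a `[tag] key="value" key="value"` string, and the last value (`infos`) itself contains spaces and brackets, so anything that splits on whitespace will cut it apart. The script below is an added example (not from the original post, not Wallix or Graylog code) that separates the RFC 5424 header from the MSG and then parses the key/value pairs while keeping quoted values intact; it is the reference a practitioner can use to check what fields an extractor should yield. The syslog framing (PRI, timestamp, hostname `bastion01`, app-name `wabauth`) is constructed around the quoted message and is an assumption.

```python
import re

# Constructed sample, modeled on the message quoted in the thread. The forum rendering
# turned the straight quotes into curly ones; the device sends straight double quotes.
WAB_MSG = ('[wabauth] action="authentify" user="cvigreux" client_ip="10.0.4.4" '
           'status="success" infos="diagnostic [\'dc1-vm-addc01\' -password- '
           'authentication succeeded]"')

# Constructed RFC 5424 framing (assumed PRI, timestamp, hostname and app-name).
SYSLOG_LINE = '<86>1 2021-03-01T10:15:30.000Z bastion01 wabauth - - - ' + WAB_MSG

# RFC 5424 header: PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID,
# STRUCTURED-DATA ("-" or one or more [...] elements), then the free-form MSG.
RFC5424_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d)\s+(?P<timestamp>\S+)\s+(?P<hostname>\S+)\s+'
    r'(?P<app>\S+)\s+(?P<procid>\S+)\s+(?P<msgid>\S+)\s+'
    r'(?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)(?:\s+(?P<msg>.*))?$', re.S)

# Leading "[wabauth]" tag in front of the key/value pairs.
TAG_RE = re.compile(r'^\[(?P<tag>[^\]]+)\]\s*(?P<rest>.*)$', re.S)

# key="value with spaces" or key=bare; a quoted value may contain escaped quotes.
KV_RE = re.compile(
    r'(?P<key>[A-Za-z0-9_.-]+)=(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>[^\s"]+))')


def split_rfc5424(line):
    """Return (header dict, MSG string) for an RFC 5424 line, or None if it is not one."""
    m = RFC5424_RE.match(line)
    if not m:
        return None
    header = {k: v for k, v in m.groupdict().items() if k != 'msg'}
    pri = int(header['pri'])
    header['facility'] = pri // 8   # 86 -> 10 (authpriv)
    header['severity'] = pri % 8    # 86 -> 6 (info)
    return header, m.group('msg') or ''


def parse_wallix(msg):
    """Parse '[tag] key="value" ...' into a dict; quoted values keep their spaces."""
    fields = {}
    body = msg
    m = TAG_RE.match(msg)
    if m:
        fields['wab_tag'] = m.group('tag')
        body = m.group('rest')
    for kv in KV_RE.finditer(body):
        quoted, bare = kv.group('quoted'), kv.group('bare')
        fields[kv.group('key')] = quoted.replace('\\"', '"') if quoted is not None else bare
    return fields


def naive_split(msg):
    """What a plain whitespace split (split-and-index style) sees: the infos value is cut up."""
    return msg.split(' ')


if __name__ == '__main__':
    header, msg = split_rfc5424(SYSLOG_LINE)
    print('header:', header)
    for key, value in parse_wallix(msg).items():
        print(f'{key} = {value}')
    print(len(naive_split(msg)), 'whitespace tokens vs', len(parse_wallix(msg)), 'real fields')
```

Run it as-is: the header part is what Graylog's syslog input already parses into `source`, `level` and `facility`; the MSG part is what an extractor has to handle, and the whitespace split shows why splitting on spaces breaks the `infos` field. Whatever extractor is configured (Graylog ships a Key=Value pairs type as well as regex and Grok), the field set it produces can be compared against the dict this script returns.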

From: Ingest syslog — Graylog 4.0.0 documentation

“Graylog is able to accept and parse RFC 5424 and RFC 3164 compliant syslog messages and supports TCP transport with both the octet counting or termination character methods. UDP is also supported and the recommended way to send log messages in most architectures.”

Syslog TCP or Syslog UDP should work depending on what protocol your client is using.

Thank you, Zach.

Hello??

My Wallix device sends logs in RFC 5424 format. Graylog receives them correctly, but not all the fields are correctly identified. I think the root cause is the space between each key. We probably need to create an extractor, but I don't know which one.

I have done two things when running into this: do a RAW input, or test against another basic syslog server and troubleshoot from there. Thank you, Zach.

Thank you Zach, but I don't understand what you mean by "do a raw input".

Good morning. Instead of creating a Syslog TCP or UDP input, create a Raw/Plaintext TCP or UDP input.


I’ve done this for troubleshooting. And then once I’ve gotten the client sending correctly, delete it and re-create as Syslog TCP or UDP.

For a few devices, I had to leave them on Raw/Plaintext.

Thank you, Zach.

I understand, you are right, it's sometimes a solution... In my case I'm thinking of creating an extractor to identify each field... the problem is that the keys of the message are separated by spaces and Graylog does not separate them correctly.
