Extractor Key value with spaces

Hello,

I enjoy using the Extractor Copy Input > Key Value option
But when there is value like
msg=New session created

the space breaks the extraction, and I get only "New"
Anyone knows a better way to do it?

The whole source message is like this:
CEF:0|A10|vThunder|2.7.2-P10|WAF|session-id|2|rt=Nov 20 2017 12:37:23 src=93.55.113.54 spt=14142 dst=172.27.234.19 dpt=443 dhost=asd-wartsila.dsa.it cs1=WAF_relaxed_Tmpl cs2=a4d74bbd421bda8c act=learn cs3=learn app=HTTPS requestMethod=GET request=/asdoij/jspgepestyle/FilecomuniReport.jsp?p=5.0.186-001 msg=New session created: Id=a4d74bbd42df1bda8c

thank you

You can use the CEF plugin for CEF messages.

Hi Jochen,
Thank you for the quick reply.
I installed and activated the plugin CEF.
Started on UDP port, traffic is comming ( i can see w/ tcpdump) messages arive but maybe the
input filter is not working?

org.graylog.plugins.cef.codec.CEFCodec.5a12d75392c2117519b6f7dc.failures
Meter
Total:
138 events

But maybe my messages are not in the correct format…?

Try searching “in the future”, e. g. use an absolute time range and set the end a some point some hours in the future to rule out timezone issues.

If the plugin doesn’t work for you, please create a bug report at https://github.com/Graylog2/graylog-plugin-cef/issues and include some example messages (ideally captured with tcpdump or Wireshark) so we can reproduce the issue.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.