Graylog Extractors - BGP

Hi,

New here so please bear with me. We’ve recently started sending out syslogs into Graylog. One of the things we want to be able to alert on but would like a clearer log message is when BGP Drops.

An example of an alert looks something like this

{index=graylog_0, message=<188>: 2024 Feb 09 13:54:38 GMT.950 : %LOG_LOCAL7-4-SYSTEM_MSG: [F0299][soaking_clearing][protocol-bgp-adjacency-down][warning][sys/bgp/inst/dom-N4-LAB-SJ:VRF-MSITE-TEST/peer-[172.23.100.1/32]/ent-[172.23.100.1]/fault-F0299] BGP peer is not established, current state Idle, fields={gl2_accounted_message_size=375, gl2_remote_ip=10.200.229.103, gl2_remote_port=42185, gl2_message_id=01HP72C7790000DVEM2ERSWS91, gl2_source_node=48bc0f30-0073-4198-8fac-83354e45b62b, gl2_source_input=65c51a41542ff8166dde2301}, id=c44a8d91-c752-11ee-91a7-00505689e19c, timestamp=2024-02-09T13:54:38.953Z, source=n4-nht-l3service-4216-103, stream_ids=[000000000000000000000001]}

The key bits of information I want to extract are

• Time and Date
• Tenant Name: N4-LAB-SJ:VRF-MSITE-TEST
• protocol-bgp-adjacency-down
• Peer IP
• Remote IP

Is this possible ?

Thanks

Ya absolutely it should be pretty easy to break apart into fields. You will want to write a pipeline rule, and in the rule you have a few options using GROK may make the most sense (grok is just regex in an easier to use format), plain old regex with capture groups could also work. Then you just take those captures and write them into fields, should be able to do it all in one rule. Check out https://graylog.org/post/getting-started-with-grok-patterns/

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.