Graylog Forwarder

Description of your problem

I am running Graylog 4.1.1 (single node cluster).
I am using Graylog forwarder in remote location to forward FW logs to my graylog server.
Logs are reaching and being saved in Graylog. I am able to view the logs.
But I am not able to use any extractor, since the input is not available in the Inputs section.
I could not modify anything in the Graylog Forwarder Input profile.

Description of steps you’ve taken to attempt to solve the issue

Environmental information

single node cluster

Operating system information

Ubuntu

Hi there, extractors aren’t available with forwarder inputs, so that’s why you’re not able to use them. If you need to extract fields, your best bet would be to use a pipeline.

Any suggestions for rule to extract srcip and dstip from below message?
fwall-sap-4 ulogd[4938]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth5" outitf="eth5" srcmac="32:c4:8d:56:83:de" dstmac="00:2a:7c:f0:84:75" srcip="5.146.15.28" dstip="62.25.1.48" proto="6" length="40" tos="0x00" prec="0x00" ttl="250" srcport="54395" dstport="4204" tcpflags="SYN"

Try this:

rule "Parsing key/value pairs"
when
    true
then
    // Split the raw message on spaces, split each token on "=",
    // and strip the surrounding double quotes from every value.
    set_fields(
        fields: key_value(
            value: to_string($message.message),
            trim_key_chars: "",
            trim_value_chars: "\"",
            delimiters: " ",
            kv_delimiters: "="
        )
    );
end

This should work if you’re sending the logs to a RAW input
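As an added illustration (not code from the thread or from Graylog), the following Python re-implements the key=value split that the rule above relies on, runs it over a line constructed to match the quoted ulogd message, and then validates srcip and dstip before treating them as addresses. It also shows, in naive_key_value, what a plain split on spaces does to a quoted value that itself contains a space (name="Packet dropped" in the sample), which is the case to check on real messages when using this kind of rule; whether Graylog's key_value function keeps such a value intact is not stated in the thread, so verify it on your own input. The names KV_RE, key_value, naive_key_value and extract_endpoints are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample line, modelled on the message quoted in the thread
# (same keys and the same quoted value layout).
SAMPLE = (
    'fwall-sap-4 ulogd[4938]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" '
    'initf="eth5" outitf="eth5" srcmac="32:c4:8d:56:83:de" '
    'dstmac="00:2a:7c:f0:84:75" srcip="5.146.15.28" dstip="62.25.1.48" '
    'proto="6" length="40" tos="0x00" prec="0x00" ttl="250" '
    'srcport="54395" dstport="4204" tcpflags="SYN"'
)

# key=value where the value is either a double-quoted string (which may
# contain spaces) or a run of non-whitespace characters.
KV_RE = re.compile(r'(?P<key>[A-Za-z0-9_]+)=(?P<value>"[^"]*"|\S+)')


def key_value(message, trim_value_chars='"'):
    """Quote-aware key=value parser (hypothetical stand-in for the rule's
    key_value call). Tokens without '=' such as the hostname and
    'ulogd[4938]:' are simply not matched and are skipped."""
    fields = {}
    for m in KV_RE.finditer(message):
        fields[m.group("key")] = m.group("value").strip(trim_value_chars)
    return fields


def naive_key_value(message, delimiter=" ", kv_delimiter="=", trim_value_chars='"'):
    """Literal split on the delimiter, as the rule's delimiters/kv_delimiters
    options describe. A quoted value with an embedded space is cut in two:
    'name="Packet' becomes name -> Packet and the stray 'dropped"' token is
    dropped because it has no '='."""
    fields = {}
    for token in message.split(delimiter):
        if kv_delimiter not in token:
            continue
        key, value = token.split(kv_delimiter, 1)
        fields[key] = value.strip(trim_value_chars)
    return fields


def extract_endpoints(message):
    """Return only srcip/dstip values that are syntactically valid IP
    addresses, so malformed or mis-split values never land in an IP field."""
    fields = key_value(message)
    result = {}
    for name in ("srcip", "dstip"):
        raw = fields.get(name)
        if raw is None:
            continue
        try:
            result[name] = str(ipaddress.ip_address(raw))
        except ValueError:
            # Leave the field out rather than storing non-IP text under an IP key.
            continue
    return result


if __name__ == "__main__":
    print(extract_endpoints(SAMPLE))
    print("quote-aware name:", key_value(SAMPLE)["name"])
    print("naive name:      ", naive_key_value(SAMPLE)["name"])
```

The two parsers agree on every field of the sample except name, which is exactly the kind of difference to look for when the fields coming out of a pipeline rule look truncated.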

Many thanks.
It solved my requirements.
