Graylog Index Field Issues.

Hi All,

I have data that I would like to ingest into Graylog using fluent-bit. The following is the data:
{"timestamp":"2023-10-01T20:36:53.079+0000","rule":{"level":3,"description":"Windows User Logoff.","id":"60137","firedtimes":275,"mail":false,"groups":["windows","windows_security"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.5"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"045","name":"HOSTNAME","ip":"10.6.57.51"},"manager":{"name":"OSHW01"},"id":"1696192613.464067641","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4634","version":"0","level":"0","task":"12545","opcode":"0","keywords":"0x8020000000000000","systemTime":"2023-10-01T20:36:52.075049500Z","eventRecordID":"47135776","processID":"664","threadID":"2824","channel":"Security","computer":"8","severityValue":"AUDIT_SUCCESS","message":"\"An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-281294383-1138842768-2788462225-1134\r\n\tAccount Name:\t\tgensvcadmin\r\n\tAccount Domain:\t\t\r\n\tLogon ID:\t\t0xBCC4EDEE\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\""},"eventdata":{"targetUserSid":"S-1-5-21-281294383-1138842768-2788462225-1134","targetUserName":"gensvcadmin","targetDomainName":"**","targetLogonId":"0xbcc4edee","logonType":"3"}}},"location":"EventChannel"}

The data is not represented correctly.
The field that needs to be created is actually rule.id; however, Graylog is creating the field as rule_id. This is causing all the managers to fail, as the field cannot be searched.

Most of the fields with "." are replaced with "_".

Any suggestion would help.

Welcome @rohanrajnv,

Graylog does not support the use of dots in field names. The underscores are required. What do you mean it causes the Managers to fail?

What is the larger task you are trying to accomplish? A little context would help us to help you.


I am ingesting the logs from the Wazuh Manager into Graylog using Fluent-Bit. Graylog is storing the data in the Wazuh Indexer (forked from OpenSearch).
What I mean by "the manager fails" is that the manager is not able to make any queries for the data, as the Wazuh manager is hardcoded to the field name.

All the logs that are ingested into a central graylog
Wazuh Index when ingesting logs to Wazuh Indexer.

Wazuh index when ingesting logs through graylog.

Hi everyone. Any help on this?

Graylog does not support fields with ".", but can nested fields be configured?

Hi @rohanrajnv. There is no concept of a sub-field, or nested field, in Graylog. You can create fields for each of these, but it's not a nested field. The field name structure is flat. There is no hierarchy of fields. You can add a prefix, like geo_, to get much the same effect. Because field sort defaults to alphabetic, it will cause all geo-ip related fields to be grouped together in an expanded message.

Would that do what you are looking for? If not, what exactly are you trying to achieve?
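The following is an added example, not code from Graylog, Wazuh or anyone in this thread. It models the flat-field behaviour described above (nested keys joined with "_" instead of ".") on a constructed subset of the alert posted at the top, and shows why a consumer that is hardcoded to dotted names such as rule.id cannot simply rename the flat fields back: keys that already contain underscores, such as nist_800_53, make the reverse mapping ambiguous. The exact way Graylog builds the name is an assumption here (a plain join with "_"); the page only states that dots are replaced with underscores.

```python
"""Flatten a nested Wazuh-style alert into Graylog-style flat field names.

Added example for this thread; it is not Graylog's or Wazuh's own code.
Assumption: nested object keys are joined with "_" (the page only says
dots become underscores). Lists are kept as values, since only nested
objects lose their hierarchy.
"""
from typing import Any, Dict, List

# Constructed subset of the alert posted above (values taken from the post).
SAMPLE_ALERT: Dict[str, Any] = {
    "timestamp": "2023-10-01T20:36:53.079+0000",
    "rule": {
        "level": 3,
        "id": "60137",
        "groups": ["windows", "windows_security"],
        "nist_800_53": ["AC.7", "AU.14"],
    },
    "agent": {"id": "045", "name": "HOSTNAME", "ip": "10.6.57.51"},
    "data": {"win": {"system": {"eventID": "4634", "channel": "Security"}}},
}


def flatten(doc: Dict[str, Any], sep: str = "_", prefix: str = "") -> Dict[str, Any]:
    """Return a single-level dict whose keys are the nested paths joined by `sep`."""
    out: Dict[str, Any] = {}
    for key, value in doc.items():
        name = f"{prefix}{sep}{key}" if prefix else key
        if isinstance(value, dict):
            # recurse into nested objects; their keys get the parent as a prefix
            out.update(flatten(value, sep, name))
        else:
            out[name] = value
    return out


def flat_name(dotted: str, sep: str = "_") -> str:
    """Translate a dotted path such as 'rule.id' into the flat field name."""
    return dotted.replace(".", sep)


def missing_after_flatten(doc: Dict[str, Any], expected_dotted: List[str]) -> List[str]:
    """Dotted names a hardcoded consumer expects that do not exist verbatim
    in the flattened document (they exist only under the underscore name)."""
    flat = flatten(doc)
    return [d for d in expected_dotted if d not in flat]


def unflatten_candidates(flat_key: str, sep: str = "_") -> List[str]:
    """Every dotted path a flat key could have come from.

    'rule_nist_800_53' might be rule.nist.800.53, rule.nist_800_53, ...;
    each underscore may or may not have been a path separator, so there
    are 2**(number of separators) candidates and no unique inverse.
    """
    parts = flat_key.split(sep)
    results: List[str] = []
    for mask in range(1 << (len(parts) - 1)):
        path = parts[0]
        for i, part in enumerate(parts[1:]):
            # bit i of the mask decides whether separator i was a real "."
            path += ("." if (mask >> i) & 1 else sep) + part
        results.append(path)
    return results


if __name__ == "__main__":
    flat = flatten(SAMPLE_ALERT)
    print(flat["rule_id"])                        # the field the manager cannot find as rule.id
    print(missing_after_flatten(SAMPLE_ALERT, ["rule.id", "agent.name"]))
    print(len(unflatten_candidates("rule_nist_800_53")), "possible original paths")
```

Running the module prints the flattened rule_id value, the dotted names that no longer exist after flattening, and the number of original paths the key rule_nist_800_53 could correspond to. The last figure is the practical point for the thread: once the dots are gone, a downstream consumer cannot recover the nested structure from the field names alone, so the rename has to be handled on the ingestion side or the consumer has to be pointed at the underscore names.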