I don’t know where your problem is. Are only the first 2 fields extracted, or?
It is a correct RFC 3641 syslog message, so why do you try to extract from the full message? I’d rather use message as the extractor field. This way, the level and severity fields are automatically extracted by Graylog.
Create a normal Syslog input, not raw, because it is normal syslog.
<30> is the syslog header, and it changes based on facility and severity, so don’t include it (<30>) in your grok pattern.
So your grok pattern can start like this: %{SYSLOGTIMESTAMP:timestamp} %{DATA:source} mwg
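As an added illustration of the points above (this is not the poster’s code or a Graylog component), here is a small Python parser that does what the suggested grok pattern does: it treats the `<N>` PRI header as optional, decodes it into facility and severity the same way a Graylog Syslog input would, and then matches the timestamp, source and program name. The sample lines are constructed for the example; the `mwg` payload after the colon is left as an opaque message string because the thread does not show its format.

```python
import re
from typing import Optional

# Constructed sample lines (not taken from the thread): BSD-style syslog as a
# raw/plaintext input delivers it, PRI header included. The second line has a
# different severity to show why a hard-coded <30> in the pattern is fragile.
SAMPLE_INFO = "<30>Jan 12 10:15:33 proxy01 mwg: user=alice action=allow"
SAMPLE_ERR = "<27>Jan 12 10:15:34 proxy01 mwg: user=bob action=block"

# Facility and severity names for PRI = facility * 8 + severity (0..191).
SYSLOG_FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SYSLOG_SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Regex equivalents of the grok building blocks named in the post. PRI sits in
# its own optional group, so the parser works whether or not the input has
# already stripped the <N> header (a Syslog input strips it; a raw one does not).
PRI_RE = r"(?:<(?P<pri>\d{1,3})>)?"
SYSLOGTIMESTAMP_RE = r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})"
SOURCE_RE = r"(?P<source>\S+)"                       # what %{DATA:source} captures here
PROGRAM_RE = r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?"
MESSAGE_RE = r"(?P<message>.*)"
LINE_RE = re.compile(
    rf"^{PRI_RE}{SYSLOGTIMESTAMP_RE} {SOURCE_RE} {PROGRAM_RE}:\s*{MESSAGE_RE}$"
)

# The fragile variant: PRI hard-coded as <30>, as in the extractor under discussion.
LITERAL_PRI_RE = re.compile(
    rf"^<30>{SYSLOGTIMESTAMP_RE} {SOURCE_RE} {PROGRAM_RE}:\s*{MESSAGE_RE}$"
)


def decode_pri(pri: int) -> tuple:
    """Split a syslog PRI value into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return SYSLOG_FACILITIES[pri >> 3], SYSLOG_SEVERITIES[pri & 7]


def parse_syslog(line: str) -> Optional[dict]:
    """Parse one BSD-style syslog line; return None when it does not match."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    fields = m.groupdict()
    if fields["pri"] is not None:
        pri = int(fields["pri"])
        fields["pri"] = pri
        fields["facility"], fields["severity"] = decode_pri(pri)
    else:
        # Header already stripped upstream: facility/severity must come from
        # the input that stripped it, not from this pattern.
        fields["facility"] = fields["severity"] = None
    return fields


def literal_pri_matches(line: str) -> bool:
    """True only when the line carries exactly <30>; other severities fail."""
    return LITERAL_PRI_RE.match(line) is not None


if __name__ == "__main__":
    for sample in (SAMPLE_INFO, SAMPLE_ERR, SAMPLE_INFO[4:]):
        print(parse_syslog(sample))
        print("literal <30> pattern matches:", literal_pri_matches(sample))
```

Running it shows the same parser handling `<30>`, `<27>` and a header-less line, while the literal `<30>` variant only matches the first. That is the practical reason to keep the PRI out of the grok pattern and let the Syslog input populate the level and facility fields.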
Thanks for your answer. Indeed, only the first two fields are extracted, but it is not clear to me why.
Originally, I created the input as generic syslog, but messages weren’t imported. After I changed the input to RAW/Plaintext, it was working.
The extractor field is message, and I already noticed that I can replace the first fields with: <30>%{SYSLOGBASE}
The extractor is working better now:
but the rest of the message is still not parseable. The severity won’t change on this input, so it is okay to keep it there. The parser tells me that there is nothing to extract if I remove it from the pattern…
I also tried syslog-tcp again as input, but messages are still not imported, though they are visible in the statistics.
Regarding the content pack: the patterns are mostly taken from there, but the pack itself couldn’t be imported. Not sure if there is a mismatch in the Graylog version or…