Help with understanding a few key fundamental concepts of Graylog: Raw vs Syslog input

OH. MY. GOD! That’s amazing! Thanks! Exactly what I was looking for! Brilliant. :pray: :pray:

Coolio, but for the reference, wireshark seems to offer a syslog filter Wireshark · Display Filter Reference: Syslog message

Anyways, remote IP is a thousand times better than diving through Wireshark for that :wink:

Hello,
Glad you found your solution :slight_smile:

The only issue with this one is that you need to add this field to all tables every time you access Graylog, but I lived with that for years and it didn’t bother me much :wink:

Now I grew up and I am using pipeline rule to replace the source field with gl2_remote_ip field and from now on my source always shows the same value as gl2_remote_ip.

The pipeline rule is attached to every message that comes through.

rule "replace_source_with_ip"
when
  has_field("message")
then
  set_field("source", to_string($message.gl2_remote_ip));
end

K.


I prefer hostnames, but I will probably add remote IP in a separate field so it’s saved in the message. You could also make a dashboard where you display that field in the view and save it. Sadly it seems like we don’t have control over column width, so the formatting leaves something to be desired. =/
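A variant of K.'s rule, added here as an example and not taken from this thread, that keeps the hostname from the syslog payload in a separate field (the field name `source_hostname` is my choice) instead of discarding it, and only fires when `gl2_remote_ip` is actually present so `source` is never overwritten with an empty string. The security-relevant distinction: `gl2_remote_ip` is filled in by Graylog from the sending connection, while the syslog hostname is whatever the sender wrote into the payload.

```graylog
rule "replace_source_with_ip_keep_hostname"
when
  // only act when Graylog recorded the sender's connection address;
  // otherwise to_string() would yield "" and clobber source
  has_field("gl2_remote_ip")
then
  // preserve the hostname the sender reported in the syslog payload
  // (field name source_hostname is an assumption, not a Graylog builtin)
  set_field("source_hostname", to_string($message.source));
  // make source reflect the connection-level address Graylog observed
  set_field("source", to_string($message.gl2_remote_ip));
end
```

Attach the rule to the same stage as the original; messages without `gl2_remote_ip` (for example ones arriving via inputs that do not set it) keep their original `source` untouched.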
