How can I use the hostname in the raw log?

Hi Team,

I would like to export the hostname from the raw log and then add it to the “hostname” field.

I am testing the “pipeline” feature and “rules”. However, I think that I do not have enough skill to write an expression rule to export and set the hostname. Could you please help with my issue? It would be very helpful.

For example, here is the raw log from a Cisco network device. As you can see, the real hostname is “dc1-chint-lf-1218” and it can change for each appliance (dc1-chint-lf-1218, dc1-chint-lf-1219 or dc2-chint-lf-1000).

[As-IS]
Custom Message:

time : 2022-05-06T07:35:47.000Z
hostname : 913
message : 913 dc1-chint-lf-1218 %LOG_LOCAL7-4-SYSTEM_MSG [F96760][raised][threshold-crossed][warning][sys/phys-[eth1/9]/fault-F96760] TCA: Egress Buffer Drop Packets rate(eqptEgrDropPkts5min:bufferRate) value 13 raised above threshold 10
severity : 4

[To-BE]
Custom Message:

time : 2022-05-06T07:35:47.000Z
hostname : dc1-chint-lf-1218
message : 913 dc1-chint-lf-1218 %LOG_LOCAL7-4-SYSTEM_MSG [F96760][raised][threshold-crossed][warning][sys/phys-[eth1/9]/fault-F96760] TCA: Egress Buffer Drop Packets rate(eqptEgrDropPkts5min:bufferRate) value 13 raised above threshold 10
severity : 4

Thank you a lot in advance,

HJ

Something like this:

rule "Parse - CISCO LOG HOSTNAME"
when
    // Use routing message to select messages
    to_string($message.message_route) == "cisco logging"
then
    // Skip the leading numeric id ("913") so HOSTNAME captures the second token;
    // an unanchored %{HOSTNAME} would match the number first
    let pf = grok(
        pattern: "^%{INT} %{HOSTNAME:cisco_log_hostname} ",
        value: to_string($message.message),
        only_named_captures: true
    );
    set_fields(pf);
    // Add Parse field for easier message tracing
    set_field("parse","Parse - Cisco Messages");
end

And then add this rule to a pipeline.

You can use this site for creating grok patterns.

https://grokdebug.herokuapp.com/

And play there with the discover page. Not all GROK patterns are in Graylog.

Good luck


I am sorry that my explanation was not enough to convey what I want. Sure, I will study more to use grok; right now I can only use pipeline rules. :slight_smile:

My idea is that this can be solved if I can export a specific word and set it to a string. As you can see, “dc1-chint-lf-1218” is the second block in the log. If I can export the second block word into a specific string ($hostname), I can solve this. What do you think?

time : 2022-05-06T07:35:47.000Z
hostname : 913
message : 913 dc1-chint-lf-1218 %LOG_LOCAL7-4-SYSTEM_MSG [F96760][raised][threshold-crossed][warning][sys/phys-[eth1/9]/fault-F96760] TCA: Egress Buffer Drop Packets rate(eqptEgrDropPkts5min:bufferRate) value 13 raised above threshold 10
severity : 4

@Arie provided a pipeline rule for you. Have you tried adding that to the pipeline?
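An added example (not code from this thread) showing, in Python, why the rule has to pin the hostname to the second token: the standard grok HOSTNAME pattern, copied here from the common grok-patterns library, also matches the leading numeric id "913", so an unanchored pattern captures the wrong token. The sample messages are constructed from the layout shown above, and the `enrich` helper leaves the original hostname alone when a message does not parse.

```python
import re

# HOSTNAME as defined in the standard grok pattern library shipped with Graylog/Logstash.
HOSTNAME = r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)"

# Constructed samples in the same shape as the Cisco messages in the thread.
SAMPLES = [
    "913 dc1-chint-lf-1218 %LOG_LOCAL7-4-SYSTEM_MSG [F96760][raised] TCA: Egress Buffer Drop",
    "914 dc2-chint-lf-1000 %LOG_LOCAL7-4-SYSTEM_MSG [F96760][cleared] TCA: Egress Buffer Drop",
    "garbage line without the expected layout",
]

# Equivalent of grok pattern "%{HOSTNAME:cisco_log_hostname}" with no anchoring.
UNANCHORED = re.compile(rf"(?P<cisco_log_hostname>{HOSTNAME})")
# Equivalent of "^%{INT} %{HOSTNAME:cisco_log_hostname} ": skip the numeric id first.
ANCHORED = re.compile(rf"^\d+\s+(?P<cisco_log_hostname>{HOSTNAME})\s")


def first_hostname_match(message: str):
    """What the unanchored pattern captures: the first HOSTNAME-shaped token."""
    m = UNANCHORED.search(message)
    return m.group("cisco_log_hostname") if m else None


def second_token_hostname(message: str):
    """Hostname taken strictly from the second whitespace-separated token."""
    m = ANCHORED.match(message)
    return m.group("cisco_log_hostname") if m else None


def enrich(event: dict) -> dict:
    """Return a copy of the event with hostname overwritten only on a successful parse,
    so a malformed message never blanks or corrupts the existing field."""
    fixed = dict(event)
    host = second_token_hostname(event.get("message", ""))
    if host is not None:
        fixed["hostname"] = host
    return fixed


if __name__ == "__main__":
    for msg in SAMPLES:
        print(first_hostname_match(msg), "->", second_token_hostname(msg))
```

In a Graylog rule the same anchoring is the grok pattern "^%{INT} %{HOSTNAME:cisco_log_hostname} ", after which set_field can copy the captured value into hostname.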
