alias454
(@_alias454)
April 19, 2017, 4:38pm
1
I’m curious how parsing of Cisco and Fortinet logs works. Does Graylog perform a regex comparison on every message that arrives and then automagically extract the fields?
jochen
(Jochen)
April 20, 2017, 8:14am
2
Yes, it’s pretty much that. There are (simple) heuristics in place to guess what type of syslog message was received and how to process it further:
/*
* ZOMG funny 80s neckbeard protocols. We are now deciding if to parse
* structured (RFC5424) or unstructured (classic BSD, RFC3164) syslog
* by checking if there is a VERSION after the PRI. Sorry.
*
* ._. _
* R-O-F-L-R-O-F-L-R-O-F-L-IOI-R-O-F-L-R-O-F-L-R-O-F-L / l
* ___________/LOL\____ /: ]
* .__/° °\___/° \ / ::\
* /^^ \ ° ° \_______.__________.____/: OO:\
* .__./ j ________ _________________ ::OO::|
* ./ ^^ j____/° [\______/] .____/ \__:__/
* ._|____/° ° <{(OMG{< / ::
* / ° ° (OMFG{ /
* |° loooooooooooooooooooooooooooooooool
* °L| L|
* () ()
*
*
* http://open.spotify.com/track/2ZtQKBB8wDTtPPqDZhy7xZ
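The heuristic described in the reply above (look for a VERSION after the PRI to choose between RFC5424 and RFC3164), as an added Python example that is not Graylog's own code. The function name `classify`, the regular expressions, and all sample lines (including the Cisco- and Fortinet-style ones) are constructed for illustration.

```python
import re

# PRI is 1-3 digits in angle brackets. RFC 5424 then requires VERSION
# (a non-zero digit plus up to two more digits) followed by a space.
PRI_RE = re.compile(r"^<(\d{1,3})>")
VERSION_RE = re.compile(r"([1-9]\d{0,2}) ")

def classify(raw: str) -> dict:
    """Guess the syslog flavour of one message and decode its PRI."""
    m = PRI_RE.match(raw)
    if m is None or int(m.group(1)) > 191:
        # No usable PRI (191 = facility 23, severity 7 is the maximum):
        # keep the message as opaque text instead of guessing fields.
        return {"format": "unknown", "facility": None,
                "severity": None, "version": None}
    pri = int(m.group(1))
    result = {"facility": pri >> 3, "severity": pri & 7, "version": None}
    v = VERSION_RE.match(raw, m.end())  # anchored right after the PRI
    if v:
        result["format"] = "rfc5424"    # structured syslog
        result["version"] = int(v.group(1))
    else:
        result["format"] = "rfc3164"    # classic BSD syslog
    return result

# Constructed sample messages (not taken from real devices).
SAMPLES = [
    "<165>1 2017-04-20T08:14:00Z fw01.example.net app 1234 ID1 - session opened",
    "<34>Apr 20 08:14:00 host01 sshd[411]: Failed password for invalid user admin",
    # Cisco-style: a sequence number follows the PRI, but it ends in ':' not ' '
    "<189>45: *Apr 20 08:14:00.123: %LINK-3-UPDOWN: Interface Gi0/1, changed state to up",
    # Fortinet-style key=value payload directly after the PRI
    "<189>date=2017-04-20 time=08:14:00 devname=fgt01 type=traffic action=deny",
    "plain text without a priority field",
    "<999>1 2017-04-20T08:14:00Z host app - - - PRI out of range",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line)["format"], "|", line[:50])
```

Only the first sample is treated as structured syslog; vendor formats that omit the VERSION field fall through to the unstructured path, where any further field extraction depends on vendor-specific patterns.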