How to extract Cisco Log Message from Graylog

peter.legista · May 18, 2018, 9:54pm

Hello,

Good day!

Just want to ask if there are some here know how to extract data from Cisco log message.

Here is the example of cisco Log Message:

Line protocol on Interface GigabitEthernet1/0/26, changed state to down

I would like to extract it like the below example:

Interface: Line protocol
Data Port: GigabitEthernet1/0/26
Stae: down

Hoping for your help. Thank you in advance.

Thanks,
Pete

jochen · May 20, 2018, 5:12pm

Using the (only) example you’ve given, you could create a Grok pattern (or a regular expression) matching that message, for example:

%{GREEDYDATA:interface} on Interface %{GREEDYDATA:data_port}, changed state to %{GREEDYDATA:state}

peter.legista · May 20, 2018, 5:22pm

Hi jochen,

I have tried creating grok pattern however the fields that i created does not show up when expand logs to see the contents. It always same fields, the new fields created from grok pattern does not showing up.

Do you know why is not showing up ?

Thanks
pete

jochen · May 20, 2018, 5:50pm

Without further information? No.

Please post all relevant configuration and a few example messages.

peter.legista · May 20, 2018, 9:54pm

Thanks Jochen,

I got what you mean and it seems to work now.

Thanks again and have a great day!

Regards,
Pete

peter.legista · May 28, 2018, 10:22pm

Hi Jochen,

Just want to ask if there should need to do after adding extractor using Grok pattern. I already added a new extractor using Grok pattern however the suppose to be new fields from the extractor i made were not showing up on the fields of message.

Thank you

system · June 11, 2018, 10:35pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.