I’m trying to configure a Netgear switch to output to Graylog, however, it appears that the message output from Netgear is almost but not quite rfc5424 compliant. Its timestamp contains a trailing colon which makes the message not parseable by Graylog.
If I change the message to omit the trailing : after the Z in the timestamp, the message is appropriately parsed by Graylog.
I realize that this is not a Graylog problem, but unfortunately Netgear doesn’t give any control over the configuration of the syslog messages that it sends.
2. What steps have you already taken to try and solve the problem?
FWIW, I tried experimenting with pipelines, but it doesn’t look like pipelines get executed early enough in the Graylog intake process.
3. How can the community help?
So my question is, is there any way to set up an input in Graylog that accepts this message and massages it into the correct format before Graylog attempts to parse it as an rfc5424 message?
I would just use one of the raw inputs, and then deal with it all in pipelines. Pipelines will make quick work of it, and the raw input won’t try and do anything with parsing, it will just pass on whatever it gets.
I think that I’m getting close. I set up the Raw UDP input and I got messages from the switch flowing to it.
I’ve created a regular expression pipeline that selects that input and then should replace Z: with Z.
However, is there a way to get a pipeline to push the results of one input back into another input?
I guess I’m hoping that now that I’ve fixed the syslog formatting issue with the Raw Input, I could just push the output of that back into the UDP syslog input and have it parse it like normal, rather than setting up an extractor and doing all of the syslog parsing myself.
Theoretically, but super messy. In that same pipeline rule you could do any extraction into fields, don't need to mess with extractors. How do you want it to end up looking?
I essentially want it to end up in the same index that I use for all of my other networking syslogs and in the same format that syslog messages usually show in.
So I guess I’m looking to extract facility, facility_num, level, log_source, and timestamp.
It would also be nice if I could use the pipeline to control which index it went into as well.
Nice! For everything you capture with the grok pattern you can use set_fields if you want and it will just create all the fields based off the names in your grok that you used for the named captures.
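Putting the whole thread together in one pipeline rule, as an added example that is not from any post above: it takes the line from the Raw/Plaintext UDP input, strips the stray colon after the Zulu timestamp, splits the RFC 5424 header with grok, sets the same facility/level/timestamp fields the Syslog UDP input would have produced, and routes the message to the stream whose index set holds the other network syslog (index selection in Graylog is per stream, so that is how a pipeline "controls the index"). The input ID, the stream name and the shape of the sample line are assumptions; the thread does not show what the switch actually sends, so check a few raw messages before trusting the grok pattern.

```graylog
// Added example (not from the thread). Constructed sample line this rule expects on
// the "message" field of the raw input, with the offending "Z:" from the switch:
//   <190>1 2024-01-15T10:23:45Z: sw-core01 - - - - Link Up on port 1/0/3
rule "netgear: fix rfc5424 timestamp and parse syslog header"
when
  // Only touch messages from the Raw/Plaintext UDP input created for the switch.
  // The input ID is an assumption; copy the real one from System > Inputs.
  to_string($message.gl2_source_input) == "0123456789abcdef01234567" &&
  contains(value: to_string($message.message), search: "Z: ")
then
  let raw = to_string($message.message);

  // Drop the colon after the timestamp so the header is valid RFC 5424 again.
  let fixed = regex_replace(pattern: "Z: ", value: raw, replacement: "Z ", replace_all: false);
  set_field("full_message", fixed);

  // Split the RFC 5424 header: PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID,
  // MSGID, STRUCTURED-DATA ("-" or one SD element), MSG. Pattern is an assumption.
  let parts = grok(
    pattern: "^<%{POSINT:pri}>%{INT:version} %{TIMESTAMP_ISO8601:ts} %{HOSTNAME:log_source} %{NOTSPACE:app} %{NOTSPACE:procid} %{NOTSPACE:msgid} (?:-|\\[%{DATA:sd}\\]) %{GREEDYDATA:msg}$",
    value: fixed,
    only_named_captures: true
  );

  // Same fields the Syslog UDP input would have produced: facility = PRI / 8,
  // level (severity) = PRI mod 8, done by Graylog's own priority helpers.
  let prio = expand_syslog_priority(to_long(parts.pri));
  set_field("facility_num", prio.facility);
  set_field("facility", syslog_facility(prio.facility));
  set_field("level", prio.level);
  set_field("log_source", parts.log_source);
  set_field("source", parts.log_source);
  // The switch sends UTC ("Z"), so parse the literal and pin the zone to UTC.
  set_field("timestamp", parse_date(value: parts.ts, pattern: "yyyy-MM-dd'T'HH:mm:ss'Z'", timezone: "UTC"));
  set_field("message", parts.msg);

  // Index is chosen by stream: this stream (name assumed) uses the same index set
  // as the rest of the network syslog, and the message leaves "All messages".
  route_to_stream(name: "Network syslog", remove_from_default: true);
end
```

Attach the rule to a pipeline connected to the stream the raw input's messages land in (by default "All messages"). If the switch ever sends fractional seconds or a numeric offset instead of "Z", the `parse_date` pattern will fail and the message keeps its receive time; `flex_parse_date(parts.ts)` is the more forgiving alternative.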