Hi,
this is probably something obvious, but I’m having trouble figuring where to start. I’m not native english speaker so I kinda struggle with what I’m actually looking for is called to look up a tutorial.
I have around 15 hosts from my home network sending logs to graylog. Inside graylog I have a stream called librenms, which only receives messages filtered according to rules I set which I integrate into my LibreNMS install. So far so good.
One of the hosts (TrueNAS running on FreeBSD) sends the log messages such as this: turbofreenas 1 2021-04-04T11:36:00.172542+01:00 turbofreenas.lan /usr/sbin/cron 21182 - - (root) CMD (PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/root/bin" midclt call cronjob.run 1 true > /dev/null 2> /dev/null)
Is there any way how I can cut off the turbofreenas 1 2021-04-04T11:36:00.172542+01:00 turbofreenas.lan part from each message from this host before passing it to my stream? Such as via a regex like with the filters, but before it even gets to filters?
Graylog already correctly pulls the host name and timestamp from the message, so it ends up displaying the info twice such as this:
Is there any way how I can cut off the turbofreenas 1 2021-04-04T11:36:00.172542+01:00 turbofreenas.lan part from each message from this host before passing it to my stream
My initial thoughts are that you could do that with a pipeline, but I think I’d rather know more about what you’re using for those other messages when it comes to ingesting them. They’re certainly not in a valid syslog format, so I can only assume you’re using something like a raw/plaintext input to ingest those messages. If your TrueNAS host is sending valid syslog messages, then you’re necessarily going to have to do some sort of processing if you want them to look the same as the other messages. But then at that point, you’re also basically doing away with the syslog formatted messages.
Sorry for the late reply, but I don’t use the messages for anything fancy.
Basically I’ve got a LibreNMS dashboard running on a spare monitor, amongst others a Graylog component displaying 1 stream.This stream is result of filtering syslog messages from 15 hosts through ~300 rules after which I’m left with any messages not pertaining to normal operation, such as any network outages, crashes, dhcp connections from nonfiltered hosts, windows update logs, smart attribute changes on the nas etc.
As for what I’m using it it already works and does what I want, this all purely cosmetical as I’d like all messages formatted the same.
The message I screenshoted would be not displayed in my stream as it’d be filtered.
On the nas system I can’t edit the syslog-ng config directly as any changes to root filesystem are discarded by the system on update which would not make this long-term viable solution.
The only options I have on the NAS side in regards to syslog are these:
If I check the FQDN one the only thing it changes is the very first mention of the hostname will display as fqdn, ie where now it says turbofreenas 1 etc etc, it would say turbofreenas.lan 1 etc etc this is not desirable as my librenms install queries the hosts as non-fqdn hostnames and for the hostnames in the graylog component to be clickable they need to be non-fqdn coming from graylog too.
At the end of the day I’m just a hobbyist with a homelab and obsession of watching graphs and logs, it’s nothing that important.
