I find raw logs under “message” in Graylog search, and I don’t find user name, src_ip, dest_ip, dest_application. What change should I make, and where, so that these fields also appear separately?
Please, how do I get the fields I would like to see from the message? Fields like source IP, destination IP, source and destination ports and all.
This is for nginx logs.
Some log forwarder/input combinations in Graylog will break out SOME of the fields for you, but for the most part that job is for you to build (in the Open Source version). You can use Extractors and/or Pipelines to break out the message into its constituent parts. (Note the doc links are mixed there… not sure what version you are working with… the idea is the same though.) You can search the forums for things like src_ip and you may find snippets of pipeline code or extractor explanations that may help. You can also look in the Marketplace portion of the forum for ideas and content packs that may get you the fields you want.
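To make the "break the message into its constituent parts" step concrete, here is an added example (not from the thread or from Graylog itself) that parses nginx's default `combined` access-log format into the kinds of fields asked for above. The regex uses named groups that map one-to-one onto the field names a Graylog regex extractor or a pipeline `regex()`/`set_fields()` rule would produce; the field names (`src_ip`, `user_name`, ...) and the sample log lines are my own constructed choices, not anything Graylog prescribes.

```python
import re
from typing import Optional

# nginx "combined" log_format (the default for access_log):
#   $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
#   "$http_referer" "$http_user_agent"
# Named groups become the separate Graylog fields. The names are assumptions
# chosen to match the question (src_ip, user_name); rename as you like.
# The "$request" part has an alternation because nginx writes "-" or an
# arbitrary string there for malformed requests, and those lines must still
# parse (they are often the most interesting ones for a defender).
NGINX_COMBINED = re.compile(
    r'^(?P<src_ip>\S+) - (?P<user_name>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?:(?P<http_method>[A-Z]+) (?P<request_path>\S+) (?P<http_version>HTTP/[\d.]+)'
    r'|(?P<raw_request>[^"]*))" '
    r'(?P<http_status>\d{3}) (?P<body_bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Constructed sample lines (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LINES = [
    '203.0.113.7 - alice [10/Oct/2023:13:55:36 +0000] "GET /admin/login HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "POST /api/v1/items?id=1 HTTP/1.1" 404 153 "https://example.org/" "curl/8.1.2"',
    '192.0.2.44 - - [10/Oct/2023:13:55:38 +0000] "-" 400 0 "-" "-"',
    'not an nginx line',
]


def parse_nginx_access(message: str) -> Optional[dict]:
    """Extract fields from one access-log line.

    Returns None when the line is not in combined format, so the caller can
    leave the raw message untouched (or tag it for review) instead of
    silently producing empty fields.
    """
    m = NGINX_COMBINED.match(message)
    if not m:
        return None
    fields = m.groupdict()
    # nginx writes "-" for an absent value; store a real null instead so that
    # searches like user_name:alice vs. missing user_name behave sensibly.
    for key in ("user_name", "referer", "user_agent"):
        if fields[key] == "-":
            fields[key] = None
    # Numeric fields as numbers, so range queries (http_status:>=500) work.
    fields["http_status"] = int(fields["http_status"])
    fields["body_bytes"] = int(fields["body_bytes"])
    return fields


def parse_many(lines):
    """Parse a batch of lines; returns (parsed_records, unparsed_lines)."""
    parsed, unparsed = [], []
    for line in lines:
        rec = parse_nginx_access(line)
        (parsed if rec is not None else unparsed).append(rec if rec is not None else line)
    return parsed, unparsed


if __name__ == "__main__":
    records, leftovers = parse_many(SAMPLE_LINES)
    for rec in records:
        print(rec["src_ip"], rec["user_name"], rec["http_method"], rec["http_status"])
    print("unparsed:", leftovers)
```

Two practical notes. First, the combined format carries no destination IP or port at all: if you need `dest_ip`/`dest_port` as separate fields, the change has to be made in nginx (a custom `log_format` that adds `$server_addr` and `$server_port`), because no extractor can recover a value the log line never contained. Second, keep the "return None on mismatch" behaviour when you port this to an extractor or pipeline rule: a pattern that partially matches and fills fields with garbage is worse for detection than a line left as raw `message`.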