Ingesting CSV files

Hi,

We’re attempting to ingest CSV files from a few different sources, but as an example generally they are structured as below:

ID,AuditIndex,Authentication,CSPSessionID,ClientExecutableName
User1,1865062,Password,WjqwJMukW2,CSPap.so
User2,1865063,Password,RfkqkMruqM2,CSPap.so

In attempting to write pipeline rules to properly break up and label all these values, the issue I’m running into is that there doesn’t seem to be any functionality that allows me to loop through all lines ingested to apply these rules. Using a lookup table to temporarily store and process won’t work for me either, as the CSV I’m ingesting uses no quote characters and the CSV data adapter doesn’t seem to like this.

Is there any way to loop through pipeline rules in the current Graylog version that I’m not seeing? Or am I approaching this the wrong way entirely?

Thank you-

You would send each line from the CSV file to Graylog (for example with Filebeat) and can process each message with a Grok pattern matching the columns of your CSV file.
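
The Grok approach suggested above, as an added example that is not part of the original thread: a Python check that expands a Grok pattern for the five-column sample into a regular expression and runs it over the sample rows, so the pattern can be validated offline before it is saved in Graylog. The pattern `CSV_GROK` and the helper names are assumptions made for illustration; the INT, DATA and GREEDYDATA definitions are the ones from the stock Grok pattern set.

```python
import re

# Definitions of the three stock Grok patterns used below.
GROK_BASE = {
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}

# Hypothetical pattern for the five-column sample in the first post.
CSV_GROK = ("^%{DATA:ID},%{INT:AuditIndex},%{DATA:Authentication},"
            "%{DATA:CSPSessionID},%{GREEDYDATA:ClientExecutableName}$")


def grok_to_regex(pattern):
    """Expand %{NAME:field} references into Python named groups."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        return "(?P<%s>%s)" % (field, GROK_BASE[name])
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, pattern))


def parse_line(line, regex=grok_to_regex(CSV_GROK)):
    """Return a dict of fields, or None when the line does not match.
    The header row fails because its AuditIndex column is not an integer,
    and rows with too few columns fail on the missing commas."""
    m = regex.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


# Sample rows copied from the first post (header included on purpose).
SAMPLE = """ID,AuditIndex,Authentication,CSPSessionID,ClientExecutableName
User1,1865062,Password,WjqwJMukW2,CSPap.so
User2,1865063,Password,RfkqkMruqM2,CSPap.so
"""


def parse_all(text):
    """Parse every line, dropping the ones the pattern rejects."""
    return [f for f in map(parse_line, text.splitlines()) if f]


if __name__ == "__main__":
    for fields in parse_all(SAMPLE):
        print(fields)
```

Lines that return None here are the ones that would reach Graylog unparsed, so it is worth checking that the header row is the only one rejected.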

If I were to simply echo the contents of the file line-by-line and send via nc, would that accomplish the same thing more or less?

Yes, as long as you’ve started an input receiving this data in Graylog (e.g. Raw/Plaintext TCP or UDP).

Hi again,

My apologies for my ignorance and hopefully it’s okay I’m responding a week after the thread was opened - I can’t seem to get a Grok pattern figured out for the CSV I’m ingesting. I can’t seem to find any samples or anyone else needing the same things on the forum, either. I feel like I must be looking at this the wrong way.

Example of the data formatting-

ID,AuditIndex,AuthType
1865062,904456,Password

What did you try so far and what was the result?

Hi,

I wrote a small grok pattern just as a sort of test to see if it would parse out the first field of my data, and it does - however upon trying to save the pattern I get this error kicked back from Graylog:

Could not save Grok pattern
Saving Grok pattern “CSV test 1” failed with status: cannot POST http://10.10.50.30:9000/api/system/grok (400)

I assumed this was a problem with my pattern but is there maybe a larger issue with my Graylog install?

Check the logs of your Graylog nodes.
http://docs.graylog.org/en/2.4/pages/configuration/file_location.html

Thanks man, will do. Appreciate it
