Log Extractor Help

I am new to Graylog, so please be gentle.

OS: Debian 11
Version: Graylog v5.0.6

I am pulling in logs from Cimtrak; I have the input set up and the logs are coming in. So I am trying to set up an extractor, so they are easier to read as well as to create dashboards and notifications.

example log -

<134>CEF:0|Cimcor|CimTrak|4.1.30.0|S_LOGMSG_0000000045|Syncing of monitored object group has started.|| start=2023-04-10 17:38:07 deviceExternalId=sash->live-server->www cimtrakUser=live-server(c44229b0-6d10-4ed5-ba81-bb77a973f69a) src=10.64.1.24 shost=live-server filePath=/var/www/vhosts/xxxxxxx/httpdocs/app/design/frontend/default/xxxxxx/template/xxxxxx/customer cs2Label=Raw Data cs2=Sync Started

I was trying to use Grok to segment the data, but I do not think I am doing this right.

%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:message}
%{WORD:cef} %{NUMBER:cef_id}|%{WORD:cimcor}|%{WORD:cimtrak}|%{VERSION:cimtrak_version}|%{WORD:S_LOGMSG_0000000045}|%{GREEDYDATA:cimtrak_message}
%{WORD:start}=%{TIMESTAMP_ISO8601:start_time}
%{WORD:deviceExternalId}=%{WORD:device_external_id}
%{WORD:cimtrakUser}=%{WORD:cimtrak_user}
%{WORD:src}=%{IPADDRESS:src_ip}
%{WORD:shost}=%{WORD:shost}
%{WORD:filePath}=%{WORD:file_path}
%{WORD:cs2Label}=%{WORD:cs2_label}
%{WORD:cs2}=%{WORD:cs2}

Any suggestions, or a pointer in the right direction, would be greatly appreciated.

Thanks
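A CEF line like the one above has two parts: a pipe-delimited header (version, vendor, product, device version, signature id, name, severity) and an extension of key=value pairs in which values may contain spaces (cs2Label=Raw Data, cs2=Sync Started) and characters such as ">" or "/" that %{WORD} will not match. The script below is an added example written for this thread, not code from the original post or from Graylog or Cimcor; it parses the posted sample (embedded as a constructed string) into a flat dictionary the way an extractor or pipeline stage would need to, honouring CEF's "\|" and "\=" escapes and peeling off the leading syslog priority.

```python
import re
from typing import Dict, Tuple

# Constructed sample: the CimTrak line from the post, path masking kept as given.
SAMPLE = (
    "<134>CEF:0|Cimcor|CimTrak|4.1.30.0|S_LOGMSG_0000000045|"
    "Syncing of monitored object group has started.|| "
    "start=2023-04-10 17:38:07 deviceExternalId=sash->live-server->www "
    "cimtrakUser=live-server(c44229b0-6d10-4ed5-ba81-bb77a973f69a) "
    "src=10.64.1.24 shost=live-server "
    "filePath=/var/www/vhosts/xxxxxxx/httpdocs/app/design/frontend/default/"
    "xxxxxx/template/xxxxxx/customer cs2Label=Raw Data cs2=Sync Started"
)

# Header field names are prefixed/renamed so they never collide with Graylog's
# own core fields (message, timestamp, source).
HEADER_FIELDS = ["cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# An extension key is a run of [A-Za-z0-9_.] followed by "=" that sits at the
# start of the extension or after whitespace; "\=" inside a value never matches.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def split_header(line: str) -> Tuple[Dict[str, str], str]:
    """Split the seven CEF header fields on unescaped '|'; return (header, extension)."""
    parts, buf, i = [], [], 0
    while i < len(line) and len(parts) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # "\|" and "\\" are escapes in the header
            buf.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    if len(parts) < 7:
        raise ValueError("CEF header is missing fields")
    return dict(zip(HEADER_FIELDS, parts)), line[i:]


def unescape_value(value: str) -> str:
    """Undo the two escapes CEF allows in extension values."""
    return value.replace("\\=", "=").replace("\\\\", "\\")


def parse_extension(ext: str) -> Dict[str, str]:
    """Turn 'k1=v with spaces k2=v2' into a dict; a value runs until the next key."""
    ext = ext.strip()
    fields: Dict[str, str] = {}
    keys = list(KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        start = m.end()
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        fields[m.group(1)] = unescape_value(ext[start:end].strip())
    return fields


def parse_cef(line: str) -> Dict[str, str]:
    """Parse an optional syslog <PRI>, the CEF header and the extension into one dict."""
    out: Dict[str, str] = {}
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        out["syslog_facility"] = str(pri // 8)
        out["syslog_severity"] = str(pri % 8)
        line = line[m.end():]
    header, ext = split_header(line)
    if not header["cef_version"].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    out.update(header)
    out.update(parse_extension(ext))
    return out


if __name__ == "__main__":
    for key, val in parse_cef(SAMPLE).items():
        print(f"{key} = {val!r}")
```

The extension keys (start, cs2, filePath, ...) are kept under their vendor names; if you map them onto your own field names, avoid `timestamp` and `message`, which Graylog treats as core fields. The header names are already chosen so that they do not clash.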

Hello && Welcome @robsch56

Have you tried to use different INPUTs (i.e., GELF)? If so, then I see you're trying to create timestamp, message fields. If this is correct, I would change it to something else. Those are elasticsearch/opensearch default fields and sometimes will not take. If you have done this already, I would look into pipelines, which I think would be your best bet for something like this.
