Mapping fields of a string message

Good morning everyone, I’m new to Graylog and I’m struggling a bit with the parsing of messages. I tried to read some documentation and various posts/videos and I understood that I should use pipelines instead of extractors (?)

I’m receiving syslogs from a Sonicwall Firewall, and the example messages are structured like this:

id=Sonicwall sn=1234567890 time="2025-03-03 11:20:26" fw=X.X.X.X pri=6 c=16 gcat=4 m=994 msg="Configuration mode administration session started" src=X.X.X.X::X0 dst=X.X.X.X:1234:X0 usr="admin" proto=tcp/1234 note="admin at SonicOS API from X.X.X.X" n=2

The search function is fantastic but I’d like to be able to split these values so that I can search for e.g. “gcat” as a key instead of just a text

Luckily the log is already composed of keys and values, but unfortunately there are some spaces inside the values and I don’t know how to manage these. I’m trying with some grok patterns and I can extract something, but I was wondering if you think this is the right way? Do you have any suggestion about the best/easiest way to handle messages like this?

Thanks in advance for your kind help!
Paolo

Don’t use GROK, use the built-in KV function: “Key Value Parser Delivers Useful Information Fast”


I’m sorry if I made you lose time, I excluded the key-value parser because of the spaces between quotes and I thought I had to manage them, but apparently the built-in KV function understands them. Tried this and worked really well, thank you very much!

rule "Parse SonicWall Logs"
when
    has_field("message")
then
    // key_value() splits the raw message on spaces and each pair on "=";
    // double-quoted values such as msg="..." are kept whole
    let parsed = key_value(
        value: to_string($message.message),
        delimiters: " ",
        kv_delimiters: "="
    );
    // write every extracted pair to the message as its own searchable field
    set_fields(parsed);
end
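To make the problem from the first post and the fix from the last one concrete, here is an added Python example (not Paolo’s rule, not Graylog’s own key_value implementation) that parses the SonicWall line once with a naive whitespace split and once with a quote-aware tokenizer, then filters parsed records by the gcat field. The sample message is a constructed copy of the line quoted in the question, and the quote-aware regex is this example’s own approach rather than a description of how Graylog’s built-in function is implemented.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample modelled on the SonicWall syslog line in the question
# (the X.X.X.X addresses are placeholders, as in the original post).
SAMPLE = (
    'id=Sonicwall sn=1234567890 time="2025-03-03 11:20:26" fw=X.X.X.X pri=6 c=16 '
    'gcat=4 m=994 msg="Configuration mode administration session started" '
    'src=X.X.X.X::X0 dst=X.X.X.X:1234:X0 usr="admin" proto=tcp/1234 '
    'note="admin at SonicOS API from X.X.X.X" n=2'
)

# A pair is  key=<double-quoted string, backslash escapes allowed>  or  key=<run of non-space chars>.
# The quoted alternative is tried first, so a value like msg="a b c" is consumed as one token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def naive_kv(message: str) -> Dict[str, str]:
    """Split on whitespace, then on the first '='.

    This is what a grok/space-split approach does and it breaks on quoted
    values that contain spaces: msg becomes '"Configuration' and the rest of
    the sentence is thrown away because those tokens carry no '='.
    """
    fields: Dict[str, str] = {}
    for token in message.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def quoted_kv(message: str) -> Dict[str, str]:
    """Quote-aware key=value parser: quoted values keep their spaces, quotes are stripped."""
    fields: Dict[str, str] = {}
    for match in KV_RE.finditer(message):
        key, raw = match.group(1), match.group(2)
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')  # unescape embedded quotes
        fields[key] = raw
    return fields


def select(messages: Iterable[str], key: str, value: str) -> List[Dict[str, str]]:
    """Return the parsed records whose field `key` equals `value` (a key-based search, not a text search)."""
    return [fields for fields in map(quoted_kv, messages) if fields.get(key) == value]


if __name__ == "__main__":
    print("naive msg   :", naive_kv(SAMPLE)["msg"])
    print("quoted msg  :", quoted_kv(SAMPLE)["msg"])
    print("gcat=4 hits :", len(select([SAMPLE], "gcat", "4")))
```

Running it shows the naive parser returning a truncated msg and time while the quote-aware one yields fifteen clean fields, so a search on gcat or usr as a key returns the whole event rather than a fragment.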
