Good morning everyone, I’m new to Graylog and I’m struggling a bit with the parsing of messages. I tried to read some documentation and various posts/videos and I understood that I should use pipelines instead of extractors (?)
I’m receiving syslogs from a Sonicwall Firewall, and the example messages are structured like this:
id=Sonicwall sn=1234567890 time="2025-03-03 11:20:26" fw=X.X.X.X pri=6 c=16 gcat=4 m=994 msg="Configuration mode administration session started" src=X.X.X.X::X0 dst=X.X.X.X:1234:X0 usr="admin" proto=tcp/1234 note="admin at SonicOS API from X.X.X.X" n=2
The search function is fantastic, but I’d like to be able to split these values so that I can search for e.g. “gcat” as a key instead of just as text.
Luckily the log is already composed of keys and values, but unfortunately there are some spaces inside the values and I don’t know how to manage these. I’m trying with some grok patterns and I can extract something, but I was wondering if you think this is the right way. Do you have any suggestions about the best/easiest way to handle messages like this?
Thanks in advance for your kind help!
Paolo
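As an added illustration (not part of the original post), here is a small Python parser for this message format. The tokenising rule it encodes, "a value is either a double-quoted string that may contain spaces, or a run of non-space characters", is exactly what a pipeline rule or grok pattern has to express for these SonicWall lines; the sample message below is constructed from the one in the post, and the choice of which fields to turn into integers is an assumption.

```python
import re
from typing import Dict, Union

# Constructed sample, modelled on the message quoted in the post (addresses masked as there).
SAMPLE = (
    'id=Sonicwall sn=1234567890 time="2025-03-03 11:20:26" fw=X.X.X.X pri=6 c=16 gcat=4 m=994 '
    'msg="Configuration mode administration session started" src=X.X.X.X::X0 dst=X.X.X.X:1234:X0 '
    'usr="admin" proto=tcp/1234 note="admin at SonicOS API from X.X.X.X" n=2'
)

# One key=value pair. The value is either a double-quoted string (spaces allowed,
# backslash-escaped quotes allowed) or a run of non-space characters.
PAIR_RE = re.compile(r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<val>"(?:[^"\\]|\\.)*"|\S+)')

# Assumed: fields worth storing as numbers so range searches work (pri >= 5, gcat = 4, ...).
# "sn" is deliberately left as a string: serial numbers are identifiers, not quantities.
NUMERIC_FIELDS = {"pri", "c", "gcat", "m", "n"}


def parse_sonicwall(line: str) -> Dict[str, Union[str, int]]:
    """Split a SonicWall key=value syslog line into a field dictionary."""
    fields: Dict[str, Union[str, int]] = {}
    for match in PAIR_RE.finditer(line):
        key, raw = match.group("key"), match.group("val")
        if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
            # Drop the surrounding quotes and un-escape any embedded quotes.
            raw = raw[1:-1].replace('\\"', '"')
        if key in NUMERIC_FIELDS and raw.isdigit():
            fields[key] = int(raw)
        else:
            fields[key] = raw
    return fields


if __name__ == "__main__":
    for k, v in parse_sonicwall(SAMPLE).items():
        print(f"{k:6} -> {v!r}")
```

Running it shows `time`, `msg` and `note` kept whole despite their spaces, and `gcat` stored as the integer 4 so it can be searched as a field rather than as text.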