Need help creating a data visualization based on data across different logs

We have FTP logs that we are aggregating in Graylog. The logs are formatted as such:
<Date/Time> User has logged in
<Date/Time> Added file
<Date/Time> Deleted file
etc.

What I would like to do is create a visualization, like a dashboard widget, that would basically look for the log that contains the user who has logged in and replace session IDs with that user name. Is there any guidance on how I can make this happen?

Thanks in advance.

Can you give an example of incoming logs that need translation?

Do you have a data file or something similar that translates session ID to username?

The session IDs are assigned as they come in, so I can’t just create a flat file with them. I thought about using a pipeline to find messages with the word User and use a regex to pull the user name, but I can’t find a way to associate it with the session IDs of other messages coming in.

Is there a way to add fields post-processing, like while I’m building the dashboard itself?

[02] Wed 09Mar22 15:17:03 - (000108) User “” logged in
[10] Wed 09Mar22 15:17:18 - (000108) Sending file
[12] Wed 09Mar22 15:42:29 - (000108) File deleted: “”

I don’t know of a way to connect them post-processing. It’s possible to set up a relatively static Lookup table or even make it dynamic (store values in MongoDB) if you have the enterprise license (free for <= 2GB). I still am not clear on what a message would look like or where you get the connecting data for session ID to name.
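
The correlation asked about in this thread (take the user name from the login line and attach it to later lines carrying the same session ID) can also be done on the log lines before they are sent to Graylog. The sketch below is an added example, not code from any poster or from Graylog; the line layout follows the three sample lines quoted above, while the user names, file name, session 000109 and the function name `enrich` are constructed for illustration.

```python
import re

# Layout taken from the sample lines in the thread:
# [02] Wed 09Mar22 15:17:03 - (000108) User "name" logged in
LINE_RE = re.compile(
    r'^\[(?P<code>\d+)\] (?P<ts>\w{3} \d{2}\w{3}\d{2} [\d:]{8}) - '
    r'\((?P<session>\d+)\) (?P<msg>.*)$')
# Accept straight or typographic quotes around the user name.
LOGIN_RE = re.compile(r'^User ["“](?P<user>[^"”]*)["”] logged in$')

# Constructed sample input (values are not from the thread).
SAMPLE = [
    '[02] Wed 09Mar22 15:17:03 - (000108) User "alice" logged in',
    '[10] Wed 09Mar22 15:17:18 - (000108) Sending file',
    '[10] Wed 09Mar22 15:17:20 - (000109) Sending file',
    'line that does not follow the layout',
    '[12] Wed 09Mar22 15:42:29 - (000108) File deleted: "report.csv"',
    '[02] Wed 09Mar22 16:00:00 - (000108) User "bob" logged in',
    '[10] Wed 09Mar22 16:00:05 - (000108) Sending file',
]

def enrich(lines):
    """Return one dict per parsable line, with a 'user' field added."""
    sessions = {}  # session ID -> user name from the most recent login
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not in the expected layout; skipped in this sketch
        event = m.groupdict()
        login = LOGIN_RE.match(event["msg"])
        if login:
            # A new login replaces the older mapping, so a reused session
            # ID is attributed to the new user from this line onward.
            sessions[event["session"]] = login.group("user")
        # None marks activity on a session whose login line was never seen.
        event["user"] = sessions.get(event["session"])
        events.append(event)
    return events

if __name__ == "__main__":
    for e in enrich(SAMPLE):
        print(e["ts"], e["session"], e["user"], e["msg"], sep=" | ")
```

Each returned dict can then be shipped as a structured message so that `user` arrives in Graylog as its own field and can be used directly in a dashboard widget.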
