Old content pack import failed in graylog 4.3

tmacgbay · January 5, 2023, 4:10am

If that is your plan, you really need to be super efficient. I see this as working out in stages…

Pipeline rules Stage One - break out the following into fields:
(allowing the message to pass to stage two if at least one rule matches)

syslog_priority
syslog_version
timestamp_c (don’t get it confused with the Graylog Timestamp)
log_type

Then in Stage Two you can create a series of rules that only act on the message if it’s relevant so here are examples:

rule "Cisco - LineProto"
when
   to_string($message.log_type) == "LINEPROTO-5-UPDOWN"
then
   <script that GROK's the data after LINEPROTO-5-UPDOWN into the correct fields>
end

rule "Cisco - Link-Updown"
when
   to_string($message.log_type) == "LINK-3-UPDOWN"
then
   <script that GROK's the data after LINK-3-UPDOWN into the correct fields>
end

rule "Cisco - Link-Changed"
when
   to_string($message.log_type) == "LINK-5-CHANGED"
then
   <script that GROK's the data after LINK-5-CHANGED into the correct fields>
end

Topic		Replies	Views
How to collect cisco switch log on graylog? Graylog Central (peer support)	11	25102	January 23, 2018
Cisco Catalyst switch log on Graylog 2.4.5 Graylog Central (peer support)	3	1823	July 27, 2018
Cisco Catalyst for Graylog Content Pack content-pack	0	3232	March 7, 2022
How to collect cisco wlc logs to Graylog Content Pack content-pack	1	2215	September 28, 2022
Cisco Logs \| Graylog Graylog Central (peer support)	11	6846	February 3, 2018

Old content pack import failed in graylog 4.3

Related topics