Parsing Data from Multiple Sources


(Travis) #1

We have a Graylog 2.2.1 install that’s running well, but I’m struggling to understand how to go about parsing message data into specific fields when multiple message sources are involved and each of those sources has a different format. I’ve got our spam filter sending syslog data to rsyslog, which is running on our Graylog node – rsyslog then forwards the messages on to a Graylog Syslog UDP input. I set up extractors on that Graylog input to parse the spam filter syslog message and split the data into fields so that I can create dashboards from the data and to make the GeoIP processing work, but those extractors are specific to the spam filter’s message format.

How do I set up Graylog in a way that’s scalable and flexible enough to handle a large number of syslog sources, each with different needs for extracting message data into specific fields? It seems excessive to create an input running on a different port for each device sending data


(Jan Doberstein) #2

Hej @TechGy

you could for example create for each specific Source one Input that hold only the extractors. Or just use the Processing Pipelines for that and use the ability to run separation on various fields and values.