Parsing Logs On Graylog

Good day dear friends, please, I am new on Graylog. I have been able to successfully forward logs to Graylog, but I can only see the raw logs under “message”. Please, how do I extract the fields I would like to see from the message, fields like source IP, destination IP, source and destination ports and all? Thanks

You can create custom extractors or pipeline rules to split the raw log message into the structured attributes you want to query.

Thanks, I checked the documentation already. It worked for the test message, but I was expecting to see the field I created when I check System > Inputs and click on a stream, but it still didn't.

Is there a way I can make the field global so I would be able to query it anywhere? Thanks

Thanks guys, I got it fixed. I really appreciate it.

Maybe you could describe what the issue was and how you’ve fixed it, so that other users can profit from your knowledge. :wink:

Okay, I will; thanks.

I made use of extractors…

  1. Navigate to System > Inputs > (click on the Stream you want) > Manage Extractors > Create your own extractor.
  2. I added this under the grok pattern: `src=%{IP:Source}` and I extracted it.
  3. Went back to Start Input to refresh and see the changes made.
  4. Then I showed the received messages and it worked perfectly fine.

I hope this works for you guys. I would keep working on the others though: source and destination ports and all.
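The same extraction written as a Graylog pipeline rule, as an added example that is not from the thread: it extends the `src=%{IP:Source}` grok pattern above to the destination IP and both ports, and because a pipeline is connected to a stream (the "All messages" stream, if the fields should be available everywhere) it also answers the "global field" question. The `dst=`, `sport=` and `dport=` key names, the output field names and the sample line format are assumptions about the firewall log.

```graylog
// Added example, not from the original thread.
// Assumed log format: "... src=10.0.0.5 dst=203.0.113.9 sport=51234 dport=443 ..."
rule "firewall: extract source/destination address and port"
when
    // Only fire when all four keys are present, so grok never returns an empty map
    // and the port conversions below never see a missing value (IPv4 only here).
    has_field("message") &&
    regex("src=[0-9.]+ dst=[0-9.]+ sport=[0-9]+ dport=[0-9]+", to_string($message.message)).matches
then
    // Same grok syntax as in the extractor; only_named_captures keeps just the names given here.
    let fw = grok(
        pattern: "src=%{IP:source_ip} dst=%{IP:destination_ip} sport=%{INT:source_port} dport=%{INT:destination_port}",
        value: to_string($message.message),
        only_named_captures: true
    );
    // Writes source_ip, destination_ip, source_port, destination_port onto the message.
    set_fields(fw);
    // Grok captures are strings; store the ports as numbers so range searches work.
    set_field("source_port", to_long(fw["source_port"]));
    set_field("destination_port", to_long(fw["destination_port"]));
end
```

Connect the pipeline containing this rule to the stream under System > Pipelines > Manage connections; the fields then appear on every message of that stream, not only on the one input where an extractor was defined.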
