Parsing Logs On Graylog

(Ayoola Ayooluwa) #1

Good day dear friends, please, I am new to Graylog. I have been able to successfully forward logs to Graylog, but I can only see the raw logs under “message”. Please, how do I extract the fields I would like to see from the message? Fields like source IP, destination IP, source and destination ports and all. Thanks

(Jochen) #2

You can create custom extractors or pipeline rules to split the raw log message into the structured attributes you want to query:

(Ayoola Ayooluwa) #3

Thanks, I checked the documentation already. It worked for the test message, but I was expecting to see the field I created when I check System > Inputs and click on a stream, but it still didn't.

(Ayoola Ayooluwa) #4

Is there a way I can make the field global so I would be able to query it anywhere? Thanks

(Ayoola Ayooluwa) #5

Thanks guys, I got it fixed. I really appreciate it.

(Jochen) #6

Maybe you could describe what the issue was and how you’ve fixed it, so that other users can profit from your knowledge. :wink:

(Ayoola Ayooluwa) #7

Okay, I will; thanks.

(Ayoola Ayooluwa) #8

I made use of extractors…

  1. Navigate to System > Inputs > (Click on the Stream you want) > Manage Extractors > Create your own extractor.
  2. I added this under the grok pattern: src=%{IP:Source} and I extracted it.
  3. Went back to Start Input to refresh and see the changes made.
  4. Then I showed the received messages and it worked perfectly fine.

I hope this works for you guys. I would keep working on others though: source and destination ports and all.
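
An added example, not part of the post above and not Graylog code: a small Python emulation of how a grok pattern such as src=%{IP:Source} turns into a named field, extended to the destination address and ports. The log line, the dst=/spt=/dpt= keys, the extra field names, and the simplified IP (IPv4 only) and INT definitions are assumptions made for the illustration.

```python
import re

# Simplified stand-ins for the stock grok patterns IP (IPv4 only here) and INT.
GROK = {
    "IP": r"(?<!\d)(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
          r"(?:25[0-5]|2[0-4]\d|1?\d?\d)(?!\d)",
    "INT": r"[+-]?\d+",
}

def grok_to_regex(pattern):
    """Expand %{NAME:field} into a named group, %{NAME} into a plain group."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        if name not in GROK:
            raise KeyError(f"unknown grok pattern: {name}")
        body = GROK[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern))

def extract(patterns, message):
    """Apply each pattern independently, like one extractor per field."""
    fields = {}
    for p in patterns:
        m = grok_to_regex(p).search(message)
        if m:  # an extractor that does not match adds no field
            fields.update(m.groupdict())
    return fields

# First pattern is the one from the post; the rest are hypothetical.
PATTERNS = [
    "src=%{IP:Source}",
    "dst=%{IP:Destination}",
    "spt=%{INT:SourcePort}",
    "dpt=%{INT:DestinationPort}",
]

# Constructed sample message; real firewall key names will differ.
SAMPLE = ("<134>fw01 action=allow src=192.0.2.10 spt=51544 "
          "dst=198.51.100.7 dpt=443 proto=tcp")

if __name__ == "__main__":
    for field, value in extract(PATTERNS, SAMPLE).items():
        print(f"{field}: {value}")
```

A value that is not a valid IPv4 address (for example src=999.1.1.1) produces no Source field, which is the same reason a field can be missing on some messages after an extractor is saved.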

(system) closed #9

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.