Parsing syslog messages

(John Reyes) #1

Hey there

is there a way to set the source in the syslog message to be the ip form which it arrived, and not the one the device enters as source?

i have a lot of devices, that sets their username as source, instead of their ip or hostname, which makes it very difficult to extrapolate the logs…

b4 i used netxms as syslog parser, and i could change it so…

(Jochen) #2

Yes, you could copy the content of the “gl2_remote_ip” field (which contains the IP address of the client which sent the message to Graylog) into the “source” field using a Copy Input extractor or a pipeline rule (set_field()).

(John Reyes) #3


im new to graylog, but i will give it a go

(John Reyes) #4

hmmm any pointers, or ref to the documentation?

cant seem to figure out how to build the extractor (which field, and what type?)

(Jochen) #5

I mentioned the field names and the Extractor type in my first post…

(John Reyes) #6

hmmm here is an example of the messages that does the problems:

i dont see the gl2_remote_ip field? or any other field i can extract the source ip from.

sorry for sounding n00b, but im all new to graylog

(Jochen) #7

Fields prefixed with “gl2_” are hidden by default.

I’d recommend using a pipeline rule to to overwrite the “source” field.

(system) #8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.