Parsing syslog messages


(John Reyes) #1

Hey there

Is there a way to set the source in the syslog message to be the IP from which it arrived, and not the one the device enters as source?

I have a lot of devices that set their username as source, instead of their IP or hostname, which makes it very difficult to extrapolate the logs…

Before, I used NetXMS as syslog parser, and I could change it so…


(Jochen) #2

Yes, you could copy the content of the “gl2_remote_ip” field (which contains the IP address of the client which sent the message to Graylog) into the “source” field using a Copy Input extractor or a pipeline rule (set_field()).


(John Reyes) #3

Thanks!

I'm new to Graylog, but I will give it a go.


(John Reyes) #4

Hmmm, any pointers, or ref to the documentation?

Can't seem to figure out how to build the extractor (which field, and what type?)


(Jochen) #5

I mentioned the field names and the Extractor type in my first post…


(John Reyes) #6

Hmmm, here is an example of the messages that cause the problems:

I don't see the gl2_remote_ip field? Or any other field I can extract the source IP from.

Sorry for sounding n00b, but I'm all new to Graylog.


(Jochen) #7

Fields prefixed with “gl2_” are hidden by default.

I’d recommend using a pipeline rule to overwrite the “source” field.
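
A pipeline rule along the lines suggested in this thread, added here as an example and not posted by any participant. The rule name and the `reported_source` field are assumptions chosen for illustration; the rule only takes effect once it is placed in a pipeline stage connected to the stream that receives these messages.

```graylog
rule "use sender IP as source"
when
  // gl2_remote_ip is set by Graylog for network inputs; it is hidden in the
  // default message view but still available to pipeline rules.
  has_field("gl2_remote_ip")
then
  // Keep the value the device put in the syslog header (here: a username)
  // in a separate field, so it is not lost when "source" is overwritten.
  // "reported_source" is a hypothetical field name.
  set_field("reported_source", to_string($message.source));

  // Replace the device-supplied source with the address Graylog observed
  // the message arriving from.
  set_field("source", to_string($message.gl2_remote_ip));
end
```

If the devices send through a syslog relay or NAT, `gl2_remote_ip` holds the relay's address rather than the originating device's, which is one reason to keep the original value alongside it.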

