Replacing the Name in the Source Field

Hi all, sorry for posting about something that’s been asked before, but I’ve been through the docs and old forum posts, and I don’t seem to be able to figure out my issue.

I’ve set up a UDP syslog listener, and configured a Unifi Controller to send logs from my wireless access points into Graylog. This is working, but the source names are not super descriptive (things like “U7PG2,788a215xcaf5,v4.0.59.10615:”).

I’m trying to set up a pipeline to set the source to something else. Here’s what I’ve done so far:

  1. Under System > Pipelines, I’ve created a new pipeline. The pipeline is connected to the All Messages stream
  2. Under rules, I’ve added a rule to transform the source field. I’ve tried a LOT of different things, here, and haven’t been able to get anything to work. Here’s the current rule I have in place:

rule "AP1"
when
$message.source == "U7PG2,788a215xcaf5,v4.0.59.10615:"
then
set_field("source", "AP1");
end

  3. In stage 0 of the pipeline, I’ve added the rule I created.

I can see in the pipeline that messages are going through, but I don’t see the transformation being applied. I think that I’m missing something somewhere else in the configuration, but I’m not sure where to look next. Can anyone point me in the right direction?

Thanks!

Hello,

  1. You probably didn’t search very hard; check this topic:
    Change source name through pipeline example?

  2. Your rule condition has 2 problems. First, you don’t use the function to_string($message.source), which is necessary. Second, you use too specific a condition; if you update the firmware, your condition will not match. I suggest changing the condition to something more descriptive, like:
    contains(to_string($message.source), "U7PG2,788a215xcaf5") or only
    contains(to_string($message.source), "788a215xcaf5"), which is probably the MAC address of the AP

  3. You can also use a lookup table if you have many APs: create a CSV file and use the function lookup_value()
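To put points 2 and 3 together, here is an added example rule that is not from the thread or from Graylog's own documentation. It keys on the MAC portion of the UniFi source string (the middle comma-separated field) rather than the full string, so it keeps matching across firmware upgrades, and it resolves the MAC through a lookup table instead of one rule per AP. The lookup table name "unifi_ap_names", the CSV column names "mac" and "name", the sample CSV rows, and the extra unifi_* field names are all assumptions for the example; the MAC values are the obfuscated ones quoted in this thread, not real hardware addresses.

```graylog
// Added example, not the thread's own rule.
// Assumes a lookup table named "unifi_ap_names" under System > Lookup Tables,
// backed by a CSV file data adapter with key column "mac" and value column "name".
// Constructed sample CSV (quoted fields, comma separated):
//   "mac","name"
//   "788a215xcaf5","AP1"
//   "788gt050as3w","AP2"
// The UniFi source looks like "<model>,<mac>,<firmware>:", e.g.
// "U7PG2,788a215xcaf5,v4.0.59.10615:", so the rule splits on the commas
// and only the MAC is used as the lookup key.
rule "rename unifi ap source"
when
  has_field("source") &&
  regex("^[^,]+,[^,]+,v[^,]+:$", to_string($message.source)).matches
then
  let parts = regex("^([^,]+),([^,]+),(v[^,]+):$", to_string($message.source));
  let mac = to_string(parts["1"]);

  // Fall back to the bare MAC when it is not in the table, so an AP that was
  // never added to the CSV still gets a readable, stable source value.
  let name = lookup_value("unifi_ap_names", mac, mac);

  // Keep the raw pieces as their own fields so the original identity
  // (model, MAC, firmware) stays searchable after source is rewritten.
  set_field("unifi_model", parts["0"]);
  set_field("unifi_mac", mac);
  set_field("unifi_firmware", parts["2"]);
  set_field("source", name);
end
```

The rule still has to be attached to a stage of a pipeline that is connected to the stream the UniFi messages arrive on (the All messages stream in this thread). Adding a new AP then only means adding a row to the CSV file; the rule itself does not change.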

Hey, thank you so much for the guidance! I managed to get it working as follows:

rule "AP1"
when
to_string($message.source) == "U7PG2,788gt050as3w,v4.0.54.10625:"
then
set_field("source", "AP1");
end

I’ll try using the contains method as you described. I like the idea of not updating the rules when the firmware changes.

Thanks again!

One thing that I noticed, which I think was part of my confusion, is that it seems to take a while for the changes in the pipeline to kick in. I got into work today, after leaving this in its previous state for about 5 days, and found that it was working (using the function to_string($message.source), as you described).

Is there any reason for the delay in changing the pipeline, to seeing the changes in the search?

Hey @brigzzy, as the changes are instant, I guess your messages are not "in sync in time", and that is the reason it appears to be not in sync.

Check the time on your devices

Thanks Jan, that’s definitely the issue. The devices are in UTC, and the Graylog server is in PST. Looks pretty instant now!

Cheers!
