Reprocessing logs


Hi !

I have a graylog 2.5 deployed, which receives logs from network equipments. Each kind of equipment has a different input, and received logs are processed by grok patterns.
After some modification on the grok pattern of an equipment, I have to reprocess at least a part of the log with the new grok extractor.

  1. Since I have found no way to reprocess logs from the Graylog interface, my idea is to remove the log to reprocess from the elasticsearch DB, and to reinject them to graylog. Do you think it’s the right way to do it ?

EDIT : about the 2, with an extractor, I have been able to define the right timestamp, so this point is done
2) Currently I work on a test infra. When I want to inject my logs inside my test graylog, of course, the timestamp given by graylog is the current one and not the one from the logs. Since the timestamp is also defined inside the log entries by the network equipments, my idea is to get it, with my grok pattern. So inside my grok pattern, I have written something like “%{NOCOMMA:timestamp}” (it’s in a field delimited by commas). However, my logs don’t seem to have the good timestamp. Do I need to add something ?

Cheers :slight_smile:


(Jan Doberstein) #2

reprocessing of logs is not possible. Graylog (and ELK) does not allow to reprocess logs as the original logs are not saved somewhere.