Sophos UTM 9 extractors for standard syslog fields
@mbunkus
Graylog extractors for Sophos UTM 9 standard syslog fields
The Sophos UTM remote syslog feature sends messages in a non-standard format, so Graylog's syslog inputs cannot parse them directly. Importing these messages into Graylog requires a “Raw/plain text” input (TCP or UDP both work) together with extractors that parse each line into the standard syslog fields.
The extractors in this repository do the following:

1. Extract the fields `facility`, `level`, `source`, `application_name` and `process_id` (the latter only if present in the line; kernel messages, for example, carry no process id).
2. Modify the `message` field so that it no longer contains the fields extracted in step 1.
Because the change in step 2 is destructive (it removes the header parts that the other extractors read), the extractor named `Syslog field "message"` must be the last extractor in the list.
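The following Python snippet is an added illustration of the two steps above and of why the message rewrite has to run last; it is not one of the repository's extractors. The line layout it assumes (`<PRI>YYYY:MM:DD-HH:MM:SS host app[pid]: message`, with `[pid]` absent for kernel messages) and the sample lines are constructed assumptions, not taken from this page.

```python
import re
from typing import Optional

# Assumed Sophos UTM 9 remote-syslog line shape (an assumption for this example):
#   <PRI>YYYY:MM:DD-HH:MM:SS host app[pid]: message
# The "[pid]" part is absent for kernel messages.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) "
    r"(?P<source>\S+) "
    r"(?P<app>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)


def parse_utm_line(line: str) -> Optional[dict]:
    """Step 1: return the standard syslog fields for one line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,  # RFC 3164: PRI = facility * 8 + severity
        "level": pri & 7,
        "source": m.group("source"),
        "application_name": m.group("app"),
        "process_id": int(m.group("pid")) if m.group("pid") else None,  # None for kernel lines
        "timestamp": m.group("ts"),
        "message": m.group("message"),
    }


def strip_header(line: str) -> str:
    """Step 2: rewrite the message so it no longer carries the fields extracted in step 1.
    Lines that do not match are returned unchanged."""
    m = LINE_RE.match(line)
    return m.group("message") if m else line


# Constructed sample lines (not real UTM output)
SAMPLE_LINES = [
    '<30>2017:01:23-09:46:27 utm ulogd[5042]: id="2001" severity="info" sys="SecureNet" action="drop"',
    "<4>2017:01:23-09:46:30 utm kernel: [12345.678] eth0: link down",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(parse_utm_line(raw))
        print(strip_header(raw))
        # Running step 2 first leaves nothing for step 1 to extract:
        print(parse_utm_line(strip_header(raw)))  # None
```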