The Sophos UTM remote syslog capabilities use a non-standard message format. Importing these messages into Graylog requires a "Raw/plain text" input (either TCP or UDP will be fine) together with extractors that parse the lines into the standard syslog fields.
The extractors in this repository will do the following:
- Extract the fields, including `process_id` (only if present in the line; e.g. it won't be with kernel messages), and
- modify the `message` field so that it no longer contains the fields extracted in step 1.
As the change in step 2 is destructive, the extractor named `Syslog field "message"` must be the last extractor in the list.
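The following is an added illustration of why the extractor order matters; it is example code written for this page, not the repository's extractors or Graylog's implementation. It models Graylog's behaviour of applying extractors in list order against the current value of the source field, and it assumes a Sophos UTM line layout of `YYYY:MM:DD-HH:MM:SS hostname process[pid]: text` (kernel lines carry no `[pid]`), with the target field names `timestamp`, `source`, `process_name`, `process_id` and `message` chosen here as assumptions. The two sample lines are constructed.

```python
import re

# Constructed sample lines in the assumed Sophos UTM remote syslog layout.
USERLAND_LINE = ('2017:05:21-10:00:00 utm ulogd[5212]: id="2001" severity="info" '
                 'sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop"')
KERNEL_LINE = '2017:05:21-10:00:01 utm kernel: [12345.678901] eth0: link up'

# Each extractor is (target field, regex with one capture group). Like Graylog,
# we run them in list order, each one reading the *current* "message" field.
# Field names other than process_id and message are assumptions for this example.
EXTRACTORS = [
    ("timestamp", re.compile(r"^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) ")),
    ("source", re.compile(r"^\S+ (\S+) ")),
    ("process_name", re.compile(r"^\S+ \S+ ([^\[:]+)")),
    # PID is optional: kernel messages have no "[pid]" and simply yield no match.
    ("process_id", re.compile(r"^\S+ \S+ [^\[:]+\[(\d+)\]:")),
    # Destructive step: overwrite "message" with only the text after the header.
    # Once this has run, no later extractor can see the header any more.
    ("message", re.compile(r"^\S+ \S+ [^:]+: (.*)$")),
]


def run_extractors(line, extractors=EXTRACTORS):
    """Apply the extractor list to one raw line and return the resulting fields."""
    fields = {"message": line}
    for target, pattern in extractors:
        match = pattern.search(fields["message"])
        if match:
            fields[target] = match.group(1)
    return fields


def message_extractor_is_last(extractors=EXTRACTORS):
    """Ordering check: the only extractor writing to 'message' must be the final one."""
    targets = [target for target, _ in extractors]
    return targets.count("message") == 1 and targets[-1] == "message"


def misordered_extractors():
    """The same extractors with the destructive 'message' rewrite moved to the front."""
    return [EXTRACTORS[-1]] + EXTRACTORS[:-1]


if __name__ == "__main__":
    print(run_extractors(USERLAND_LINE))
    print(run_extractors(KERNEL_LINE))
    # With the message rewrite first, the header is gone before the other
    # extractors run, so process_id is lost and "source" captures garbage.
    print(run_extractors(USERLAND_LINE, misordered_extractors()))
```

Running the correct order against the userland line yields `process_id` `5212` and a `message` starting at `id="2001"`; the kernel line yields no `process_id` at all. With the misordered list the `timestamp` and `process_id` fields are never populated, which is exactly the failure the ordering rule above prevents.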