Source Field shows wrong value


(Steffen) #1

Hello all,

I read all the similar topics here in the community but nothing helped me…


How can I change the value of the default source field? I have some firewalls and an FTP server; they have the log date in the source field instead of the device name. I want to change that.


In the message field I have the key-value pair devname=blablabla and I would like to have that “blablabla” in my source field in general.


What is the easiest way to implement this? Which extractor should I use and what should it look like?


Thank you so much!


BR
Steffen


(Jochen) #2

I assume that you’re using a Syslog UDP or TCP input to ingest these messages.

If the automatic heuristic doesn’t extract all fields correctly, you can store the raw message (see configuration settings of the Syslog input) and use extractors (regular expression or Grok) to extract the correct fields.


(Steffen) #3

Hi Jochen,
thanks for your quick response.
That is a good idea, thank you! I’ve changed the input for the FWs now to Raw/Plaintext UDP.

After that I got the IP address in the source field. That’s much better than the date of the log.
To pick the device name out of the message field I used a Grok pattern extractor.

It would be nice if I could now replace the IP in the source field with the device name.

Thank you!


(Jochen) #4

If the device name is part of the syslog message, you can extract it (using a regular expression or Grok patterns) and put it into the “source” message field.
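One way to dry-run such an extractor before configuring it in Graylog, as an added example that is not part of the thread: the Grok pattern `devname=%{NOTSPACE:source}` is expanded to its regex form and applied to constructed firewall and FTP log lines. The message dictionaries, the two Grok primitives and the quote stripping are assumptions, not Graylog's own code.

```python
import re

# Grok primitives used below, expanded to their regex form.
# Assumption: mirrors the built-in NOTSPACE and GREEDYDATA definitions.
GROK_PRIMITIVES = {
    "NOTSPACE": r"\S+",
    "GREEDYDATA": r".*",
}

# The extractor pattern from the thread's approach: capture everything after
# "devname=" up to the next space into a field named "source".
GROK_PATTERN = "devname=%{NOTSPACE:source}"


def grok_to_regex(pattern: str) -> re.Pattern:
    """Translate %{NAME:field} tokens into named regex groups."""
    def repl(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        return f"(?P<{field}>{GROK_PRIMITIVES[name]})"
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", repl, pattern))


def apply_source_extractor(message: dict) -> dict:
    """Overwrite 'source' with the devname= value when present.

    Messages without devname (e.g. the FTP server) keep the sender IP that
    the raw input placed in 'source', so no message loses its origin.
    Surrounding quotes (some firewalls write devname="fw01") are stripped.
    """
    m = grok_to_regex(GROK_PATTERN).search(message["message"])
    if m:
        message = dict(message, source=m.group("source").strip('"'))
    return message


# Constructed sample messages (not from the thread). 'source' holds the
# sender IP as a Raw/Plaintext UDP input would set it.
SAMPLES = [
    {"source": "192.0.2.10",
     "message": "date=2019-01-01 time=12:00:00 devname=fw-hq-01 devid=X type=traffic"},
    {"source": "192.0.2.11",
     "message": 'date=2019-01-01 time=12:00:01 devname="fw-branch-02" action=accept'},
    {"source": "192.0.2.12",
     "message": "STOR file.txt 226 Transfer complete"},  # FTP line, no devname
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(apply_source_extractor(msg)["source"])
```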


(system) #5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.