Source Name Identification

mr_m_cox · March 22, 2017, 12:17pm

Hi All,

I have got graylog configured to get both Windows Event Log and IIS logs.

The problem I have is that it is showing two different sources, The IIS source is the machine name and the Event Logs are the FQDN of the server (machinename.domain.com).

How can I get it to use one or the other for all logs from a given server, irrelevant of source within that server?

Thanks.

maniel · March 22, 2017, 1:22pm

you can always set source field with an extractor (you can emulate simple if with conditional extraction) or pipeline rule

mr_m_cox · March 22, 2017, 1:27pm

Hi,

Thanks for the reply.

That sounds great, could you explain a little more or link to a good doc about this

Thanks.

maniel · March 22, 2017, 1:45pm

In my case, due to deployment through docker and it’s internal network magic my UTMs got mixed up and had weird IP’s in their source field, but I was able to identify each by other data like serial number etc, so i made couple extractors, one for each UTM, which are assigning some arbitrary text to source field, like fw1, fw2 basing on existence of sn=serialnumber text in message field,
so you can make a “Replace with regular expression” type extractor for source field, selecting “Only attempt extraction if field contains string” and insert source name you want to change, “.*” in “Regular expression” field and desired source name in “Replacement” field, that’s all

mr_m_cox · March 22, 2017, 1:49pm

OK, so will that mean that on the sources page my listed “Selected Sources” wont duplicate or will it still see two?

mr_m_cox · March 22, 2017, 1:50pm

I can answer that, I now have 4!

name
name.domain
name.domain
name.domain.domain

maniel · March 22, 2017, 1:52pm

sources page lists things from source field of your messages, so setting this field for all future messages to desired name means you’ll see only desired name in this page

mr_m_cox · March 22, 2017, 1:59pm

ok cool, thanks.

Anyway to purge the sources on demand to clear any that no longer exist? I assume with the extractor in place it should clear some.

maniel · March 22, 2017, 2:06pm

by default it shows last hour’s messages’ sources, extractors doesn’t work with old messages (no way to change past messages), so if you fixed the problem with (working) extractortor you can get rid of old source names by deleting old messages or just wait

mr_m_cox · March 22, 2017, 2:10pm

The problem I am having is that the extractor is applying to both-

name
name.domain

meaning I end up with
name.domain.domain.

maniel · March 22, 2017, 2:25pm

because it matches both occurrences, try regular expression condition, be sure to create expression matching only one occurrence, without “.domain”

Topic		Replies	Views
Replacing the Name in the Source Field Graylog Central (peer support)	6	6356	November 8, 2019
Messaging pipeline not changing the source field Graylog Central (peer support)	3	1720	March 3, 2018
Souce name resolution OR change name of sources Graylog Central (peer support)	1	3033	March 27, 2017
Tracking message source when using output to forward to another Graylog server Graylog Central (peer support)	10	927	February 18, 2022
Domain name in source field? Graylog Central (peer support) pipeline-rules	13	5869	September 25, 2021

Source Name Identification

Related topics