Hi Jan,
Please see below a sample message from our Cisco ASA. My requirement is to correct the source field to show "Cisco-ASA" instead of "Nov", which is what Graylog shows currently.
So, in order to fix / overwrite the source field of my incoming Cisco syslog messages, I wrote the below 3 pipeline rules (per your advice on other similar posts) and tried each of them one by one, yet none of them were able to overwrite the source field. The source in the messages still continues to show as Nov (month). Can you please help with what is wrong with the below pipeline rules? Do we need to reboot or run sudo graylog-ctl reconfigure after adding pipeline rules for them to take effect?
rule "Correct CiscoASA hostname"
when
has_field("local_facility") AND contains( "asa")
then
set_field("source", "Cisco-ASA");
end
OR
rule "Correct CiscoASA hostname"
when
has_field("source") AND contains( "Nov")
then
set_field("source", "Cisco-ASA");
end
OR
rule "Correct CiscoASA hostname"
when
contains(to_string($message.gl2_remote_ip), "192.168.1.10")
then
set_field("source", "Cisco-ASA");
end
Sample message:
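As an added example (not the poster's sample message and not one of the three rules above), here is how the same correction can be written so that it parses and evaluates in the Graylog pipeline rule language. In Graylog, contains() takes two arguments, the value to search and the substring, so a call like contains("asa") with a single argument is rejected when the rule is saved. The rule below first checks that the message arrived from the firewall's address (192.168.1.10, the address used in the poster's third rule, assumed here to be the ASA) and that the source field was parsed as "Nov"; the match on "%ASA-" in the message body is an assumption about what the Cisco ASA log lines contain.

```graylog
rule "Correct CiscoASA hostname"
when
  // only touch messages that came from the firewall's IP
  // (192.168.1.10 is taken from the question and assumed to be the ASA)
  to_string($message.gl2_remote_ip) == "192.168.1.10"
  AND
  // and whose source was mis-parsed from the timestamp
  // (the second condition assumes the ASA message body carries "%ASA-")
  (
    to_string($message.source) == "Nov"
    OR contains(to_string($message.message), "%ASA-")
  )
then
  // overwrite the parsed source with a fixed hostname
  set_field("source", "Cisco-ASA");
end
```

A saved rule does nothing by itself: it has to be added to a stage of a pipeline, and that pipeline has to be connected to the stream the ASA messages land in (for example "All messages"). No reboot and no graylog-ctl reconfigure is needed; rules take effect as soon as they are saved and connected. If the rule still never fires, check the Message Processors Configuration under System > Configurations and make sure the Pipeline Processor runs after the Message Filter Chain, since otherwise fields such as source are not yet populated when the rule is evaluated. Because the check is restricted to one remote IP, it cannot relabel messages from any other host, which limits the blast radius if the condition on the message body is ever too broad.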