Syslog TCP input normalization

Running version 4.2x.
I know in the past I could disable the normalization of logs on the input syslog TCP, I think it was using KV, but I can't remember where I could disable or remove that now. Because all fields get in as string and I want to use pipeline rules I created for the normalization. Maybe it's not possible now in newer versions of Graylog to disable/remove that default parsing? Sure, I can use a raw syslog input for this…

// Anders

Hello @dio99

Only thing with the newer version that I see is “Delete” an extractor or pause the INPUT.

It’s not clear to me on what you end goal is, could you explain it in greater detail?

Hello, I want to use my own rules to normalize the logs that are normalized on the syslog TCP input; by default it parses them and sets all fields to string.
So I want to stop the parsing that is done on the syslog input by default. This is not in any extractor, since that is empty.

Hello,

I see. If you are referring to the default fields such as timestamp, message, etc., then you would need to create a new index template and attach it to a new index set.

Here are a couple of ideas depending on this environment. It is possible to change specific field types from string to integer (or float). This can be done using the curl command in Elasticsearch.

Examples:

First you would get the mapping

curl -X GET "localhost:9200/graylog_1600/_mapping?pretty"

Then adjust those fields as needed.

curl -X PUT "localhost:9200/graylog_1600/_mapping?pretty" -H 'Content-Type: application/json' -d'
{
  "properties": {
    "email": {
      "type": "integer"
    }
  }
}
'

Or use a Pipeline something like this.

If you're going the pipeline route, @tmacgbay would know better than I would.

Hope that helps
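For the pipeline route mentioned above, here is an added example of a Graylog pipeline rule (not code from the thread or from the Graylog project). It assumes the input still delivers the raw text in the `message` field, that the text carries `key=value` pairs separated by spaces, and that a field named `src_port` exists in that text; the rule and field names are made up for illustration. It uses the built-in functions `has_field`, `key_value`, `set_fields`, `to_long` and `set_field`, and shows the point the replies make: the type is decided when the field is written, so converting to a number in the rule keeps it from landing in the index as a string.

```graylog
rule "normalize kv syslog and type numeric fields"
when
  // only act on messages that actually carry a raw text payload
  has_field("message")
then
  // parse "k=v k2=v2" pairs out of the raw syslog text into a map
  // (delimiters assumed: space between pairs, "=" between key and value)
  let kv = key_value(to_string($message.message), " ", "=");
  // write every parsed pair onto the message as a field
  set_fields(kv);
  // re-write the numeric field with an explicit long type so the index
  // mapping is created as a number, not a string; 0 is the fallback if
  // the value does not parse (src_port is an assumed field name)
  set_field("src_port", to_long($message.src_port, 0));
end
```

Attach the rule to a pipeline stage connected to the stream that the syslog TCP input feeds. Because the conversion happens per message, the index set's existing mapping for an already-indexed string field is not changed by this rule; new fields, or fields in a fresh index after rotation, are what pick up the numeric type.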
