Hello,
I am new around here, hopefully I'll manage to get some answers!!
So, we have a syslog input that receives messages. I'm trying to parse them to have new fields by using extractors.
I usually use grok patterns for this, which work perfectly fine; however, I have created a pipeline rule that sets new geolocation-related fields on the logs.
Thing is, it works with another input I am running, but that input is an HTTP GELF input.
Now when I'm trying to configure a JSON extractor from a grok pattern I get a message saying that "Nothing will be extracted".
I followed the instructions in this video (other than the fact he's using regex and I'm using a Grok pattern):
JSON Extractor - YouTube.
As for the pipeline rule, here's the rule I created:
rule "GeoIP lookup:src="
when
    has_field("Ip_address")
then
    let geo = lookup("geoip", to_string($message.Ip_address));
    set_field("src_ip_geo_location", geo["coordinates"]);
    set_field("src_ip_geo_country", geo["country"].iso_code);
    set_field("src_ip_geo_city", geo["city"].names.en);
end
As I mentioned before, it works well with another input I have that is HTTP GELF (I didn't even have to create extractors for it).
Here are some more details (sensitive details have been blanked out).
This is the message:
message
id=firewall time=“2023-06-19 07:45:17” pri=6 fw=********* vpn=PSA1 user=System realm=“*" roles=“” proto= Ip_address= dst= dstname= type=vpn op= arg=”" result= sent= rcvd= agent=“” duration= msg="AUT23278: Browser realm restrictions successfully passed for ********** "
Thank you in advance!
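Added illustration, not part of the post above and not Graylog code: the message shown is key=value text rather than a JSON object, which is why a JSON extractor has nothing to extract; this stand-alone Python mirrors what a key=value parser has to handle (quoted values with spaces, empty values) before a rule like the one above can read Ip_address, and applies the rule's field logic against a constructed geo table. The sample line and GEOIP entries are made up; Graylog's real lookup table and extractor functions are not used here.

```python
import json
import re

# Constructed sample line in the firewall's key=value format from the post
# (values blanked out in the post are filled with made-up placeholders).
SAMPLE = ('id=firewall time="2023-06-19 07:45:17" pri=6 fw=fw01 vpn=PSA1 '
          'user=System realm="*" roles="" proto= Ip_address=198.51.100.7 dst= '
          'msg="AUT23278: Browser realm restrictions successfully passed for user1 "')

# One key=value token: the value is either a double-quoted string (spaces
# allowed inside) or an unquoted run of non-space characters, possibly empty.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]*)')

# Constructed stand-in for the "geoip" lookup table; all values are made up.
GEOIP = {
    "198.51.100.7": {"coordinates": "51.5,-0.12",
                     "country": {"iso_code": "GB"},
                     "city": {"names": {"en": "London"}}},
}

def is_json(message):
    """A JSON extractor can only fire when the input is a JSON object."""
    try:
        return isinstance(json.loads(message), dict)
    except ValueError:
        return False

def parse_kv(message):
    """Parse key=value pairs, keeping empty values as empty strings."""
    fields = {}
    for key, raw in KV_RE.findall(message):
        value = raw[1:-1] if raw.startswith('"') else raw
        fields[key] = value.strip()
    return fields

def geoip_enrich(fields):
    """Same logic as the post's rule: if Ip_address is present and the
    lookup hits, set the three src_ip_geo_* fields; otherwise leave as-is."""
    ip = fields.get("Ip_address")
    geo = GEOIP.get(ip) if ip else None
    if geo is None:
        return fields
    enriched = dict(fields)
    enriched["src_ip_geo_location"] = geo["coordinates"]
    enriched["src_ip_geo_country"] = geo["country"]["iso_code"]
    enriched["src_ip_geo_city"] = geo["city"]["names"]["en"]
    return enriched

if __name__ == "__main__":
    print("is JSON:", is_json(SAMPLE))
    print(geoip_enrich(parse_kv(SAMPLE)))
```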