So I am running a couple of Unifi APs. They are coming into Graylog. I can see the logs, but they're not getting parsed. I have tried multiple things with pipelines etc., but I can't seem to get the logs to break down into separate fields so I can search the fields. Has anyone got it to work correctly?
Hey @InfoSecUniversity,
How do the logs appear within Graylog? Do you have an example?
Layout is like this.
Source
facility
facility_num
full message
level
message
timestamp
@InfoSecUniversity, what is the content of the message field?
Attached is what's in there. Since the forum only allows 1 picture per reply, I'll post the other three as well.
You need to learn what a grok pattern is:
Here is also some explanation:
I do not recommend using the extractors, however; please use the pipelines with your grok pattern.
I wrote a post on how to build well-performing groks here, in German though. The translation engine of your choice will do the job:
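To show concretely what a grok pattern does before it goes into a pipeline rule, here is an added example (not code from this thread or from Graylog): a small expander that turns `%{NAME:field}` references into a regular expression with named groups, the same transformation Graylog's `grok()` pipeline function performs with its built-in pattern library. The sample line is constructed to resemble a UniFi AP `hostapd` association message; the real message contents from the thread were only posted as screenshots, so the exact format is an assumption.

```python
import re

# Minimal grok-style expander. A grok pattern such as
# "%{WORD:process}: STA %{MAC:client_mac}" is rewritten into a regex
# with named capture groups; each group becomes a searchable field.
# Only a handful of the standard grok base patterns are defined here.
BASE_PATTERNS = {
    "WORD": r"\b\w+\b",
    "INT": r"[+-]?\d+",
    "NOTSPACE": r"\S+",
    "DATA": r".*?",          # lazy: stops at the first thing that follows it
    "GREEDYDATA": r".*",     # greedy: swallows the rest of the line
    "MAC": r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}",
}

# Matches %{PATTERN} or %{PATTERN:field_name}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand(pattern):
    """Expand grok references into a plain regular expression."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        if name not in BASE_PATTERNS:
            raise ValueError(f"unknown grok pattern {name}")
        base = BASE_PATTERNS[name]
        return f"(?P<{field}>{base})" if field else f"(?:{base})"
    return GROK_REF.sub(repl, pattern)


def grok(pattern, text):
    """Return a dict of named captures, or None when the pattern does not match."""
    m = re.search(expand(pattern), text)
    return m.groupdict() if m else None


# Constructed sample in the shape of a UniFi AP hostapd association line
# (assumed format, used only to exercise the pattern below).
SAMPLE = ('("UAP-AC-PRO,aabbccddeeff,v4.3.20") hostapd: ath0: '
          'STA 00:11:22:33:44:55 IEEE 802.11: associated')

# Grok pattern for that line. In Graylog this string would be the
# `pattern` argument of grok() inside a pipeline rule.
UNIFI_ASSOC = (
    r'\("%{DATA:ap_model},%{DATA:ap_mac},%{DATA:firmware}"\) '
    r'%{WORD:process}: %{WORD:interface}: STA %{MAC:client_mac} '
    r'IEEE 802\.11: %{GREEDYDATA:event}'
)


def parse_unifi_assoc(message):
    """Break a UniFi association message into fields; None if it is another message type."""
    return grok(UNIFI_ASSOC, message)


if __name__ == "__main__":
    print(expand(UNIFI_ASSOC))
    print(parse_unifi_assoc(SAMPLE))
```

Once the pattern matches your own message field in this kind of test, the Graylog pipeline rule is the same pattern passed to `grok(pattern: "...", value: to_string($message.message), only_named_captures: true)` followed by `set_fields(fields: <that result>)`; the named captures then show up as separate searchable fields. Using `DATA` rather than `NOTSPACE` for the comma-separated header tokens keeps the regex from backtracking across the whole line, which is the kind of performance point the linked post is about.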