Wrong Source ID for Aruba IAP 215 Logs

Hi,
I have an Aruba IAP (Instant Access Point) network sending logs to my Graylog server. Its working fine but the source ID of the logs received from the IAPs is set to “2018”. Graylog is actually using the year of the IAP’s date as the source ID.
I have reached out to Aruba and they confirmed that it is not possible to change the way the IAPs are generating the logs, so I’m looking for a way to change the source ID in Graylog.
Here is the link to the topic I wrote on Aruba Airheads community : https://community.arubanetworks.com/t5/Controllerless-Networks/Source-ID-Logs-IAP-215/td-p/388361

There is already a post on this exact problem here : Messaging pipeline not changing the source field . In this post they are using pipeline rules but there is no feedback on whether its working or not.

I’m looking for a way to change the source ID and make it display the name of the Wireless Virtual Controller or anything more specific than “2018”.
I’m not familiar with Graylog, is using pipelines the way to go ? Or is there an easier solution (an extractor for Aruba IAP for example) ?

Any help would be much apreciated, thank you.
Medjaÿ.

I assume that you’re using a Syslog UDP or Syslog TCP input. These inputs have a configuration setting to store the original syslog message in the “full_message” field so that you can use extractors or pipeline rules to parse the “full_message” field (or copy the parts you’re interested in) to override the message fields you want to change.

Thank you for you answer.
So the way to go is to store the whole log message then use extractor or pipelines to generate a message with the value I want in the source ID field, right ?
Is there any difference between extractors and pipelines ?
Is the pipeline used in the post linked previously correct ?

Yes.

Both can be used to modify messages. The processing pipelines are newer than the extractors and provide the capabilities for more sophisticated filtering/data extraction at the cost of more complexity.

Take a look at the Graylog documentation for more details:

1 Like

Ok problem solved then,
thank you very much for your time !
Bye,
Medjaÿ

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.