Thanks for the suggestions, Jochen.

I have tried the first suggestion: Created a RAW/Plaintext input and a set 
of extractors to parse the archived syslog files.
I managed to modify the "message" field but the source shows the hostname 
of our syslog master and the timestamp is when I ingested the test message.
I was hoping to have the source and timestamps be the ones from the 
archived syslog entry:

For example:
Sep 13 00:00:50 srvback60 SQLAnywhere(nb_westback): [ID 702911 user.notice] 
Finished checkpoint of "NBAZDB" (NBAZDB.db) at Sun Sep 13 2015 00:00

I want Graylog to reflect the timestamp (Sep 13 00:00:50) and source 
(srvback60) shown in this archived entry.

Is this possible?  Any other words of wisdom that might point me in the 
right direction?

Has anyone else done this?

Thanks,
Steve.

On Wednesday, September 30, 2015 at 1:49:26 AM UTC-7, Jochen Schalanda 
wrote:
>
> Hi Steve,
>
> the easiest way to ingest old log files is sending them via netcat, nxlog, 
> or logstash to Graylog. In case of netcat, you'll probably need a 
> Raw/Plaintext input and a set of extractors in Graylog. In case of nxlog or 
> logstash you could pre-process the logs (e.g. parse them and create a 
> structured format) on the system itself and then send them to a GELF input 
> in Graylog without the need for separate extractors.
>
>
> Cheers,
> Jochen
>
> On Wednesday, 30 September 2015 10:43:05 UTC+2, Steve Kirkpatrick wrote:
>>
>> I have been testing out Graylog 1.2.1 using the VM appliance.  I have 
>> pointed one of my syslog-ng servers at Graylog and all is working as 
>> expected.
>>
>> Next, I would like to load some of my archived syslog files into Graylog 
>> so I can search on older data.  Is this possible?  If so, what is the 
>> best/easiest way to do this?
>> I have seen some references to using "nc" but not sure of the details on 
>> how to do so.
>>
>> Any pointers are appreciated.
>>
>> Thanks,
>> Steve.
>>
>
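
Added example, not part of the original thread: a sketch of the "pre-process, then send to a GELF input" route Jochen describes, done with a small Python script instead of nxlog or logstash, so that the GELF host and timestamp fields come from the archived entry rather than from the sender and the ingest time. The function names, the caller-supplied year and time zone (the archived line contains neither), and the GELF TCP input on port 12201 are assumptions.

```python
import json
import re
import socket
from datetime import datetime, timezone

# Classic BSD syslog layout, as in the archived entry: "Mmm dd HH:MM:SS host message"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# Solaris-style "[ID 702911 user.notice]" marker carrying facility.severity
ID_RE = re.compile(r"\[ID \d+ (?P<fac>\w+)\.(?P<sev>\w+)\] ?")
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

def to_gelf(line, year, tz=timezone.utc):
    """Return a GELF 1.1 dict with host and timestamp taken from the archived line.

    The line carries no year or time zone, so both are caller-supplied assumptions.
    Returns None for lines that do not match (e.g. wrapped continuation lines).
    """
    line = line.rstrip("\r\n")
    m = LINE_RE.match(line)
    if m is None:
        return None
    # %b expects English month names (C locale)
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    gelf = {"version": "1.1", "host": m["host"], "timestamp": when.timestamp(),
            "full_message": line, "level": SEVERITY["info"]}
    msg = m["msg"]
    tag = ID_RE.search(msg)
    if tag:
        gelf["level"] = SEVERITY.get(tag["sev"], SEVERITY["info"])
        gelf["_facility"] = tag["fac"]
        msg = ID_RE.sub("", msg, count=1)
    gelf["short_message"] = msg
    return gelf

def send_gelf_tcp(lines, year, server, port=12201):
    """Send each parsable line to a GELF TCP input; frames are null-byte delimited."""
    sent = 0
    with socket.create_connection((server, port)) as sock:
        for line in lines:
            gelf = to_gelf(line, year)
            if gelf is not None:
                sock.sendall(json.dumps(gelf).encode("utf-8") + b"\0")
                sent += 1
    return sent

# Constructed sample: the entry quoted in the post, joined back onto one line
SAMPLE = ('Sep 13 00:00:50 srvback60 SQLAnywhere(nb_westback): [ID 702911 user.notice] '
          'Finished checkpoint of "NBAZDB" (NBAZDB.db) at Sun Sep 13 2015 00:00')

if __name__ == "__main__":
    print(json.dumps(to_gelf(SAMPLE, 2015), indent=2))
```

Archives that span a year boundary need the year chosen per file, since the same "Mmm dd" prefix is otherwise ambiguous.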
