You could use the key=value copy extractor 
(http://docs.graylog.org/en/2.0/pages/extractors.html#automatically-extract-all-key-value-pairs)

That gets all the data into fields. Then it depends on what you 
want to achieve.

On Monday, 22 August 2016 13:10:42 UTC+1, Aleksey Chudov wrote:
>
> Hi,
>
> I've searched Google and Graylog Marketplace for a plugin to parse Linux 
> audit log messages with no success.
>
> Some details about audit logs
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Understanding_Audit_Log_Files.html
>
> Actually, an audit event consists of three records, which share the same time 
> stamp and serial number. Each record consists of several name=value pairs 
> separated by white space or a comma. 
>
> What is the best way to parse audit log messages? I'm thinking of writing 
> custom Graylog plugin.
>
> Regards,
> Aleksey
>
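An added example (mine, not code from the thread or from Graylog) of what the name=value parsing and the timestamp/serial grouping described in the question look like in practice; the sample records are constructed after the Red Hat audit format and are not real log data.

```python
import re

# One name=value pair: value is double-quoted or runs to the next white space or comma.
PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s,]+)')
# msg=audit(<timestamp>:<serial>): header shared by every record of one event.
HEADER_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\):')

# Constructed sample records in the RHEL audit format (not real log data).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1471867842.123:4711): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=2686 pid=3538 auid=1000 uid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config"
type=CWD msg=audit(1471867842.123:4711):  cwd="/home/aleksey"
type=PATH msg=audit(1471867842.123:4711): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=SYSCALL msg=audit(1471867842.456:4712): arch=c000003e syscall=59 success=yes exit=0 items=2 pid=3540 auid=1000 uid=1000 comm="id" exe="/usr/bin/id" key=(null)
type=EXECVE msg=audit(1471867842.456:4712): argc=1 a0="id"
"""

def parse_record(line):
    """Parse one audit record into a dict; the header becomes timestamp/serial."""
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    fields = {"timestamp": m.group(1), "serial": int(m.group(2))}
    body = line[:m.start()] + line[m.end():]  # drop the header, keep type=...
    for key, value in PAIR_RE.findall(body):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]  # unquote; hex-encoded values are left as-is
        fields[key] = value
    return fields

def group_events(lines):
    """Group records by (timestamp, serial): one list of records per event."""
    events = {}
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            events.setdefault((rec["timestamp"], rec["serial"]), []).append(rec)
    return events

def summarize(records):
    """Flatten one event: SYSCALL fields keep their names, CWD adds 'cwd', PATH names go under 'paths'."""
    summary = {"paths": []}
    for rec in records:
        if rec.get("type") == "SYSCALL":
            summary.update({k: v for k, v in rec.items() if k != "type"})
        elif rec.get("type") == "CWD":
            summary["cwd"] = rec.get("cwd")
        elif rec.get("type") == "PATH":
            summary["paths"].append(rec.get("name"))
    return summary
```

The merged summary is the shape you would want one Graylog message to have once the separate records are joined on their shared timestamp and serial, which the key=value extractor alone does not do.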
