Hi,
I am trying to convert from ELK to Graylog, but I am not having much
luck extracting useful information. I have a log in key/value pair format,
and have set up an extractor to copy the input and then convert it using the key/value
pair extractor. It does not work. The log entry looks like this:

hname auditd: date="Feb 26 18:18:28 2015 UTC",fac=f_http_proxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=2135,ruid=0,euid=0,pgid=2135,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=firewall.example.domain,event=proxy traffic end,service_name=http,netsessid=54ef6373000d8e32,srcip=1.2.3.4,srcport=23862,srcburb=internal,protocol=6,dstip=4.3.2.1,dstport=80,dstburb=external,bytes_written_to_client=246,bytes_written_to_server=528,rule_name=Netflix,cache_hit=0,request_status=0,start_time="Thu Feb 26 11:18:27 2015"

As can be seen, this is straight key/value pairs, comma delimited, with '='
separating key from value. Some versions have quoted text, others do not.
The Logstash kv function worked fine against this. Is there any way to
get Graylog to do this? I tried grok, but the log message can have
different field names and I am nowhere near good enough at grok to do this.


Appreciate any insight anyone can give for this, it's driving me nuts!

-- 
You received this message because you are subscribed to the Google Groups 
"graylog2" group.
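Added example, not code from the thread, from Graylog or from Logstash: a small Python parser for the format quoted above, doing what the Logstash kv filter does for this log (split on commas, then on the first '=', while keeping quoted values intact). It assumes the line prefix ends at the first ': ' that precedes a key=value pair, and that quoted values use double quotes with backslash escapes; both are assumptions based only on the sample shown. Running a few real lines through something like this before building an extractor tells you which field names actually occur and where a naive comma split would break, such as a quoted value that itself contains a comma.

```python
import re
from typing import Dict, Tuple

# Constructed sample, based on the entry quoted in the post (not real traffic).
SAMPLE = (
    'hname auditd: date="Feb 26 18:18:28 2015 UTC",fac=f_http_proxy,area=a_libproxycommon,'
    'type=t_nettraffic,pri=p_major,pid=2135,ruid=0,euid=0,pgid=2135,logid=0,cmd=httpp,'
    'domain=htpp,edomain=htpp,hostname=firewall.example.domain,event=proxy traffic end,'
    'service_name=http,netsessid=54ef6373000d8e32,srcip=1.2.3.4,srcport=23862,'
    'srcburb=internal,protocol=6,dstip=4.3.2.1,dstport=80,dstburb=external,'
    'bytes_written_to_client=246,bytes_written_to_server=528,rule_name=Netflix,'
    'cache_hit=0,request_status=0,start_time="Thu Feb 26 11:18:27 2015"'
)

# Second constructed sample (invented field names, not from the device) with a
# quoted value that contains a comma: this is the case a plain split(',') gets wrong.
SAMPLE_QUOTED_COMMA = 'hname auditd: date="Feb 26 18:20:01 2015 UTC",type=t_example,note="a, b",count=3'

# One pair: key, '=', then either a double-quoted value (backslash escapes allowed)
# or a bare value running up to the next comma. Keys are limited to identifier
# characters, so a bare value containing spaces ("proxy traffic end") is still
# one value.
PAIR_RE = re.compile(
    r'(?P<key>[A-Za-z_][A-Za-z0-9_.-]*)='
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>[^,]*))'
)

# Assumed prefix shape: "<anything>: " immediately followed by the first key=value.
PREFIX_RE = re.compile(r'^(?P<prefix>[^=]*?):\s+(?=[A-Za-z_][A-Za-z0-9_.-]*=)')


def split_prefix(line: str) -> Tuple[str, str]:
    """Split 'hname auditd: date=...' into ('hname auditd', 'date=...').

    If no such prefix exists the whole line is treated as key/value text.
    """
    m = PREFIX_RE.match(line)
    if m:
        return m.group('prefix'), line[m.end():]
    return '', line


def parse_kv(text: str) -> Dict[str, str]:
    """Parse comma-separated key=value pairs, honouring double-quoted values."""
    fields: Dict[str, str] = {}
    pos = 0
    while pos < len(text):
        m = PAIR_RE.match(text, pos)
        if not m:
            raise ValueError(f'unparseable key/value text at offset {pos}: {text[pos:pos + 20]!r}')
        if m.group('quoted') is not None:
            value = m.group('quoted').replace('\\"', '"')
        else:
            value = m.group('bare')
        fields[m.group('key')] = value
        pos = m.end()
        if pos < len(text):
            if text[pos] != ',':
                raise ValueError(f'expected "," at offset {pos}, got {text[pos]!r}')
            pos += 1
    return fields


def parse_line(line: str) -> Tuple[str, Dict[str, str]]:
    """Return (prefix, fields) for one log line."""
    prefix, body = split_prefix(line.strip())
    return prefix, parse_kv(body)


def naive_kv(text: str) -> Dict[str, str]:
    """The split-on-comma approach, kept only to show where it breaks."""
    out: Dict[str, str] = {}
    for chunk in text.split(','):
        key, _, value = chunk.partition('=')
        out[key] = value
    return out


if __name__ == '__main__':
    prefix, fields = parse_line(SAMPLE)
    print(prefix, len(fields), 'fields')
    for k in ('date', 'event', 'srcip', 'dstip', 'start_time'):
        print(f'{k} = {fields[k]!r}')
    _, body = split_prefix(SAMPLE_QUOTED_COMMA)
    print('quoted comma, proper parse:', parse_kv(body))
    print('quoted comma, naive split: ', naive_kv(body))
```

Field values are left as strings, as the Logstash kv filter leaves them; converting ports and byte counts to integers is a separate step that you would only want for the fields you know are numeric on every event type.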