Hello, I have several services that log JSON via syslog. In order to receive these messages in Graylog2 I wrote a drools rule to add all JSON keys as message fields; so far everything works fine.
Only problem: as far as I can tell the StreamMatcher filter always runs first, so I cannot use the new fields for streams. What is the "right" or intended way to solve this use case? Do I have to use Message::setStreams() in the drools rule (then I would have to hard-code their IDs)? Or should I write an input plugin instead?

BTW, writing extractors via the web UI would be much easier if Graylog could automatically parse (RFC3164-)Syslog messages, i.e. the hostname and tag/program fields.

-- Martin
