What do you mean with "I'd like to parse "Lab_Syslog" "Test Device" and "Offline" to be able to send an alert"? Do you want to send an alert every time a message that includes these three terms appears?
On Thu, Jul 10, 2014 at 3:17 AM, Bjørn Jensen <[email protected]> wrote:
> Hello all,
> I've tried searching for somebody with a similar issue but have yet to find
> it. Let me explain what I'm trying to do and then explain where I'm getting
> stuck and maybe somebody can help.
>
> I'm trying to receive very specific syslog events from hundreds of different
> SonicWALL routers that have been set to monitor a network device's up/down
> status and send a Syslog event when an event occurs. An example input
> event/stream I receive on Graylog2 is:
> id=Lab_Syslog sn=0017C567CA30 time="2014-07-09 19:41:39" fw=73.179.217.255
> pri=1 c=0 m=706 msg="Network Monitor: Host 192.168.12.250
> (Policy:TestDevice) is offline" sess=None n=4
>
> Using the above as the example, I'd like to parse "Lab_Syslog" "Test Device"
> and "Offline" to be able to send an alert to a specific email address, or
> group of email addresses, to alert them of the outage. I managed to do this
> on Splunk but would rather do it here. I've tested and my email settings
> are working. I'm getting stuck even setting up a basic rule.
>
> When I enter the message ID "Lab_Syslog" and the index "graylog2_0" and
> click "Load Message" I receive an error stating: "Error Could not load
> message. Make sure that ID and index are correct." I figured that once I
> got past that point I'd be able to see if I could somehow parse the
> information and create the alert I needed above.
>
> So, that being said I have two questions:
>
> 1.] Is what I'm trying to do even possible?
> 2.] If so, why am I unable to even create a rule?
>
> It's quite possible that I just flat out don't know what I'm doing, I accept
> that. Any help would be kindly appreciated. Thank you!
>
> --
> You received this message because you are subscribed to the Google Groups
> "graylog2" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
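As an added example (not code from this thread, from Graylog, or from SonicWALL), here is a small Python parser for the key=value syslog line quoted above. It splits the line into fields (quoted values such as time= and msg= keep their spaces), pulls host, policy and status out of the "Network Monitor" text, and applies the rule the question describes: alert only when the id is Lab_Syslog, the policy is the watched device and the status is offline. The sample line is the one from the post; the policy value in that line is "TestDevice" without a space, so that spelling is what the rule matches on. How the alert is then wired to an e-mail is left to whatever tool consumes the result.

```python
import re

# Constructed sample: the SonicWALL Network Monitor line quoted in the post,
# plus a second constructed "online" line so the filter has something to reject.
SAMPLE_EVENTS = [
    'id=Lab_Syslog sn=0017C567CA30 time="2014-07-09 19:41:39" fw=73.179.217.255 '
    'pri=1 c=0 m=706 msg="Network Monitor: Host 192.168.12.250 '
    '(Policy:TestDevice) is offline" sess=None n=4',
    'id=Lab_Syslog sn=0017C567CA30 time="2014-07-09 19:55:02" fw=73.179.217.255 '
    'pri=1 c=0 m=706 msg="Network Monitor: Host 192.168.12.250 '
    '(Policy:TestDevice) is online" sess=None n=5',
]

# key=value where value is either "quoted, may contain spaces" or a bare token.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# The free-text part of msg= that carries the monitored host, policy and state.
_MONITOR_RE = re.compile(
    r'Network Monitor: Host (?P<host>\S+) \(Policy:(?P<policy>[^)]+)\) '
    r'is (?P<status>online|offline)'
)


def parse_kv(line):
    """Parse a SonicWALL-style key=value syslog line into a dict of strings."""
    fields = {}
    for m in _KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        # group(3) is set only when the value was quoted; strip the quotes then.
        fields[key] = quoted if quoted is not None else raw
    return fields


def parse_network_monitor(msg):
    """Return {'host', 'policy', 'status'} from a Network Monitor message, or None."""
    m = _MONITOR_RE.search(msg)
    return m.groupdict() if m else None


def should_alert(line, expected_id="Lab_Syslog", expected_policy="TestDevice"):
    """Return an alert payload for an offline event from the watched source
    and policy, or None when the line does not match the rule."""
    fields = parse_kv(line)
    if fields.get("id") != expected_id:
        return None
    mon = parse_network_monitor(fields.get("msg", ""))
    if mon is None or mon["policy"] != expected_policy or mon["status"] != "offline":
        return None
    return {
        "device_id": fields["id"],
        "serial": fields.get("sn"),
        "time": fields.get("time"),
        "host": mon["host"],
        "policy": mon["policy"],
        "status": mon["status"],
    }


def alerts_for(lines, **rule):
    """Run the rule over a batch of lines and keep only the ones that fire."""
    return [a for a in (should_alert(l, **rule) for l in lines) if a is not None]


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_EVENTS):
        print("ALERT: %(policy)s (%(host)s) is %(status)s at %(time)s" % alert)
```

Only the first sample line produces an alert; the "online" line is parsed the same way but rejected by the status check, which is the distinction the question is really after.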
