Indeed!

I did not notice this when first reading your mail:
Message ID is not the content of the field "id" in your example.
Rather, it is the unique uuid graylog2 assigns to each message.
The "load message" button needs that uuid. Do a search for a message
you are interested in. Then click on the message in the result table,
and copy the uuid that shows up in the sidebar on the right (you can
click the envelope icon to copy the message id to the clipboard). Take
note of the index name, too.

Enter _those_ in the message id and index fields, then proceed to set
up your rules. Graylog2 will use the loaded message as an example to
match the new rules again.
Most likely your rules can consist of a single regex match on the
field message, or, which is a little bit more performant, individual
fields if you have extracted the values.
I would go with the regex match first to get everything working. In
your case those regexes should be fast since it's all just fixed
strings.

Best,
Kay
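Kay's two suggestions (a single regex over the message field, or a comparison on individually extracted fields) worked through on the SonicWALL line quoted in the original post. This is an added example, not code from the thread or from Graylog2; the two extra sample events are constructed for contrast.

```python
import re

# Constructed sample events in the SonicWALL key=value format from the post.
# The first is the line quoted in the thread; the other two are made up for contrast.
SAMPLE_EVENTS = [
    'id=Lab_Syslog sn=0017C567CA30 time="2014-07-09 19:41:39" fw=73.179.217.255 pri=1 c=0 m=706 '
    'msg="Network Monitor: Host 192.168.12.250 (Policy:TestDevice) is offline" sess=None n=4',
    'id=Lab_Syslog sn=0017C567CA30 time="2014-07-09 19:45:02" fw=73.179.217.255 pri=1 c=0 m=706 '
    'msg="Network Monitor: Host 192.168.12.250 (Policy:TestDevice) is online" sess=None n=5',
    'id=Branch_Syslog sn=0017C567CA31 time="2014-07-09 19:46:10" fw=203.0.113.9 pri=1 c=0 m=706 '
    'msg="Network Monitor: Host 10.0.0.7 (Policy:TestDevice) is offline" sess=None n=6',
]

# Option 1: one regex over the whole message field, the thing to try first.
# Each fixed string is tied to the key it belongs to, so "offline" or "Lab_Syslog"
# appearing somewhere else in an unrelated message does not trigger the rule.
OFFLINE_RULE = re.compile(r'\bid=Lab_Syslog\b.*\(Policy:TestDevice\) is offline\b')

def matches_offline_rule(message: str) -> bool:
    """True when the raw message satisfies the regex-based stream rule."""
    return OFFLINE_RULE.search(message) is not None

# Option 2: extract the key=value fields once, then compare plain fields.
# Values may be quoted (and then contain spaces), so the regex handles both forms.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
MSG_RE = re.compile(r'Host (\S+) \(Policy:([^)]+)\) is (\w+)')

def extract_fields(message: str) -> dict:
    """Split a SonicWALL line into a dict of its key=value pairs."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(message)}

def classify(message: str) -> dict:
    """Return the fields relevant to the alert plus the alert decision."""
    fields = extract_fields(message)
    m = MSG_RE.search(fields.get("msg", ""))
    host, policy, state = m.groups() if m else (None, None, None)
    alert = fields.get("id") == "Lab_Syslog" and policy == "TestDevice" and state == "offline"
    return {"id": fields.get("id"), "host": host, "policy": policy, "state": state, "alert": alert}

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(matches_offline_rule(event), classify(event))
```

Only the first event should fire: the second reports the host back online, the third comes from a different router id.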

On Fri, Jul 11, 2014 at 9:36 PM, Bjørn Jensen <[email protected]> wrote:
> Yes sir, that's exactly what I mean.  Thank you very much for the reply.
> Once I do one of those correctly I should easily be able to figure out the
> rest.  I feel like there is an easy way to do this and I must be missing
> SOMETHING very basic.  If you can point me in the right direction it would
> be hugely appreciated.
>
>
> On Thursday, July 10, 2014 11:50:25 AM UTC-4, lennart wrote:
>>
>> What do you mean with "I'd like to parse "Lab_Syslog" "Test Device"
>> and "Offline" to be able to send an alert"? Do you want to send an
>> alert every time a message that includes these three terms appears?
>>
>> On Thu, Jul 10, 2014 at 3:17 AM, Bjørn Jensen <[email protected]> wrote:
>> > Hello all,
>> > I've tried searching for somebody with a similar issue but have yet to find
>> > it.  Let me explain what I'm trying to do and then explain where I'm getting
>> > stuck and maybe somebody can help.
>> >
>> > I'm trying to receive very specific syslog events from hundreds of different
>> > SonicWALL routers that have been set to monitor a network device's up/down
>> > status and send a Syslog event when an event occurs.  An example input
>> > event/stream I receive on Graylog2 is:
>> > id=Lab_Syslog sn=0017C567CA30 time="2014-07-09 19:41:39" fw=73.179.217.255 pri=1 c=0 m=706 msg="Network Monitor: Host 192.168.12.250 (Policy:TestDevice) is offline" sess=None n=4
>> >
>> > Using the above as the example, I'd like to parse "Lab_Syslog" "Test Device"
>> > and "Offline" to be able to send an alert to a specific email address, or
>> > group of email addresses, to alert them of the outage.  I managed to do this
>> > on Splunk but would rather do it here.  I've tested and my email settings
>> > are working.  I'm getting stuck even setting up a basic rule.
>> >
>> > When I enter the message ID "Lab_Syslog" and the index "graylog2_0" and
>> > click "Load Message" I receive an error stating: "Error Could not load
>> > message. Make sure that ID and index are correct."  I figured that once I
>> > got past that point I'd be able to see if I could somehow parse the
>> > information and create the alert I needed above.
>> >
>> > So, that being said I have two questions:
>> >
>> > 1.] Is what I'm trying to do even possible?
>> > 2.] If so, why am I unable to even create a rule?
>> >
>> > It's quite possible that I just flat out don't know what I'm doing, I accept
>> > that.  Any help would be kindly appreciated.  Thank you!
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "graylog2" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>
