You rock! Thank you so much Kay!!! I really appreciate you taking the time to help a noob like me out.
On Friday, July 11, 2014 5:45:35 PM UTC-4, Kay Röpke wrote:
>
> Indeed!
>
> I did not notice this when first reading your mail: Message ID is not the content of the field "id" in your example. Rather, it is the unique uuid graylog2 assigns to each message. The "load message" button needs that uuid. Do a search for a message you are interested in. Then click on the message in the result table, and copy the uuid that shows up in the sidebar on the right (you can click the envelope icon to copy the message id to the clipboard). Take note of the index name, too.
>
> Enter _those_ in the message id and index fields, then proceed to set up your rules. Graylog2 will use the loaded message as an example to match the new rules against.
> Most likely your rules can consist of a single regex match on the field message, or, which is a little bit more performant, individual fields if you have extracted the values.
> I would go with the regex match first to get everything working. In your case those regexes should be fast since it's all just fixed strings.
>
> Best,
> Kay
>
> On Fri, Jul 11, 2014 at 9:36 PM, Bjørn Jensen <[email protected]> wrote:
> > Yes sir, that's exactly what I mean. Thank you very much for the reply. Once I do one of those correctly I should easily be able to figure out the rest. I feel like there is an easy way to do this and I must be missing SOMETHING very basic. If you can point me in the right direction it would be hugely appreciated.
> >
> >
> > On Thursday, July 10, 2014 11:50:25 AM UTC-4, lennart wrote:
> >>
> >> What do you mean with "I'd like to parse "Lab_Syslog" "Test Device" and "Offline" to be able to send an alert"? Do you want to send an alert every time a message that includes these three terms appears?
> >>
> >> On Thu, Jul 10, 2014 at 3:17 AM, Bjørn Jensen <[email protected]> wrote:
> >> > Hello all,
> >> > I've tried searching for somebody with a similar issue but have yet to find it. Let me explain what I'm trying to do and then explain where I'm getting stuck and maybe somebody can help.
> >> >
> >> > I'm trying to receive very specific syslog events from hundreds of different SonicWALL routers that have been set to monitor a network device's up/down status and send a Syslog event when an event occurs. An example input event/stream I receive on Graylog2 is:
> >> > id=Lab_Syslog sn=0017C567CA30 time="2014-07-09 19:41:39" fw=73.179.217.255 pri=1 c=0 m=706 msg="Network Monitor: Host 192.168.12.250 (Policy:TestDevice) is offline" sess=None n=4
> >> >
> >> > Using the above as the example, I'd like to parse "Lab_Syslog" "Test Device" and "Offline" to be able to send an alert to a specific email address, or group of email addresses, to alert them of the outage. I managed to do this on Splunk but would rather do it here. I've tested and my email settings are working. I'm getting stuck even setting up a basic rule.
> >> >
> >> > When I enter the message ID "Lab_Syslog" and the index "graylog2_0" and click "Load Message" I receive an error stating: "Error Could not load message. Make sure that ID and index are correct." I figured that once I got past that point I'd be able to see if I could somehow parse the information and create the alert I needed above.
> >> >
> >> > So, that being said I have two questions:
> >> >
> >> > 1.] Is what I'm trying to do even possible?
> >> > 2.] If so, why am I unable to even create a rule?
> >> >
> >> > It's quite possible that I just flat out don't know what I'm doing, I accept that. Any help would be kindly appreciated. Thank you!
> >> >
> >> > --
> >> > You received this message because you are subscribed to the Google Groups "graylog2" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> >> > For more options, visit https://groups.google.com/d/optout.
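Kay's suggestion, worked through as an added example (this is not code from the thread or from Graylog2): a small parser for the SonicWALL key=value line quoted above, the single fixed-string regex over the raw message, and the equivalent per-field rule once the values are extracted. The second sample event (an "is online" variant) is constructed here; note that the quoted event reads `Policy:TestDevice` with no space, so a rule has to match that literal rather than "Test Device".

```python
import re

# Constructed samples: the SonicWALL event quoted in the thread, plus a made-up
# "is online" event for the same host that must NOT trigger the outage alert.
SAMPLE_EVENTS = [
    'id=Lab_Syslog sn=0017C567CA30 time="2014-07-09 19:41:39" fw=73.179.217.255 '
    'pri=1 c=0 m=706 msg="Network Monitor: Host 192.168.12.250 '
    '(Policy:TestDevice) is offline" sess=None n=4',
    'id=Lab_Syslog sn=0017C567CA30 time="2014-07-09 19:45:02" fw=73.179.217.255 '
    'pri=1 c=0 m=706 msg="Network Monitor: Host 192.168.12.250 '
    '(Policy:TestDevice) is online" sess=None n=4',
]

# key=value pairs: the value is either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Rule style 1 from the thread: one regex over the whole message field, built
# only from fixed strings taken from the event itself (no space in TestDevice;
# the event says "offline" in lower case, so match case-insensitively).
ALERT_RE = re.compile(r'id=Lab_Syslog\b.*Policy:TestDevice\b.*\bis offline\b', re.I)


def parse_sonicwall(line: str) -> dict:
    """Split a SonicWALL syslog line into a field dict, as an extractor would."""
    return {key: quoted or bare for key, quoted, bare in _KV_RE.findall(line)}


def matches_regex_rule(line: str) -> bool:
    """Rule style 1: a single regex on the raw message."""
    return ALERT_RE.search(line) is not None


def matches_field_rules(fields: dict) -> bool:
    """Rule style 2: individual per-field rules after extraction (cheaper than regex)."""
    msg = fields.get("msg", "")
    return (fields.get("id") == "Lab_Syslog"
            and "Policy:TestDevice" in msg
            and msg.endswith("is offline"))


def outage_alerts(lines) -> list:
    """Return (host, policy) for every event that should raise the outage alert."""
    hits = []
    for line in lines:
        fields = parse_sonicwall(line)
        if matches_field_rules(fields):
            m = re.search(r'Host (\S+) \(Policy:([^)]+)\) is offline', fields["msg"])
            hits.append((m.group(1), m.group(2)))
    return hits
```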
