Hi,

Lennart Koopmann built an extractor set for the Cisco Catalyst. It works fine until the syslog message contains more than one colon.

The regular expression that is used for the message part is %.+-\d+-.+: (.*)$

For example, the message part "709149: 710638: Aug 3 02:45:23.205 CET: %DUAL-5-NBRCHANGE: EIGRP-IPv4 200: Neighbor 10.170.6.81 (GigabitEthernet2/8/48) is down: interface down" should become "EIGRP-IPv4 200: Neighbor 10.170.6.81 (GigabitEthernet2/8/48) is down: interface down" but instead became "interface down". A whole part of the message is missing.

I have a couple of questions about this:

1) I am not very good with regular expressions, so what is the correct regular expression we should use here so that we always get the correct message after the mnemonic part?
2) How can I change the regular expression without deleting the existing message extractor?
3) In the extractor set the full_message part isn't available anymore. What should be added to the extractor set to get this back?

BJ
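The truncation described in the post comes from greedy matching, shown here as an added example that is not part of the original post or of the extractor set. The `LAZY` and `BOUNDED` patterns are assumed alternatives, and every sample line except the first is constructed.

```python
import re

# Pattern quoted in the post. Both ".+" are greedy, so the ": " before the
# capture group ends up matching the LAST ": " in the line.
GREEDY = re.compile(r"%.+-\d+-.+: (.*)$")

# Assumed fix 1: lazy quantifiers stop at the FIRST ": " after -SEVERITY-.
LAZY = re.compile(r"%.+?-\d+-.+?: (.*)$")

# Assumed fix 2: spell out %FACILITY-SEVERITY-MNEMONIC. The character classes
# are an assumption about the tag alphabet, not taken from the extractor set.
BOUNDED = re.compile(r"%[A-Z0-9_]+-[0-7]-[A-Z0-9_]+: (.*)$")


def extract(pattern, line):
    """Return capture group 1 (the text after the mnemonic), or None."""
    m = pattern.search(line)
    return m.group(1) if m else None


# First line is the message from the post; the others are constructed samples.
SAMPLES = [
    "709149: 710638: Aug 3 02:45:23.205 CET: %DUAL-5-NBRCHANGE: EIGRP-IPv4 200: "
    "Neighbor 10.170.6.81 (GigabitEthernet2/8/48) is down: interface down",
    "709150: Aug 3 02:45:24.001 CET: %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to up",
    "709151: Aug 3 02:45:25.100 CET: no mnemonic tag in this line: ignore",
]


def compare(lines):
    """Run all three patterns over each line and collect the results."""
    return [
        {name: extract(p, line) for name, p in
         (("greedy", GREEDY), ("lazy", LAZY), ("bounded", BOUNDED))}
        for line in lines
    ]


if __name__ == "__main__":
    for line, result in zip(SAMPLES, compare(SAMPLES)):
        print(line)
        for name, value in result.items():
            print(f"  {name:8} -> {value!r}")
```

Each pattern keeps a single capture group, matching the shape of the pattern quoted in the post.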
