Hi all,

I'm currently trying to port the following Logstash patterns for Postfix to 
Graylog2 (1.1.6):
https://github.com/whyscream/postfix-grok-patterns

The patterns themselves imported with no issues after I had the default 
patterns from Logstash.

Now I'm trying to create the equivalent of the following:
filter {
    # grok log lines by program name (listed alphabetically)
    if [program] =~ /^postfix.*\/anvil$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns.d"
            match          => [ "message", "%{POSTFIX_ANVIL}" ]
            tag_on_failure => [ "_grok_postfix_anvil_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    }
}


   1. How can I configure Graylog to keep the sub-application name ("anvil" 
   in this case, with postfix being application_name)? I am sending all my 
   logs via rsyslog with the template GRAYLOGRFC5424 from the documentation.
   2. Is it possible to only run an extractor if a condition is met on a 
   different field? For example, when creating an extractor against `message`, 
   can we check to see if the `application_name` matches "postfix"?
   3. I know we can discard unwanted fields for nested patterns with 
   "UNWANTED", but it would be convenient for porting existing patterns if 
   the web interface allowed the user to select which fields they would like 
   during extractor creation. Are there any plans for this? 

Cheers,

Boden
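The two mechanics asked about above (splitting "postfix/anvil" into the daemon and its sub-process, and running an extraction on `message` only when another field matches) can be shown stand-alone. The following is an added example, not code from the original post, from Graylog, or from the postfix-grok-patterns project. It models the Logstash if/grok/tag_on_failure block as plain Python over a few constructed events; the field name `postfix_process`, the predicate-based condition, and the simplified `ANVIL_RE` (a stand-in for the upstream POSTFIX_ANVIL pattern that only covers the "max connection rate/count" statistics line) are all assumptions of this example.

```python
import re

# Constructed sample events (not real traffic), shaped like what the
# GRAYLOGRFC5424 rsyslog template delivers: the syslog APP-NAME lands in
# application_name and the free text after it in message.
SAMPLE_EVENTS = [
    {"application_name": "postfix/anvil",
     "message": "statistics: max connection rate 1/60s for (smtp:192.0.2.10) at Jun  1 10:00:00"},
    {"application_name": "postfix/smtpd",
     "message": "connect from unknown[192.0.2.10]"},
    {"application_name": "sshd",
     "message": "statistics: max connection rate 1/60s for (smtp:192.0.2.10) at Jun  1 10:00:00"},
    # anvil event whose message the simplified pattern does not cover,
    # to exercise the tag_on_failure path
    {"application_name": "postfix/anvil",
     "message": "statistics: max cache size 1 at Jun  1 10:00:00"},
]

# Question 1: split "postfix/anvil" into the daemon and its sub-process.
# "postfix_process" is a field name chosen for this example, not a Graylog name.
PROGRAM_RE = re.compile(r"^(?P<daemon>[^/]+)/(?P<process>[^/]+)$")


def split_program(event):
    """Return a copy of event with application_name reduced to the daemon and
    the part after the slash stored in postfix_process (unchanged if no slash)."""
    out = dict(event)
    m = PROGRAM_RE.match(event.get("application_name", ""))
    if m:
        out["application_name"] = m.group("daemon")
        out["postfix_process"] = m.group("process")
    return out


# Simplified, constructed stand-in for POSTFIX_ANVIL: only the
# "max connection rate|count" statistics line, not the full upstream pattern.
ANVIL_RE = re.compile(
    r"^statistics: max connection (?P<metric>rate|count) (?P<value>\S+) "
    r"for \((?P<service>[^:]+):(?P<client>[^)]+)\) at (?P<at>.+)$"
)


def conditional_extract(event, condition, src_field, pattern, ok_tag, fail_tag):
    """Question 2: run `pattern` against src_field only if condition(event) is
    true; mirrors the Logstash if { grok { tag_on_failure / add_tag } } block.
    When the condition is false the extractor does not run and no tag is set."""
    out = dict(event)
    if not condition(event):
        return out
    m = pattern.match(event.get(src_field, ""))
    tags = list(out.get("tags", []))
    if m:
        out.update(m.groupdict())   # named groups become fields, as grok does
        tags.append(ok_tag)
    else:
        tags.append(fail_tag)
    out["tags"] = tags
    return out


def is_postfix_anvil(event):
    # Equivalent of the Logstash condition [program] =~ /^postfix.*\/anvil$/
    return (event.get("application_name") == "postfix"
            and event.get("postfix_process") == "anvil")


def process(events):
    """Apply both steps to every event and return the enriched copies."""
    results = []
    for ev in events:
        ev = split_program(ev)
        ev = conditional_extract(ev, is_postfix_anvil, "message", ANVIL_RE,
                                 "_grok_postfix_success",
                                 "_grok_postfix_anvil_nomatch")
        results.append(ev)
    return results


if __name__ == "__main__":
    for ev in process(SAMPLE_EVENTS):
        print(ev)
```

The sshd event carries an anvil-looking message but never reaches the pattern, which is the point of gating on `application_name` first: an extractor that fires on every `message` would happily pull fields out of the wrong program's logs.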
