I have non-conformant devices, too. That hasn't stopped me, though. Could you be a little more specific about the nature of the problem you need to solve? There are a variety of ways to solve such an issue. It would help to know what platform you're using for the Graylog server itself, Linux vs. Windows or something else, as that affects the possible solutions.
If your 'message' field contains a recognizable string from your naughty devices, you can set up the extractor to fire only on messages that match that string.

Here's an example. Say I have this message from a naughty device, it always contains the string 'kernel', and I want to extract the number in brackets. (I could have matched against the IP address in this example as well, which might be what you want to do...)

The regular expression field is for the stuff you want to jam into a custom field for later use. The 'field contains this string' is a second, simpler match against the entire field 'message' content to let me control how much of the incoming flood actually has to get checked with the primary regular expression.

So, in my example below, the text in red below the second field indicates this test message would not have its number extracted because it's not from the correct process. (I used 'kernel2' as the test, see?)

Does this help answer your question?

[image: Inline image 1]

On Wed, Apr 6, 2016 at 7:55 AM, Perry Smolenaars <[email protected]> wrote:

> I am testing Graylog and immediately the first device is not RFC compliant
> and I cannot adjust the UDP port. I also know the second device/vendor I
> need to add will have the same issue.
> Is there a way to apply an extractor to only specific sources or
> source IPs? Or am I forced to set up a second Graylog server just because
> I have 2 vendors that are non-compliant?
>
> --
> You received this message because you are subscribed to the Google Groups
> "Graylog Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/graylog2/893c76bf-1fd4-4bc3-a1cb-8aee7fbe518a%40googlegroups.com
> For more options, visit https://groups.google.com/d/optout.

--
No matter what we think of Linux versus FreeBSD, etc., the one thing I really like about Linux is that it has Microsoft worried. Anything that kicks a monopoly in the pants has got to be good for something. - Chris Johnson
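
The two-stage matching described in the reply above, sketched as an added example that is not part of the original thread and is not Graylog's own code: a cheap "field contains this string" test decides whether the regular expression runs at all, and only the first capture group is stored. The sample messages, the `bracket_number` field name and the function names are constructed for illustration.

```python
import re

# Constructed sample messages (not from the thread): two from a device's
# kernel process, one from another process that also has a bracketed number.
SAMPLES = [
    {"source": "192.0.2.10", "message": "kernel[4021]: eth0 link down"},
    {"source": "192.0.2.10", "message": "sshd[977]: session opened for user admin"},
    {"source": "192.0.2.11", "message": "kernel[15]: usb 1-1 disconnected"},
]


def apply_extractor(msg, condition, pattern, target_field, source_field="message"):
    """Return (new_msg, regex_ran), mimicking a conditional regex extractor."""
    value = msg.get(source_field, "")
    # Stage 1: simple substring test against the whole source field.
    if condition not in value:
        return dict(msg), False
    # Stage 2: the regular expression; only the first capture group is kept.
    match = re.search(pattern, value)
    out = dict(msg)
    if match and match.groups():
        out[target_field] = match.group(1)
    return out, True


def run(samples, condition, pattern=r"\[(\d+)\]", target_field="bracket_number"):
    """Apply the extractor to every sample; count how often the regex ran."""
    results, regex_runs = [], 0
    for msg in samples:
        out, ran = apply_extractor(msg, condition, pattern, target_field)
        results.append(out)
        regex_runs += ran
    return results, regex_runs


if __name__ == "__main__":
    # 'kernel' matches two samples; 'kernel2' (the test string from the
    # reply) matches none, so nothing is extracted.
    for cond in ("kernel", "kernel2"):
        results, runs = run(SAMPLES, cond)
        print(cond, runs, [r.get("bracket_number") for r in results])
```

The `sshd[977]` line shows why the condition matters: it would satisfy the regular expression, but it never reaches it because it does not contain the condition string.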
