Hi Joi,

Thanks for your answer.
I understand the "Only attempt extraction if field ..." option but the 
incoming messages have a great number of variables. So I was looking into 
how to get the src ip as a filter, but I was under the impression this 
can't be done since the src ip is not presented in the msg part of the 
syslog packet.

This is an example message from one of my devices.

<182>ah_auth: [Auth]: receive driver notification[0x8, WLC_E_ASSOC_IND] for 
Sta[blank] at pd[blank]

(I am not interested in this particular message, but there are other 
messages from the same level that I would be interested to see.)
Is there any way I can use the src ip as the filter for the extractor if it 
doesn't appear in the message?



On Wednesday 6 April 2016 23:52:03 UTC+2, Joi Owen wrote:
>
> I have non-conformant devices, too.  That hasn't stopped me, though.
>
> Could you be a little more specific about the nature of the problem you 
> need to solve?  There are a variety of ways to solve such an issue. It 
> would help to know what platform you're using for the graylog server 
> itself, linux vs windows or something else, as that affects the possible 
> solutions.
>
> If your 'message' field contains a recognizable string from your naughty 
> devices, you can set up the extractor to fire only on messages that match 
> that string.
>
> Here's an example.  Say I have this message from a naughty device, it 
> always contains the string 'kernel', and I want to extract the number in 
> brackets.  (I could have matched against the IP address in this example as 
> well, which might be what you want to do...)
>
> The regular expression field is for the stuff you want to jam into a 
> custom field for later use.  The 'field contains this string' is a second, 
> simpler match against the entire field 'message' content to let me control 
> how much of the incoming flood actually has to get checked with the primary 
> regular expression.
>
> So, in my example below, the text in red below the second field indicates 
> this test message would not have its number extracted because it's not from 
> the correct process.  (I used 'kernel2' as the test, see?)
>
> Does this help answer your question?  
>
>
> [image: Inline image 1]
>
> On Wed, Apr 6, 2016 at 7:55 AM, Perry Smolenaars <p.smol...@gmail.com> wrote:
>
>> I am testing Graylog and immediately the first device is not RFC 
>> compliant and I cannot adjust the UDP port. I also know the second 
>> device/vendor I need to add will have the same issue.
>> Is there a way to apply an extractor to only specific sources or 
>> source IPs? Or am I forced to set up a second Graylog server just because 
>> I have 2 vendors that are non-compliant?
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Graylog Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to graylog2+u...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/graylog2/893c76bf-1fd4-4bc3-a1cb-8aee7fbe518a%40googlegroups.com
>>  
>> <https://groups.google.com/d/msgid/graylog2/893c76bf-1fd4-4bc3-a1cb-8aee7fbe518a%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
>
> -- 
>
> No matter what we think of Linux versus FreeBSD, etc., the one thing I
> really like about Linux is that it has Microsoft worried. Anything
> that kicks a monopoly in the pants has got to be good for something.
> - Chris Johnson
>
>

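Joi's reply above describes a two-stage extractor: a cheap "field contains this string" condition that gates how many messages reach the more expensive regular expression, whose capture group is then stored in a custom field. Perry's follow-up question is whether the UDP packet's source IP, which never appears in the message text, can serve as that gate. The Python below is an added model of that pipeline written for this thread; it is not Graylog code and does not claim to reproduce how Graylog's extractor conditions are implemented. It parses the syslog PRI from constructed sample datagrams (facility = PRI // 8, severity/level = PRI % 8, which is how "the same level" is determined), applies the substring condition and the regex, and adds a hypothetical `allowed_sources` gate on the packet source IP to show the effect Perry is after. The `kernel2` test case from Joi's screenshot is included; note that a plain substring condition of `kernel` would match `kernel2`, so the condition string here is `kernel:` with the trailing colon.

```python
import re
from dataclasses import dataclass

# Constructed sample datagrams as (packet source IP, raw syslog payload).
# The source IP is packet metadata, not part of the message text.
SAMPLE_PACKETS = [
    ("10.0.0.5", "<182>ah_auth: [Auth]: receive driver notification[0x8, WLC_E_ASSOC_IND] for Sta[blank] at pd[blank]"),
    ("10.0.0.7", "<6>kernel: [12345] eth0: link up"),
    ("10.0.0.7", "<6>kernel2: [99999] test message that must not fire"),
    ("10.0.0.9", "<6>kernel: [777] same text, but from an unlisted device"),
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(raw):
    """Split the syslog PRI off the payload. Returns (pri, text); pri is None if absent."""
    m = PRI_RE.match(raw)
    if not m:
        return None, raw
    return int(m.group(1)), m.group(2)


@dataclass
class Extractor:
    """Hypothetical model of a condition-gated regex extractor (not Graylog's own type)."""
    name: str
    field_contains: str          # cheap pre-filter on the message text
    regex: re.Pattern            # capture group 1 is written to target_field
    target_field: str
    allowed_sources: frozenset = frozenset()  # hypothetical gate on packet source IP

    def apply(self, msg):
        # Gate 0 (added here): restrict to known source IPs if a set was given.
        if self.allowed_sources and msg["source"] not in self.allowed_sources:
            return False
        # Gate 1: the "field contains this string" condition on the message.
        if self.field_contains not in msg["message"]:
            return False
        # Gate 2: the real extraction regex.
        m = self.regex.search(msg["message"])
        if not m:
            return False
        msg[self.target_field] = m.group(1)
        return True


EXTRACTORS = [
    # Number in brackets from kernel lines, only from one listed device.
    Extractor("kernel_seq", "kernel:", re.compile(r"\[(\d+)\]"), "kernel_seq",
              frozenset({"10.0.0.7"})),
    # Driver event name from the ah_auth message; no source restriction.
    Extractor("driver_event", "ah_auth:",
              re.compile(r"notification\[0x[0-9a-fA-F]+,\s*(\w+)\]"), "driver_event"),
]


def to_message(source_ip, raw):
    """Build a message dict with source, message text, and facility/level from PRI."""
    pri, text = parse_pri(raw)
    msg = {"source": source_ip, "message": text}
    if pri is not None:
        msg["facility"] = pri // 8
        msg["level"] = pri % 8
    return msg


def run_extractors(packets, extractors):
    """Apply every extractor to every packet; returns the list of enriched messages."""
    out = []
    for source_ip, raw in packets:
        msg = to_message(source_ip, raw)
        for ex in extractors:
            ex.apply(msg)
        out.append(msg)
    return out


if __name__ == "__main__":
    for m in run_extractors(SAMPLE_PACKETS, EXTRACTORS):
        print(m)
```

Running it shows the ah_auth message landing in facility 22, level 6 with `driver_event` set, the `kernel:` line from 10.0.0.7 getting `kernel_seq`, the `kernel2` line being skipped by the substring condition, and the identical `kernel:` text from 10.0.0.9 being skipped by the source gate alone.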