Hi,

I'd recommend using different inputs for each type of device/service you have in your ecosystem.

Using the new processing pipelines in Graylog 2.x (see http://docs.graylog.org/en/2.0/pages/pipelines.html for details), you could also use one input and run different rules for each source device/service.

Cheers,
Jochen

On Tuesday, 21 June 2016 10:44:45 UTC+2, Андрей Грошев wrote:
>
> Hello people!
> I'm a newbie in Graylog and I want to understand how to correctly parse syslog messages
> from many services.
> Let's say I have three services. Each one uses a different message
> format.
> For example:
> service1: "service1: srcip dstip"
> service2: "service2: dstip bytes clientid"
> service3: "service3: srcip userid bytes etc"
> So, from the first field I can determine the type of service, but beyond that
> each service has different fields.
> How do I handle this properly?
> Build separate "inputs" on different ports with extractors, or one input and
> one difficult grok pattern?
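As an added illustration of the single-input approach Jochen describes (not code from the thread or from the Graylog project), here are three Graylog 2.x pipeline rules, one per service, that each test the leading service tag and only then run a grok pattern matching that service's format. The rule names and the field names (srcip, dstip, bytes, clientid, userid, extra) are assumptions taken from the formats quoted in the question; `regex`, `grok`, `set_fields` and `to_string` are functions from the Graylog 2.x pipeline function set, and `IP`, `INT`, `WORD` and `GREEDYDATA` are patterns from Graylog's default grok pattern set.

```graylog
// Added example, not from the original thread. Each rule is created
// separately under System > Pipelines and attached to a stage of a
// pipeline connected to the stream the shared syslog input feeds.
// Anchoring the patterns with ^ and $ keeps one service's message
// from being partially parsed by another service's rule; messages that
// match no rule are stored unchanged and can be reviewed later.

rule "parse service1"
when
    regex("^service1: ", to_string($message.message)).matches
then
    let parsed = grok(
        pattern: "^service1: %{IP:srcip} %{IP:dstip}$",
        value: to_string($message.message),
        only_named_captures: true
    );
    set_fields(parsed);
end

rule "parse service2"
when
    regex("^service2: ", to_string($message.message)).matches
then
    let parsed = grok(
        pattern: "^service2: %{IP:dstip} %{INT:bytes} %{WORD:clientid}$",
        value: to_string($message.message),
        only_named_captures: true
    );
    set_fields(parsed);
end

rule "parse service3"
when
    regex("^service3: ", to_string($message.message)).matches
then
    // "etc" in the question is an unknown tail; GREEDYDATA keeps it in one field.
    let parsed = grok(
        pattern: "^service3: %{IP:srcip} %{WORD:userid} %{INT:bytes} %{GREEDYDATA:extra}$",
        value: to_string($message.message),
        only_named_captures: true
    );
    set_fields(parsed);
end
```

Because every rule's `when` clause is specific to its own prefix, adding a fourth service later means adding one more rule rather than growing a single grok pattern that has to cover every format at once.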
