Hi Keamas, the search query languages of Splunk and Graylog (http://docs.graylog.org/en/2.0/pages/queries.html#search-query-language) aren't similar at all. You'll probably have to rewrite all of your queries.

Regarding the extraction of structured information from the syslog messages, you'll have to write extractors (http://docs.graylog.org/en/2.0/pages/extractors.html) or use a processing pipeline (http://docs.graylog.org/en/2.0/pages/pipelines.html) for your devices. Maybe you're lucky and someone already did the hard work and put it on the Graylog Marketplace: https://marketplace.graylog.org/

Cheers,
Jochen

On Monday, 27 June 2016 15:04:14 UTC+2, Keamas M wrote:
> Hello,
> I am new to Graylog. I used Splunk before, but I reached the space limit of Splunk. That's why I installed Graylog.
> I want to log firewall logs and create reports and graphs out of these logs.
>
> - How similar is the search syntax between Splunk and Graylog? Is it complicated to migrate this?
>
> - But the main issue at the moment is that the syslog messages which I get are different if you compare Graylog and Splunk.
>
> Splunk syslog message:
>
> <14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info C-WN02-FW Detect: type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.143|srcPort=52365|srcMAC=00:00:00:00:00:00|dstIP=194.232.104.167|dstPort=80|dstService=|dstIF=port7.910|rule=|info=Normal Operation|srcNAT=80.120.132.156|dstNAT=194.232.154.127|duration=0|count=1|receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user=n600771|protocol=HTTP direct|application=Web browsing|target=steiermark.orf.at|content=|urlcat=Search Engines/Portals
>
> Graylog syslog message:
>
> message
> NG_Firewall[]: 1467031812 1 10.244.120.142 194.232.112.146 image/png 10.244.120.142 http://steiermark.orf.at/mojo/1_3/storyserver/oeka/images/arrow.right.png 1020 BYF ALLOWED CLEAN 2 1 0 0 0 (-) 0 Search-Engines/Portals 0 - 0 steiermark.orf.at Search-Engines/Portals [00user] steiermark.orf.at - - 0
>
> How can I receive or display the syslogs in the same format as in Splunk? I installed this app on my Splunk installation:
> https://splunkbase.splunk.com/app/2634/
> The syslog logs have more information, like srcNAT, dstNAT and so on, and also a name like target= or urlcat=... How can I change these settings? On Splunk there was no additional configuration needed.
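As an added example (not part of either message above, and not Graylog's own code), a small Python parser for the pipe-delimited key=value format of the Splunk-side syslog sample, producing the fields (srcNAT, dstNAT, urlcat, ...) that an extractor or pipeline rule would have to yield in Graylog. The sample line is reconstructed from the quoted message; the header regex assumes the BSD-syslog layout shown there.

```python
import re
# Sample line reconstructed from the Splunk-side syslog message quoted above.
SAMPLE = ("<14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info C-WN02-FW Detect: "
          "type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.143|srcPort=52365|srcMAC=00:00:00:00:00:00|"
          "dstIP=194.232.104.167|dstPort=80|dstService=|dstIF=port7.910|rule=|info=Normal Operation|"
          "srcNAT=80.120.132.156|dstNAT=194.232.154.127|duration=0|count=1|receivedBytes=0|sentBytes=0|"
          "receivedPackets=0|sentPackets=0|user=n600771|protocol=HTTP direct|application=Web browsing|"
          "target=steiermark.orf.at|content=|urlcat=Search Engines/Portals")

# BSD-syslog header: <PRI>TIMESTAMP HOSTNAME TAG: CONTENT
HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<tag>\S+?): (?P<content>.*)$")
# Firewall payload: "<level> <box> Detect: key=value|key=value|..."
CONTENT_RE = re.compile(r"^(?P<level>\S+) (?P<box>\S+) Detect: (?P<kv>.*)$")

def parse_kv(kv: str, sep: str = "|", assign: str = "=") -> dict:
    """Split 'k=v|k=v' into a dict. Values may contain spaces or '/', and
    keys with no value (e.g. 'rule=') are kept with an empty string."""
    fields = {}
    for item in kv.split(sep):
        if not item:
            continue
        key, _, value = item.partition(assign)  # split on the first '=' only
        fields[key.strip()] = value.strip()
    return fields

def parse_firewall_syslog(line: str) -> dict:
    """Return the syslog header fields plus the firewall's key=value fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a BSD-syslog line")
    pri = int(m.group("pri"))
    out = {
        "facility": pri >> 3,   # <14> -> facility 1 (user-level)
        "severity": pri & 0x7,  # <14> -> severity 6 (informational)
        "timestamp": m.group("ts"),
        "source": m.group("host"),
        "application_name": m.group("tag"),
    }
    c = CONTENT_RE.match(m.group("content"))
    if c:  # structured firewall event
        out["level"], out["box"] = c.group("level"), c.group("box")
        out.update(parse_kv(c.group("kv")))
    else:  # unknown payload: keep it as free text
        out["message"] = m.group("content")
    return out

if __name__ == "__main__":
    for k, v in parse_firewall_syslog(SAMPLE).items():
        print(f"{k}={v!r}")
```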
