Hi Joshua, I would change the output from syslog to GELF in your nxlog configuration - then you need to create a GELF input on Graylog. This should solve some of your problems and the fields will be separated.
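The change the reply suggests, applied to the nxlog.conf from the original post, as an added example that is not from either poster: the xm_syslog/to_syslog_bsd() output is replaced by a GELF output, so nxlog's own fields arrive in Graylog as separate fields, and a regex in the Input lifts the level out of each line into its own field. Assumptions: the log lines contain a `level=Fatal`-style token (the post only mentions searching on level), the Graylog host is a placeholder, 12201 is the default port of the "GELF UDP" input you create on the Graylog side, and the custom field is named log_level to avoid clashing with GELF's own numeric level.

```nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# GELF serialiser instead of xm_syslog: each nxlog field becomes its own GELF field
<Extension gelf>
    Module xm_gelf
</Extension>

<Input in>
    Module        im_file
    File          'c:\\Logs\\*.log'
    SavePos       TRUE
    ReadFromLast  TRUE
    Recursive     TRUE
    PollInterval  1
    # Record which application log the line came from (shows up as source_file in Graylog)
    Exec $source_file = file_name();
    # Assumed line format "... level=Fatal ...": copy the level into its own field,
    # so Graylog can search and alert on log_level:Fatal instead of a free-text match
    Exec if $raw_event =~ /level=(\w+)/ $log_level = $1;
</Input>

<Output out>
    Module      om_udp
    Host        GRAYLOG_HOST_PLACEHOLDER
    Port        12201
    OutputType  GELF
</Output>

<Route r>
    Path in => out
</Route>
```

On the Graylog side the matching input is a GELF UDP input on port 12201; once messages arrive, log_level and source_file appear as searchable fields, and a stream alert on log_level:Fatal replaces the Splunk query from the post.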
From: Joshua Walderbach <[email protected]>
Reply-To: [email protected]
Date: 26 July 2016 at 23:30:53
To: Graylog Users <[email protected]>
Subject: [graylog2] Incoming logs incorrectly formatted

I have a Log directory at C:\Logs and in that directory are say 5 different logs, per day, by application, e.g. app1-07262016.log, app2-07262016.log, etc... I want to watch these logs and send them over to Graylog. I have nxlog installed on the Windows server along with sidecar. I've set up a Syslog/UDP input and it's collecting info from these logs. However the formatting isn't allowing for accurate searching. For example, everything is in the message:

<https://lh3.googleusercontent.com/-UeoiAwYZPag/V5fTiXMERzI/AAAAAAAAAQg/1KiAdI4zhIs_8EsUjyq4e1fKWus4vr20wCLcB/s1600/Screenshot%2Bfrom%2B2016-07-26%2B15-17-07.png>

In this example I'm unable to search for instances where the "level" = something. This one shows Debug but I'd want to eventually set up alerts for "level=Fatal". I assume that this is a result of how I've set up the nxlog.conf or created the input. The raw logs, as they are now, are pumped into Splunk and I can easily search for host=something level=Fatal and create an alert on that query.

nxlog.conf which I cobbled together from various online sources:

    define ROOT C:\Program Files (x86)\nxlog

    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data
    LogFile   %ROOT%\data\nxlog.log

    # syslog formatting functions (to_syslog_bsd)
    <Extension syslog>
        Module xm_syslog
    </Extension>

    # tail every *.log file under C:\Logs
    <Input in>
        Module        im_file
        File          'c:\\Logs\\*.log'
        SavePos       TRUE
        ReadFromLast  TRUE
        Recursive     TRUE
        PollInterval  1
    </Input>

    # wrap each line as BSD syslog and send it over UDP to the Graylog Syslog/UDP input
    <Output out>
        Module om_udp
        Host   XXX.XXX.XXX.XXX
        Port   5555
        Exec   to_syslog_bsd();
    </Output>

    # the Input block above is named "in" (the route originally read "ivx => out")
    <Route>
        Path in => out
    </Route>

Any tips or ideas?

-- 
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/f0acb92f-3175-42a9-973e-bfd1685e0faf%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/CAGm-bLZJoPzGx-b6LmuPg046ZRG3snejbXw-4Y11e%3D0Ex3e%2BGw%40mail.gmail.com.
