Hi guys, I can't figure out why my Drools squid rule does not work. I have the following entry in graylog:
And this is my rules.drl:

[root@localhost server]# cat rules.drl
import java.util.regex.Matcher
import java.util.regex.Pattern
import java.net.InetAddress;

/*
 Raw Syslog: squid[2099]: 1339551529.881 55647 1.2.3.4 TCP_MISS/200 22 GET http://www.google.com/

 squid\[\d+\]: (\d+\.\d+) *(\d+) *(\d+\.\d+\.\d+\.\d+) *(\w+\/\w+) (\d+) (\w+) (.*)

 matched: 13:1339551529.881
 matched: 29:55647
 matched: 35:1.2.3.4
 matched: 47:TCP_MISS/200
 matched: 60:22
 matched: 64:GET
 matched: 68:http://www.google.com/
*/

rule "Squid Logging to GELF"
  when
    m : Message( getField("facility") == "user-level" )
  then
    // Group 1: timestamp, 2: duration, 3: client IP, 4: cache result/HTTP status,
    // 5: size, 6: method, 7: URL (dots in the timestamp and IP are escaped so they
    // match a literal "." rather than any character)
    Matcher matcher = Pattern.compile("squid\\[\\d+\\]: (\\d+\\.\\d+) *(\\d+) *(\\d+\\.\\d+\\.\\d+\\.\\d+) *(\\w+\\/\\w+) (\\d+) (\\w+) (.*)").matcher(m.getMessage());
    if (matcher.find()) {
      m.addField("facility", "squid");
      // Reverse-resolve the client IP and use the hostname as the message source
      InetAddress addr = InetAddress.getByName(matcher.group(3));
      String host = addr.getHostName();
      m.addField("source", host);
      m.addField("message", matcher.group(6) + " " + matcher.group(7));
      m.addField("_status", matcher.group(4));
      m.addField("_size", matcher.group(5));
    }
end

but the status and size fields are not shown. I do not know if I did not understand how Drools should work or if my setup is wrong. Anyway, I wish I could separate the squid log fields to generate reports for sites / users / IPs etc.

Daniel William Reif
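To check what the rule's regex actually captures before debugging the Graylog side, here is an added stand-alone example (not part of the post and not Graylog or Drools code) that applies the same pattern to the raw syslog line quoted above and builds the same additional fields the rule adds, plus the cache result and HTTP status split out of group 4. The sample lines are constructed, and the reverse DNS lookup the rule performs is left out so it runs offline.

```python
import re
from typing import Optional

# The pattern from the Drools rule, with named groups and the "." in the
# timestamp and IP escaped so it only matches a literal dot.
SQUID_RE = re.compile(
    r"squid\[\d+\]: (?P<timestamp>\d+\.\d+) *(?P<duration>\d+) *"
    r"(?P<client_ip>\d+\.\d+\.\d+\.\d+) *(?P<result>\w+/\w+) "
    r"(?P<size>\d+) (?P<method>\w+) (?P<url>.*)"
)

# Constructed sample input: the first line is the raw syslog entry quoted in the
# rule's comment; the second is a non-squid user-level message that the rule's
# matcher.find() should reject.
SAMPLE_LINES = [
    "squid[2099]: 1339551529.881 55647 1.2.3.4 TCP_MISS/200 22 GET http://www.google.com/",
    "sshd[4242]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
]


def parse_squid_line(line: str) -> Optional[dict]:
    """Return the GELF-style fields the rule would add for one message,
    or None when the line is not a squid access-log entry."""
    m = SQUID_RE.search(line)
    if m is None:
        return None
    # Group 4 ("TCP_MISS/200") carries two facts worth separate fields
    # for the per-site / per-user / per-IP reports the post asks about.
    cache_result, _, http_status = m.group("result").partition("/")
    return {
        "facility": "squid",
        "message": f"{m.group('method')} {m.group('url')}",
        "_status": m.group("result"),
        "_cache_result": cache_result,
        "_http_status": int(http_status),
        "_size": int(m.group("size")),
        "_duration_ms": int(m.group("duration")),
        "_client_ip": m.group("client_ip"),
        "_timestamp": float(m.group("timestamp")),
    }


def parse_all(lines):
    """Parse every line; non-matching lines yield None so callers can count them."""
    return [parse_squid_line(line) for line in lines]


if __name__ == "__main__":
    for line, fields in zip(SAMPLE_LINES, parse_all(SAMPLE_LINES)):
        print(line, "->", fields)
```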
