Hi Daniel, maybe using a normal Grok extractor would be sufficient for your needs, e.g. https://gist.github.com/MiteshShah/6879e09b6999d5c8e77c.
Regarding your Drools rules file, please check the logs of your Graylog node for errors.

Cheers,
Jochen

On Tuesday, 9 August 2016 18:31:44 UTC+2, Daniel Reif wrote:
>
> Hi guys,
>
> I can't figure out why my Drools squid rule does not work.
> I have the following entry in Graylog:
>
> And this is my rule.drl
>
> [root@localhost server]# cat rules.drl
> import java.util.regex.Matcher;
> import java.util.regex.Pattern;
> import java.net.InetAddress;
>
> /*
> Raw Syslog: squid[2099]: 1339551529.881 55647 1.2.3.4 TCP_MISS/200 22 GET http://www.google.com/
>
> squid\[\d+\]: (\d+\.\d+) *(\d+) *(\d+.\d+.\d+.\d+) *(\w+\/\w+) (\d+) (\w+) (.*)
> matched: 13:1339551529.881
> matched: 29:55647
> matched: 35:1.2.3.4
> matched: 47:TCP_MISS/200
> matched: 60:22
> matched: 64:GET
> matched: 68:http://www.google.com/
> */
>
> rule "Squid Logging to GELF"
>     when
>         m : Message( getField("facility") == "user-level" )
>     then
>         // Groups: 1 timestamp, 2 elapsed ms, 3 client IP, 4 result/status, 5 size, 6 method, 7 URL
>         Matcher matcher = Pattern.compile("squid\\[\\d+\\]: (\\d+.\\d+) *(\\d+) *(\\d+.\\d+.\\d+.\\d+) *(\\w+\\/\\w+) (\\d+) (\\w+) (.*)").matcher(m.getMessage());
>
>         if (matcher.find()) {
>             m.addField("facility", "squid");
>             // Reverse-resolve the client IP and use the hostname as the message source
>             InetAddress addr = InetAddress.getByName(matcher.group(3));
>             String host = addr.getHostName();
>             m.addField("source", host);
>             m.addField("message", matcher.group(6) + " " + matcher.group(7));
>             m.addField("_status", matcher.group(4));
>             m.addField("_size", matcher.group(5));
>         }
> end
>
> but the status fields and size are not shown:
>
> I do not know if I did not understand how Drools should work or if my setting is wrong.
> Anyway, I wish I could separate the squid log fields to generate reports for sites / users / IPs etc.
>
> Daniel William Reif
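As an added example, not code from this thread, here is a Python parser for the squid native access-log format that the rule above targets, with the same fields the Drools rule extracts (result/status, size, method, URL) and a small per-client / per-site summary of the kind Daniel asks about. It assumes (my assumption, not something the thread confirms) that the message body may or may not still carry the "squid[pid]:" syslog prefix, so the prefix is optional in the regex; the first sample line is the one quoted in the post, the others are constructed.

```python
import re
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

# Named-group equivalent of the regex in the Drools rule. The "squid[pid]:"
# prefix is optional (assumption): a syslog input may already have moved the
# program name and PID out of the message body, in which case a pattern that
# insists on the prefix never matches and no fields are added.
SQUID_LINE = re.compile(
    r"^(?:squid\[(?P<pid>\d+)\]:\s*)?"
    r"(?P<timestamp>\d+\.\d+)\s+"
    r"(?P<elapsed_ms>\d+)\s+"
    r"(?P<client_ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<result>\w+)/(?P<status>\d{3})\s+"
    r"(?P<size>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)"
    # Trailing native-format fields (user, hierarchy/peer, content type), if present.
    r"(?:\s+(?P<user>\S+)\s+(?P<hierarchy>\S+)\s+(?P<content_type>\S+))?"
)

# Constructed sample input; the first line is the raw syslog line quoted in the post.
SAMPLE_LINES = [
    "squid[2099]: 1339551529.881 55647 1.2.3.4 TCP_MISS/200 22 GET http://www.google.com/",
    # Constructed: prefix already stripped, trailing native fields present.
    "1339551530.002 12 10.0.0.7 TCP_HIT/200 5120 GET http://www.google.com/favicon.ico - NONE/- image/x-icon",
    # Constructed: CONNECT request, which carries host:port instead of a URL.
    "1339551531.117 842 10.0.0.7 TCP_TUNNEL/200 3981 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.10 -",
    # Constructed: an unrelated user-level message that must not match.
    "sshd[1201]: Accepted publickey for alice from 10.0.0.9 port 52214",
]


def parse_squid_line(line: str) -> Optional[dict]:
    """Return the squid fields of one log line, or None if it is not a squid line."""
    m = SQUID_LINE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    return {
        "facility": "squid",
        "pid": int(f["pid"]) if f["pid"] else None,
        "timestamp": float(f["timestamp"]),
        "elapsed_ms": int(f["elapsed_ms"]),
        "client_ip": f["client_ip"],      # kept as an IP; no reverse lookup on the ingest path
        "result": f["result"],            # e.g. TCP_MISS
        "status": int(f["status"]),       # HTTP status as a number, so it can be filtered on
        "size": int(f["size"]),
        "method": f["method"],
        "url": f["url"],
        "user": f["user"],
        "hierarchy": f["hierarchy"],
        "content_type": f["content_type"],
        # Same message rewrite the Drools rule performs: method + URL.
        "message": f"{f['method']} {f['url']}",
    }


def site_of(url: str) -> str:
    """Host part of the request target; CONNECT lines carry only host:port."""
    if "://" in url:
        return urlsplit(url).hostname or url
    return url.split(":", 1)[0]


def summarize(lines) -> dict:
    """Per-client and per-site request counts, plus how many lines did not parse."""
    by_client, by_site = Counter(), Counter()
    unparsed = 0
    for line in lines:
        fields = parse_squid_line(line)
        if fields is None:
            unparsed += 1
            continue
        by_client[fields["client_ip"]] += 1
        by_site[site_of(fields["url"])] += 1
    return {"by_client": dict(by_client), "by_site": dict(by_site), "unparsed": unparsed}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_squid_line(line))
    print(summarize(SAMPLE_LINES))
```

Two design points differ from the rule in the post. The client address is stored as a field of its own rather than passed through InetAddress.getByName(...).getHostName(): a reverse lookup per message slows the ingest path and can stall it when DNS is unavailable, and the PTR record is set by whoever controls the address, so the resulting name is not something a report should treat as an identity. The HTTP status is also stored as a number separately from the result code, so searches such as status >= 400 work without string matching.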
