You could use the key=value copy extractor (http://docs.graylog.org/en/2.0/pages/extractors.html#automatically-extract-all-key-value-pairs)
That gets all the data into fields. Then after that, it depends what you want to achieve. On Monday, 22 August 2016 13:10:42 UTC+1, Aleksey Chudov wrote: > > Hi, > > I've searched Google and Graylog Marketplace for a plugin to parse Linux > audit log messages with no success. > > Some details about audit logs > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Understanding_Audit_Log_Files.html > > Actually, audit event consists of three records, which share the same time > stamp and serial number. Each record consists of several name=value pairs > separated by a white space or a comma. > > What is the best way to parse audit log messages? I'm thinking of writing > custom Graylog plugin. > > Regards, > Aleksey > -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/73087615-744a-448c-9fe1-4e97c33e255d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
