I've set up Snort integration with Graylog via https://www.graylog.org/blog/64-visualize-and-correlate-ids-alerts-with-open-source-tools. It's working quite well. Now that I have a place to store remote logs I thought I'd try and add those to Graylog too. I have syslog-ng listening on my Graylog server and messages are rolling in from my remote servers. I've created a stream, pipeline and stage to extract fields based on a regex for a portion of the logs which deal with an IDS appliance.

When I click on the "Streams" menu item at the top of the Graylog UI, I can select my IDS log stream and view the messages it's extracted. It seems to be working correctly, except I don't see any of the fields I've set in my pipeline rule. It appears to be using the fields from the Snort integration example (src_addr, src_port, snort_alert, etc.). What have I missed? Thanks.
-- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/32f520b9-3f62-4314-b11b-afcb2ee6a670%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
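An added example, not from the original post, of the kind of pipeline rule the question describes: it handles only the IDS appliance lines, extracts fields with a named regex and writes them onto the message with set_fields. The log line layout, the "ids-appliance" marker, the rule name and all field names are assumptions; the rule must sit in a stage of a pipeline that is connected to the IDS stream before the fields show up on that stream's messages.

```graylog
rule "extract IDS appliance fields"
when
  // Only act on lines from the IDS appliance (constructed marker; adjust to your logs)
  has_field("message") &&
  contains(to_string($message.message), "ids-appliance", true)
then
  // Constructed log layout assumed here:
  //   ids-appliance: ALERT sig="ET SCAN Nmap" src=10.0.0.5:51234 dst=10.0.0.9:22 sev=2
  // Group names are given explicitly so the returned map uses them as keys.
  // Prefixed names avoid colliding with the Snort example's src_addr/src_port fields.
  let m = regex(
    "^.*sig=\"([^\"]+)\" src=(\\d+\\.\\d+\\.\\d+\\.\\d+):(\\d+) dst=(\\d+\\.\\d+\\.\\d+\\.\\d+):(\\d+) sev=(\\d+).*$",
    to_string($message.message),
    ["ids_signature", "ids_src_addr", "ids_src_port", "ids_dst_addr", "ids_dst_port", "ids_severity"]
  );
  // Write every named capture as its own message field
  set_fields(m);
  // Mark the message so a later stage or a search can tell which rule produced the fields
  set_field("ids_parsed_by", "extract IDS appliance fields");
end
```

If the fields are still missing, check in the message detail view that the rule actually fired: a rule whose "when" clause never matches adds nothing, and a pipeline that is not connected to the stream is never run for it.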
