I’m running nxlog on an Ubuntu 14.04 system which is parsing the log from an Atlassian Confluence instance. Nxlog is then sending the data to a Graylog2 server via GELF UDP.
The log messages are often multiline. I’m catching the messages properly, but I’m having issues in getting the parsed bits of data out to Graylog in the right format. Specifically, I want to explicitly set the value of some of the fields that are sent to Graylog. For example, there is a field which is displayed in Graylog as “level”. In nxlog.conf, I have statements in an Exec clause which go like this:

    <Input confluence>
        Module im_file
        File "/opt/atlassian/application-data/confluence/logs/atlassian-confluence.log"
        InputType multiline
        SavePos false
        ReadFromLast false
        Exec if $raw_event =~ /^(\d{4}\-\d{2}\-\d{2} \d{2}\:\d{2}\:\d{2}),\d{3} (\S+) \[(.+?)\] \[(.+?)\] (.+?) (.+)/s \
        { \
            $EventTime = parsedate($1); \
            $SyslogSeverity = $2; \
            $Severity = $2; \
            $Level = $2; \
            $level = $2; \
            $Thread = $3; \
            $Class = $4; \
            $Operation = $5; \
            $Message = $6; \
        }
    </Input>

In Graylog, when I look at a parsed message, I can see “Level” and “Severity” fields set properly, but “level” is always “Info [6]”. Is there a map of those field names and how to set them explicitly?

Thanks!
-Pete
_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
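
Added example, not part of the original post and not nxlog code: GELF's "level" field is a numeric syslog severity, so this Python example applies the regular expression from the post to one multiline event and builds a GELF 1.1 payload with the level name mapped to a number. The sample event, the host name "confluence01", the name-to-number mapping and the UTC timestamp handling are assumptions made for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Same pattern as the Exec statement in the post; re.S lets the last group span lines.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} (\S+) \[(.+?)\] \[(.+?)\] (.+?) (.+)",
    re.S,
)

# Assumed mapping from log4j-style level names to syslog severities (0-7).
SYSLOG_LEVEL = {"FATAL": 2, "ERROR": 3, "WARN": 4, "INFO": 6, "DEBUG": 7, "TRACE": 7}


def to_gelf(raw_event, host="confluence01"):
    """Return a GELF 1.1 dict for one (possibly multiline) event, or None."""
    m = LINE_RE.match(raw_event)
    if m is None:
        return None
    stamp, level_name, thread, cls, operation, message = m.groups()
    # Assumption: log timestamps are UTC; adjust tzinfo for the server's zone.
    ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "version": "1.1",
        "host": host,
        "short_message": message.splitlines()[0],
        "full_message": message,
        "timestamp": ts.timestamp(),
        # GELF "level" must be a number; unknown names fall back to 6 (info).
        "level": SYSLOG_LEVEL.get(level_name.upper(), 6),
        # Additional fields carry a leading underscore in GELF.
        "_level_name": level_name,
        "_thread": thread,
        "_class": cls,
        "_operation": operation,
    }


# Constructed sample event (not from a real Confluence log).
SAMPLE = (
    "2015-03-02 10:15:30,123 ERROR [http-8090-7] [atlassian.confluence.Example] "
    "execute Failed to render page\n"
    "java.lang.IllegalStateException: constructed stack trace line\n"
    "\tat com.example.Demo.run(Demo.java:42)"
)

if __name__ == "__main__":
    print(json.dumps(to_gelf(SAMPLE), indent=2))
```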