Hi there

I have an incoming syslog stream that, amongst working data, also contains 
borked syslog records from Snare, which is a Windows EventLog to syslog 
service.

The problem is the application_id ends up as 
"MSWinEventLog<tab>0<tab>Security" and the message begins with

Sun Jul 26 03:36:53 2015 4769 Microsoft-Windows-Security-Auditing hostname 
blah blah

i.e. application_id should be "Microsoft-Windows-Security-Auditing" and 
message should begin with "blah" (i.e. the extra timestamp etc. should be 
thrown away).


I have a tonne of these servers, which I don't control, so I want to fix up 
this data as it enters Graylog. The "extractor" option looks like it 
doesn't allow you to rewrite some fields, such as message, so is there 
some other way of me achieving my goal?

Thanks
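Added example (not part of the original post, and not Graylog or Snare code): the field rewrite described above, modelled in Python so the logic can be checked against a sample record before it is ported to whatever ingest-side mechanism is used. It assumes the Snare fields are tab-separated (the post shows `<tab>` in application_id, and `\s+` also tolerates spaces), that the message prefix is timestamp, event id, source name, hostname and then the real message, and that records whose application_id does not start with `MSWinEventLog` must pass through untouched. The sample event and the extra field names (`event_id`, `source_host`, `windows_log`, `snare_parse_failed`) are constructed for the example.

```python
import re

# Constructed sample, modelled on the record quoted in the post.  Tabs are
# assumed as the separator; the actual Snare output was not shown verbatim.
SAMPLE_EVENT = {
    "application_id": "MSWinEventLog\t0\tSecurity",
    "message": (
        "Sun Jul 26 03:36:53 2015\t4769\t"
        "Microsoft-Windows-Security-Auditing\thostname\tblah blah"
    ),
}

# Leading fields of the message as they appear in the post: a ctime-style
# timestamp (day of month may be space-padded), the numeric event id, the
# source name, the hostname, and the remainder.  \s+ accepts tabs or spaces.
SNARE_PREFIX = re.compile(
    r"^(?P<timestamp>[A-Za-z]{3} [A-Za-z]{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<event_id>\d+)\s+"
    r"(?P<source>\S+)\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<rest>.*)$",
    re.DOTALL,
)


def is_snare_record(event):
    """Only records whose application_id carries the Snare header are touched."""
    return event.get("application_id", "").startswith("MSWinEventLog")


def normalise_snare(event):
    """Return a copy of the event with application_id and message rewritten.

    Non-Snare events are returned unchanged.  Snare events that do not match
    the expected layout are returned unchanged but flagged, so nothing is
    silently destroyed on the way into the log store.
    """
    out = dict(event)
    if not is_snare_record(event):
        return out

    match = SNARE_PREFIX.match(event.get("message", ""))
    if match is None:
        out["snare_parse_failed"] = True  # hypothetical marker field
        return out

    # The original application_id holds: header, criticality, Windows log name.
    header = re.split(r"\s+", event["application_id"])
    if len(header) >= 3:
        out["snare_criticality"] = header[1]
        out["windows_log"] = header[2]

    out["application_id"] = match.group("source")
    out["message"] = match.group("rest")
    out["event_id"] = int(match.group("event_id"))
    out["source_host"] = match.group("host")
    out["windows_event_time"] = match.group("timestamp")
    return out


if __name__ == "__main__":
    fixed = normalise_snare(SAMPLE_EVENT)
    print(fixed["application_id"])  # Microsoft-Windows-Security-Auditing
    print(fixed["message"])         # blah blah
```

The pass-through for non-Snare records and the flag on unparseable Snare records are the two behaviours worth keeping when this is ported: a rewrite that runs on every message must never mangle the working data in the same stream, and a record that fails to parse should remain searchable rather than be dropped.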
