I've set up Snort integration with Graylog via 
https://www.graylog.org/blog/64-visualize-and-correlate-ids-alerts-with-open-source-tools.
 
It's working quite well. Now that I have a place to store remote logs I 
thought I'd try and add those to Graylog too.  I have syslog-ng listening 
on my Graylog server and messages are rolling in from my remote servers. 
I've created a stream, pipeline and stage to extract fields based on a 
regex for a portion of the logs which deal with an IDS appliance.  When I 
click on the "Streams" menu item at the top of the Graylog UI, I can select 
my IDS log stream and view the messages it's extracted. It seems to be 
working correctly, except I don't see any of the fields I've set in my 
Pipeline rule. It appears to be using the fields from the Snort integration 
example (scr_addr, src_port, snort_alert, etc). What have I missed? Thanks.
