The Sophos UTM remote syslog capabilities use a non-standard message format. Importing them into Graylog requires the use of a "Raw/plain text" input (either TCP or UDP will be fine) together with extractors parsing the lines into the standard syslog fields.
The extractors in this repository will do the following:

- Extract the fields `facility`, `level`, `source`, `application_name` and `process_id` (only if present in the line; e.g. it won't be with kernel messages).
- Modify the `message` field so that it no longer contains the fields extracted in step 1.

As the change in step 2 is destructive, the extractor named `Syslog field "message"` must be the last extractor in the list.
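To make the ordering requirement concrete, here is an added example (not the repository's `extractors.json`) that models the two steps as a small extractor pipeline in Python. The line layout matched by `_HDR_RE` and both sample lines are constructed assumptions for this example, not the exact regex the repository's extractors use.

```python
import re

# Assumed header layout (constructed for this example): timestamp, hostname,
# "facility.level", then "app[pid]: " and the payload. Kernel lines have no "[pid]".
_HDR_RE = re.compile(
    r'^(?P<timestamp>\S+) (?P<source>\S+) (?P<facility>[a-z0-9]+)\.(?P<level>[a-z]+) '
    r'(?P<application_name>[^\s:\[]+)(?:\[(?P<process_id>\d+)\])?: '
)

# Constructed sample lines: one daemon message with a pid, one kernel message without.
SAMPLE_LINES = [
    '2024:01:15-10:12:13 utm-fw daemon.info sshd[1234]: Accepted publickey for admin',
    '2024:01:15-10:12:14 utm-fw kern.warning kernel: link up on eth0',
]

FIELDS = ["facility", "level", "source", "application_name", "process_id"]


def field_extractor(field):
    """Build a non-destructive extractor copying one header group into its own field."""
    def run(msg):
        m = _HDR_RE.match(msg["message"])
        if m and m.group(field) is not None:   # process_id is absent on kernel lines
            msg[field] = m.group(field)
        return msg
    return run


def message_extractor(msg):
    """Destructive step 2: strip the header so 'message' keeps only the payload."""
    msg["message"] = _HDR_RE.sub("", msg["message"], count=1)
    return msg


def run_extractors(line, extractors):
    """Apply extractors in list order, as Graylog does, starting from the raw line."""
    msg = {"message": line}
    for extractor in extractors:
        msg = extractor(msg)
    return msg


# Correct order: field extractors first, the destructive "message" extractor last.
CORRECT_ORDER = [field_extractor(f) for f in FIELDS] + [message_extractor]
# Wrong order: the header is gone before the field extractors get to see it.
WRONG_ORDER = [message_extractor] + [field_extractor(f) for f in FIELDS]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("correct:", run_extractors(line, CORRECT_ORDER))
        print("wrong:  ", run_extractors(line, WRONG_ORDER))
```

Running it shows that with the wrong order the `facility`, `level`, `source` and `application_name` fields are simply never set, which is the silent failure the "last extractor" rule prevents.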
- In Graylog, create an input of type `Raw/Plaintext (TCP)` or `Raw/Plaintext (UDP)`.
- After creating the input, click on the corresponding `Manage extractors` button.
- In the upper right click on `Actions` and select `Import extractors`.
- Copy & paste the extractors from the `extractors.json` file in this repository.
- Optionally use the `Sort extractors` button after importing them. As stated above, make sure the `Syslog field "message"` extractor is the last one run.
User habibmbacfou provides extractors for various other fields in the message parts. Their extractors can be used with my extractors at the same time.
I appreciate bug reports or merge requests. You can also contact me at m.bunkus@linet-services.de