I've setup Snort integration with Graylog via
https://www.graylog.org/blog/64-visualize-and-correlate-ids-alerts-with-open-source-tools.
It's working quite well. now that I have a place to store remote logs I
thought I'd try and add those to Graylog too. I have syslog-ng listening
on my Graylog server and messages are rolling in from my remote servers.
I've created a stream, pipeline and stage to extract fields based on a
regex for a portion of the logs which deal with an IDS appliance. When I
click on the "Streams" menu item at the top of the Graylog UI, I can select
my IDS log stream and view the messages it's extracted. It seems to be
working correctly, except I don't see any of the fields I've set in my
Pipeline rule. It appears to be using the fields from the Snort integration
example (scr_addr, src_port, snort_alert, etc). What have I missed? Thanks.