[graylog2] Windows RAW/Plaintext input, parsing/extractor Question

darknetone
2017-01-17 17:15:51 UTC
We have a bunch of Windows machines running Splunk Universal Forwarders
(don't ask why, just know that this is how it is happening), and are
presently sending their output into Graylog 2 as Raw/Plaintext, my only
option in this case, unless you know of a better way while still using the
Splunk Universal Forwarders. So my question is how to parse/build an
extractor; any advice, as I want to be able to deal with my data as I would
if it came in via a non-RAW format.

Thanks in advance for any wisdom.
--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/9f493838-2605-4ed2-86dc-fa5db7f62bf3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Jochen Schalanda
2017-01-18 10:29:22 UTC
Hi,

what format do the Splunk Universal Forwarders use? Is it text-based or is
it a binary format?

If it's text-based, you can simply use extractors
<http://docs.graylog.org/en/2.1/pages/extractors.html> or the message processing
pipelines <http://docs.graylog.org/en/2.1/pages/pipelines.html> to parse
the messages from a Raw/Plaintext input.

Cheers,
Jochen
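To make the "just use extractors or a pipeline rule" advice concrete, here is an added example (not from this thread or from Graylog) of the field extraction such a rule has to perform. It assumes the forwarder emits each Windows event as a timestamp line followed by `Key=Value` lines and a free-form `Message=` body, which is an assumption about the uncooked output; the sample event is constructed.

```python
import re
from datetime import datetime

# Constructed sample event. The layout (timestamp line, Key=Value lines, then a
# multi-line Message body) is an ASSUMPTION about uncooked Splunk UF output.
SAMPLE = """01/17/2017 05:15:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=WS01.example.local
TaskCategory=Logon
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
\tSecurity ID:\t\tS-1-5-18
\tAccount Name:\t\tWS01$
"""

KV_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9_]*)=(.*)$")
TS_LINE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$")


def parse_windows_raw(text):
    """Turn one raw text event into a dict of fields, as a Graylog extractor
    or pipeline rule would. Everything after 'Message=' is kept as the body,
    so '=' characters inside the free-form message cannot leak new fields."""
    fields, body, in_message = {}, [], False
    for line in text.splitlines():
        if not fields and TS_LINE.match(line):
            ts = datetime.strptime(line, "%m/%d/%Y %I:%M:%S %p")
            fields["event_time"] = ts.isoformat()
            continue
        if in_message:
            body.append(line)
            continue
        m = KV_LINE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "Message":
                in_message, body = True, [value]
            else:
                fields[key] = value
    if body:
        fields["Message"] = "\n".join(body).strip()
    # Numeric EventCode lets dashboards and alerts compare on a number field.
    if fields.get("EventCode", "").isdigit():
        fields["EventCode"] = int(fields["EventCode"])
    return fields
```

In Graylog the same logic maps to one regex extractor per `Key=` field (or a single pipeline rule), with the `Message` body handled separately so its free text never gets split into fields.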
darknetone
2017-01-19 14:31:00 UTC
I have them set to not cook the data so I get raw text out. My question is
this: has anyone built an extractor or parser to deal with Windows output
as raw/plaintext? And I ask this because there are plenty of non-RAW data
options; however, I need to use the Splunk UF, which means I am stuck with RAW
data as an input for Graylog. I was hoping to find a pre-built extractor
for Windows data. I hope this clears up my question.