I have a Graylog NXLog configuration that contains a multiline input. I'm trying to figure out what the best regex would be for the HeaderLine to delimit each message as a group for each instance of a username that appears in the log.
This is the desired output:
Message 1 should contain:
Username : <Username1> Index : <Index>
Assigned IP : <IP1> Public IP : <IP2>
Group Policy : <GroupPolicy>
Login Time : 15:15:34 UTC Fri Nov 1 2019
Message 2 should contain:
Username : <Username2> Index : <Index>
Assigned IP : <IP1> Public IP : <IP2>
Group Policy : <GroupPolicy>
Login Time : 15:16:12 UTC Fri Nov 1 2019
Instead, this is what happens:
Message 1: Username
Message 2: Index
Message 3: Assigned IP
Message 4: Public IP
So on and so forth. Looking for advice on what should be put in the HeaderLine so the logs are delimited and can be read properly. Thanks in advance!
Comments (3)
Could you please paste some input examples?
These are what the current log entries look like.
2019-11-04 17:33:13.000 <servername>
Username : <username> Index : <index>
2019-11-04 17:33:13.000 <servername>
Assigned IP : <assigned IP> Public IP : <public IP>
2019-11-04 17:33:13.000 <servername>
Username : <username> Index : <index>
2019-11-04 17:33:13.000 <servername>
Group Policy : <group policy> Tunnel Group : <tunnel group>
2019-11-04 17:33:13.000 <servername>
Login Time : <login time>
2019-11-04 17:33:13.000 <servername>
Assigned IP : <assigned IP> Public IP : <public IP>
2019-11-04 17:33:13.000 <servername>
Group Policy : <group policy> Tunnel Group : <tunnel group>
2019-11-04 17:33:13.000 <servername>
Login Time : <login time>
2019-11-04 17:33:13.000 <servername>
Username : <username> Index : <index>
2019-11-04 17:33:13.000 <servername>
Assigned IP : <assigned IP> Public IP : <public IP>
2019-11-04 17:33:13.000 <servername>
Group Policy : <group policy> Tunnel Group : <tunnel group>
2019-11-04 17:33:13.000 <servername>
Login Time : <login time>
What they should look like is:
2019-11-04 17:33:13.000 <servername>
Username : <username> Index : <index>
Assigned IP : <assigned IP> Public IP : <public IP>
Group Policy : <group policy> Tunnel Group : <tunnel group>
Login Time : <login time>
2019-11-04 17:33:13.000 <servername>
Username : <username> Index : <index>
Assigned IP : <assigned IP> Public IP : <public IP>
Group Policy : <group policy> Tunnel Group : <tunnel group>
Login Time : <login time>
Is the timestamp the start of the message? Or is the username the start of the message?
It looks like you need to use xm_multiline and set your header to either /^\d+-\d+-\d+/ (date) or /^Username/ (username).
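To see what each of the two suggested HeaderLine patterns actually does on the log shape posted above, here is an added example (not from the thread or from the NXLog project) that emulates the xm_multiline rule "a line matching HeaderLine opens a new record; every other line is appended to the current record". The sample lines, the server name, usernames and addresses are constructed; the behaviour of keeping lines seen before the first header as their own record, and the merge_timestamp_lines helper that pairs each stand-alone timestamp line with the content line after it, are assumptions made for this illustration and not NXLog features.

```python
import re

# Constructed sample mirroring the thread: every content line is preceded by
# its own timestamp/server line (server name, names and addresses are made up).
SAMPLE_LINES = [
    "2019-11-04 17:33:13.000 vpn01",
    "Username : alice Index : 12",
    "2019-11-04 17:33:13.000 vpn01",
    "Assigned IP : 10.0.0.5 Public IP : 203.0.113.7",
    "2019-11-04 17:33:13.000 vpn01",
    "Group Policy : staff Tunnel Group : remote",
    "2019-11-04 17:33:13.000 vpn01",
    "Login Time : 15:15:34 UTC Fri Nov 1 2019",
    "2019-11-04 17:33:13.000 vpn01",
    "Username : bob Index : 13",
    "2019-11-04 17:33:13.000 vpn01",
    "Assigned IP : 10.0.0.6 Public IP : 198.51.100.9",
    "2019-11-04 17:33:13.000 vpn01",
    "Group Policy : staff Tunnel Group : remote",
    "2019-11-04 17:33:13.000 vpn01",
    "Login Time : 15:16:12 UTC Fri Nov 1 2019",
]

# Matches the stand-alone "<date> <time>.<ms> <servername>" lines in the sample.
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} \S+$")


def group_by_header(lines, header_re):
    """Emulate a HeaderLine-style splitter: a line matching header_re starts a
    new record, all other lines are appended to the open record. Lines that
    appear before the first header are kept as a leading record (assumption
    for this emulation; check the module's own handling of that edge case)."""
    pattern = re.compile(header_re)
    records = []
    current = None
    for line in lines:
        if pattern.search(line):
            if current is not None:
                records.append(current)
            current = [line]
        else:
            if current is None:
                current = []
            current.append(line)
    if current is not None:
        records.append(current)
    return records


def merge_timestamp_lines(lines):
    """Hypothetical pre-processing step: join each stand-alone timestamp line
    with the content line that follows it, so every content line carries its
    own timestamp and the header regex can key on 'Username' alone."""
    merged = []
    pending = None
    for line in lines:
        if TIMESTAMP_RE.match(line):
            if pending is not None:  # two timestamp lines in a row: keep the orphan
                merged.append(pending)
            pending = line
        elif pending is not None:
            merged.append(pending + " " + line)
            pending = None
        else:
            merged.append(line)
    if pending is not None:
        merged.append(pending)
    return merged


def demo():
    """Return the three groupings so they can be compared side by side."""
    by_date = group_by_header(SAMPLE_LINES, r"^\d+-\d+-\d+")     # 8 two-line records
    by_user = group_by_header(SAMPLE_LINES, r"^Username")       # timestamp lands at the END of each record
    by_user_merged = group_by_header(merge_timestamp_lines(SAMPLE_LINES), r"\bUsername :")  # 2 records, one per login
    return by_date, by_user, by_user_merged


if __name__ == "__main__":
    for label, records in zip(("date header", "username header", "merged + username header"), demo()):
        print(f"== {label}: {len(records)} record(s)")
        for rec in records:
            print("   " + " | ".join(rec))
```

Running the block shows why the two suggestions give different shapes: the date header opens a new record on every timestamp line, so each record is just a timestamp plus one content line, while the username header collects the four content lines for a login but attaches the timestamp line of the next entry to the tail of the previous record. Only after the timestamp lines are merged into their content lines does a username-based header yield the four-line-per-user output the thread asks for.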