I have a Graylog NXLog configuration that contains a multiline input. I'm trying to figure out what the best regex would be for the HeaderLine to delimit each message as a group for each instance of a username that appears in the log.

This is the desired output:

Message 1 should contain:
Username : <Username1> Index : <Index>
Assigned IP : <IP1> Public IP : <IP2>
Group Policy : <GroupPolicy>
Login Time : 15:15:34 UTC Fri Nov 1 2019

Message 2 should contain:
Username : <Username2> Index : <Index>
Assigned IP : <IP1> Public IP : <IP2>
Group Policy : <GroupPolicy>
Login Time : 15:16:12 UTC Fri Nov 1 2019

Instead, this is what happens:

Message 1: Username
Message 2: Index
Message 3: Assigned IP
Message 4: Public IP

So on and so forth. Looking for advice on what should be put in the HeaderLine so the logs are delimited and can be read properly. Thanks in advance!

Asked November 2, 2019 - 1:05am

Comments (3)

  • ajtjavier:

    These are what the current log entries look like.

    2019-11-04 17:33:13.000 <servername>
    Username : <username> Index : <index>

    2019-11-04 17:33:13.000 <servername>
    Assigned IP : <assigned IP> Public IP : <public IP>

    2019-11-04 17:33:13.000 <servername>
    Username : <username> Index : <index>

    2019-11-04 17:33:13.000 <servername>
    Group Policy : <group policy> Tunnel Group : <tunnel group>

    2019-11-04 17:33:13.000 <servername>
    Login Time : <login time>

    2019-11-04 17:33:13.000 <servername>
    Assigned IP : <assigned IP> Public IP : <public IP>

    2019-11-04 17:33:13.000 <servername>
    Group Policy : <group policy> Tunnel Group : <tunnel group>

    2019-11-04 17:33:13.000 <servername>
    Login Time : <login time>

    2019-11-04 17:33:13.000 <servername>
    Username : <username> Index : <index>

    2019-11-04 17:33:13.000 <servername>
    Assigned IP : <assigned IP> Public IP : <public IP>

    2019-11-04 17:33:13.000 <servername>
    Group Policy : <group policy> Tunnel Group : <tunnel group>

    2019-11-04 17:33:13.000 <servername>
    Login Time : <login time>

    What they should look like is:

    2019-11-04 17:33:13.000 <servername>
    Username : <username> Index : <index>
    Assigned IP : <assigned IP> Public IP : <public IP>
    Group Policy : <group policy> Tunnel Group : <tunnel group>
    Login Time : <login time>

    2019-11-04 17:33:13.000 <servername>
    Username : <username> Index : <index>
    Assigned IP : <assigned IP> Public IP : <public IP>
    Group Policy : <group policy> Tunnel Group : <tunnel group>
    Login Time : <login time>

  • dlang:

    Is the timestamp the start of the message? Or is the username the start of the message?

    It looks like you need to use xm_multiline and set your header to either /^\d+-\d+-\d+/ (date) or /^Username/ (username).

Answers (0)
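To make the difference between the two HeaderLine candidates concrete, here is an added example (not NXLog code and not written by either poster) that reproduces the HeaderLine grouping rule in plain Python over a constructed log in the layout posted above; the host name, usernames, addresses and policy names are made up.

```python
import re

# Constructed sample in the layout posted in the thread: each entry is a
# "timestamp host" line followed by one field line. All values are made up.
SAMPLE_LOG = """\
2019-11-04 17:33:13.000 vpn-gw1
Username : alice Index : 12
2019-11-04 17:33:13.000 vpn-gw1
Assigned IP : 10.0.0.5 Public IP : 198.51.100.7
2019-11-04 17:33:13.000 vpn-gw1
Group Policy : GP-STD Tunnel Group : TG-STD
2019-11-04 17:33:13.000 vpn-gw1
Login Time : 15:15:34 UTC Fri Nov 1 2019
2019-11-04 17:33:51.000 vpn-gw1
Username : bob Index : 13
2019-11-04 17:33:51.000 vpn-gw1
Assigned IP : 10.0.0.6 Public IP : 203.0.113.9
2019-11-04 17:33:51.000 vpn-gw1
Group Policy : GP-STD Tunnel Group : TG-STD
2019-11-04 17:33:51.000 vpn-gw1
Login Time : 15:16:12 UTC Fri Nov 1 2019
"""

# The two HeaderLine candidates suggested in the thread.
HEADER_DATE = re.compile(r"^\d+-\d+-\d+")
HEADER_USER = re.compile(r"^Username")


def split_on_header(text, header):
    """Group lines the way a HeaderLine regex does: a line matching the
    header opens a new message, every other line is appended to the open
    message, and lines before the first header are discarded."""
    messages = []
    for line in text.splitlines():
        if header.match(line):
            messages.append([line])
        elif messages:
            messages[-1].append(line)
    return ["\n".join(m) for m in messages]


def fields(message):
    """Names of the 'Name : value' fields that open a line in one message."""
    return re.findall(r"(?m)^([A-Za-z ]+?) :", message)


if __name__ == "__main__":
    for name, header in (("date", HEADER_DATE), ("username", HEADER_USER)):
        grouped = split_on_header(SAMPLE_LOG, header)
        print(f"header={name}: {len(grouped)} messages;",
              [fields(m) for m in grouped])
```

With the date header every timestamp line opens a new message, so each message carries exactly one field (the output the question describes); with the username header one message per login is produced. Either rule assumes the lines of one login are contiguous, and the excerpt posted in the first comment shows entries of two logins interleaved, in which case a header regex alone will mix fields from different sessions.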