What are the different log templates I have to use?

Setting up my Graylog instance, I'm quite confused about which templates I have to use.

On Debian 10 I added /etc/rsyslog.d/graylog.conf with the following value:

*.* @graylog.i.abc.de:13526;RSYSLOG_SyslogProtocol23Format

and everything that's in /var/log is getting parsed awesomely. Now I see that Serviio uses a different log pattern:

2022-04-06T15:44:57,701 INFO  [PlaylistMaintainerWorker] Started looking for playlist changes

And Plex as well:

Apr 01, 2022 22:33:31.142 [0x7fb0bcb3bb38] INFO - Plex DLNA Server v1.25.8.5663-e071c3d62 - Debian GNU/Linux PC x86_64 - build: linux-x86_64 - GMT 02:00

I'm scratching my head and can't find anything relevant on Google. What I found out is that you can write your own rsyslogd templates. But I'm quite sure that the formats I've shown you are "standardized", aren't they? If so, can someone give me a hint what they're called and where I can find a list of them?

1 answer

  • answered 2022-04-06 20:14 Zack King

    As far as doing this using rsyslogd templates, I can't help much. However, if those formats you mentioned are indeed standardized, you can handle their parsing within Graylog using Grok patterns.

    In Graylog > System > Grok Patterns > Create Pattern. The Serviio one is fairly simple:

    %{TIMESTAMP_ISO8601:date} %{DATA:level} \[%{DATA:component}\] %{GREEDYDATA:message}

    The Plex may be slightly more complex. I made a PLEXDATE pattern first:

    %{MONTH:month} %{NUMBER:day}, %{YEAR:year} %{TIME}

    and then a PLEXCOMMON pattern:

    %{PLEXDATE:date} \[%{DATA:componentId}\] %{DATA:level}- %{DATA:serverVersion} - %{DATA:os} - build: %{DATA:build} - %{GREEDYDATA:timezone}

    I'm absolutely not a Grok master, but you can play with those, improve them, and rename the fields how you want. Once you've created your Grok patterns, you can create pipeline rule(s) that can be used to parse the incoming log files in Graylog.
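
As an added example (not part of the original answer): a small Python sketch that expands the answer's Grok patterns into regular expressions and runs them against the two sample lines from the question, so the extracted fields can be checked before the patterns go into Graylog. The base-pattern regexes are simplified stand-ins for Grok's stock definitions, and the name SERVIIO is a hypothetical label for the answer's unnamed first pattern.

```python
import re

# Assumption: simplified stand-ins for the stock Grok base patterns; the real
# definitions are stricter. These only need to cover the two sample formats.
BASE = {
    "YEAR": r"\d{4}",
    "MONTH": r"[A-Z][a-z]{2,8}",
    "NUMBER": r"\d+(?:\.\d+)?",
    "TIME": r"\d{2}:\d{2}:\d{2}(?:[.,]\d+)?",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}
# Patterns copied from the answer; "SERVIIO" is a hypothetical name for the first.
CUSTOM = {
    "SERVIIO": r"%{TIMESTAMP_ISO8601:date} %{DATA:level} \[%{DATA:component}\] %{GREEDYDATA:message}",
    "PLEXDATE": r"%{MONTH:month} %{NUMBER:day}, %{YEAR:year} %{TIME}",
    "PLEXCOMMON": r"%{PLEXDATE:date} \[%{DATA:componentId}\] %{DATA:level}- %{DATA:serverVersion} - %{DATA:os} - build: %{DATA:build} - %{GREEDYDATA:timezone}",
}
LIBRARY = {**BASE, **CUSTOM}
TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def expand(pattern, library=LIBRARY):
    """Recursively turn %{NAME:field} references into a Python regex."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        if name not in library:
            raise KeyError(f"unknown Grok pattern: {name}")
        inner = expand(library[name], library)
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return TOKEN.sub(repl, pattern)

def grok(name, line, library=LIBRARY):
    """Return the named captures for a full-line match, or None if it fails."""
    m = re.fullmatch(expand(library[name], library), line)
    return m.groupdict() if m else None

# Sample lines taken from the question.
SERVIIO_LINE = "2022-04-06T15:44:57,701 INFO  [PlaylistMaintainerWorker] Started looking for playlist changes"
PLEX_LINE = "Apr 01, 2022 22:33:31.142 [0x7fb0bcb3bb38] INFO - Plex DLNA Server v1.25.8.5663-e071c3d62 - Debian GNU/Linux PC x86_64 - build: linux-x86_64 - GMT 02:00"

if __name__ == "__main__":
    print(grok("SERVIIO", SERVIIO_LINE))
    print(grok("PLEXCOMMON", PLEX_LINE))
```

In both sample lines the `level` field comes out as `"INFO "` with a trailing space, because the lazy DATA match absorbs the extra whitespace before the next literal; trim it or tighten the pattern before searching or alerting on an exact level value.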
