Tags: logging, graylog

What are the different log templates I have to use?


Setting up my Graylog instance, I'm quite confused about what the different templates are that I have to use.

On Debian 10 I added /etc/rsyslog.d/graylog.conf with the following value:

*.* @graylog.i.abc.de:13526;RSYSLOG_SyslogProtocol23Format

and everything in /var/log is getting parsed awesomely. Now I see that Serviio uses a different log pattern:

2022-04-06T15:44:57,701 INFO  [PlaylistMaintainerWorker] Started looking for playlist changes

And Plex as well:

Apr 01, 2022 22:33:31.142 [0x7fb0bcb3bb38] INFO - Plex DLNA Server v1.25.8.5663-e071c3d62 - Debian GNU/Linux PC x86_64 - build: linux-x86_64 - GMT 02:00

I'm scratching my head and can't find anything relevant on Google. What I found out is that you can write your own rsyslogd templates. But I'm quite sure that the formats I showed you are "standardized", aren't they? If so, can someone give me a hint about what they're called and where I can find a list of them?


Solution

  • As far as doing this using rsyslogd templates goes, I can't help much. However, if those formats you mentioned are indeed standardized, you can handle their parsing within Graylog using Grok patterns.

    In Graylog > System > Grok Patterns > Create Pattern. The Serviio one is fairly simple:

    %{TIMESTAMP_ISO8601:date} %{DATA:level} \[%{DATA:component}\] %{GREEDYDATA:message}
    

    The Plex one may be slightly more complex. I made a PLEXDATE pattern first:

    %{MONTH:month} %{NUMBER:day}, %{YEAR:year} %{TIME}
    

    and then a PLEXCOMMON pattern:

    %{PLEXDATE:date} \[%{DATA:componentId}\] %{DATA:level}- %{DATA:serverVersion} - %{DATA:os} - build: %{DATA:build} - %{GREEDYDATA:timezone}
    

    I'm absolutely not a Grok master, but you can play with those, improve them, and rename the fields however you want. Once you've created your Grok patterns, you can create pipeline rule(s) to parse the incoming log files in Graylog.
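To see what the answer's patterns actually capture before wiring them into a pipeline rule, here is an added example (not code from the original post, and not Graylog's own implementation) that expands Grok patterns into Python regexes and runs them over the two sample lines from the question. The base-pattern table is a transcribed subset of the stock logstash-patterns-core definitions that Graylog ships, with the atomic group and lookbehind of BASE10NUM dropped so Python's re module can compile it; treat that table as an assumption that may lag the exact definitions in your Graylog version. The SERVIIO_STRICT and PLEX_STRICT variants are my suggestion, not the answerer's, and the parse_line helper is a stand-in for a chain of pipeline rules.

```python
import re

# Subset of the stock Grok pattern library (logstash-patterns-core, as shipped
# with Graylog), transcribed as plain regexes. Assumption: these match the
# definitions your Graylog version uses. Only the names needed below are here.
GROK_LIBRARY = {
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "MONTH": (r"\b(?:[Jj]an(?:uary|uar)?|[Ff]eb(?:ruary|ruar)?|[Mm](?:a|ä)?r(?:ch|z)?"
              r"|[Aa]pr(?:il)?|[Mm]a(?:y|i)?|[Jj]un(?:e|i)?|[Jj]ul(?:y|i)?|[Aa]ug(?:ust)?"
              r"|[Ss]ep(?:tember)?|[Oo](?:c|k)?t(?:ober)?|[Nn]ov(?:ember)?|[Dd]e(?:c|z)(?:ember)?)\b"),
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",   # accepts 57,701 and 31.142
    "TIME": r"(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])",
    "ISO8601_TIMEZONE": r"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))",
    "TIMESTAMP_ISO8601": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?",
    "NUMBER": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+))",  # BASE10NUM without the atomic group
    "LOGLEVEL": (r"(?:[Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE"
                 r"|[Ii]nfo?(?:rmation)?|INFO?(?:RMATION)?|[Ww]arn?(?:ing)?|WARN?(?:ING)?"
                 r"|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?"
                 r"|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)"),
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}

# %{NAME}, %{NAME:field} and %{NAME:field:type} (the type suffix is ignored here)
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?(?::\w+)?\}")


def compile_grok(pattern, library):
    """Expand %{...} references recursively into one Python regex."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_REF.sub(expand, library[name])   # KeyError means an unknown pattern name
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(GROK_REF.sub(expand, pattern))


def grok(pattern, line, custom=None):
    """Named captures only (roughly Graylog's grok(pattern, value, true)), or None on no match."""
    m = compile_grok(pattern, {**GROK_LIBRARY, **(custom or {})}).search(line)
    return m.groupdict() if m else None


def parse_line(line, rules, custom=None):
    """Try (source, pattern) pairs in order, like a chain of pipeline rules."""
    for source, pattern in rules:
        fields = grok(pattern, line, custom)
        if fields is not None:
            return source, fields
    return None, None


# The custom patterns from the answer, as they would be entered under
# System > Grok Patterns.
CUSTOM = {
    "PLEXDATE": r"%{MONTH:month} %{NUMBER:day}, %{YEAR:year} %{TIME}",
    "PLEXCOMMON": (r"%{PLEXDATE:date} \[%{DATA:componentId}\] %{DATA:level}- %{DATA:serverVersion}"
                   r" - %{DATA:os} - build: %{DATA:build} - %{GREEDYDATA:timezone}"),
}
SERVIIO = r"%{TIMESTAMP_ISO8601:date} %{DATA:level} \[%{DATA:component}\] %{GREEDYDATA:message}"

# Suggested tightening (mine, not the answerer's): LOGLEVEL instead of DATA for
# the level, and \s+ for the padding, so the level field has no trailing space.
SERVIIO_STRICT = r"%{TIMESTAMP_ISO8601:date}\s+%{LOGLEVEL:level}\s+\[%{DATA:component}\] %{GREEDYDATA:message}"
PLEX_STRICT = (r"%{PLEXDATE:date} \[%{DATA:componentId}\] %{LOGLEVEL:level} - %{DATA:serverVersion}"
               r" - %{DATA:os} - build: %{DATA:build} - %{GREEDYDATA:timezone}")

RULES = [("serviio", SERVIIO), ("plex", "%{PLEXCOMMON}")]

# Sample lines copied from the question.
SERVIIO_LINE = "2022-04-06T15:44:57,701 INFO  [PlaylistMaintainerWorker] Started looking for playlist changes"
PLEX_LINE = ("Apr 01, 2022 22:33:31.142 [0x7fb0bcb3bb38] INFO - Plex DLNA Server v1.25.8.5663-e071c3d62"
             " - Debian GNU/Linux PC x86_64 - build: linux-x86_64 - GMT 02:00")

if __name__ == "__main__":
    for line in (SERVIIO_LINE, PLEX_LINE):
        print(parse_line(line, RULES, CUSTOM))
    print(grok(SERVIIO_STRICT, SERVIIO_LINE)["level"], grok(PLEX_STRICT, PLEX_LINE, CUSTOM)["level"])
```

Two things worth noticing in the output: the answer's `%{DATA:level}` captures "INFO " with a trailing space for both formats (because the Serviio line has two spaces before the bracket and the Plex line has a space before the dash), which silently breaks a stream rule or search on `level:INFO`; and the nested PLEXDATE captures (month, day, year) come out as extra fields next to date, exactly as Graylog will emit them. A line that matches none of the patterns returns None, so a pipeline rule should test the match before setting fields rather than assuming every message from that input is one of these two formats.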