While setting up my Graylog instance, I'm quite confused about which of the different templates I have to use.
On Debian 10 I added /etc/rsyslog.d/graylog.conf
with the following value:
*.* @graylog.i.abc.de:13526;RSYSLOG_SyslogProtocol23Format
and everything that's in /var/log is getting parsed awesomely. Now I see that Serviio uses a different log pattern:
2022-04-06T15:44:57,701 INFO [PlaylistMaintainerWorker] Started looking for playlist changes
And Plex as well:
Apr 01, 2022 22:33:31.142 [0x7fb0bcb3bb38] INFO - Plex DLNA Server v1.25.8.5663-e071c3d62 - Debian GNU/Linux PC x86_64 - build: linux-x86_64 - GMT 02:00
I'm scratching my head and can't find anything relevant on Google. What I found out is that you can write your own rsyslogd templates. But I'm quite sure that the formats that I've shown you are "standardized", aren't they? If so, can someone give me a hint what they're called and where I can find a list of them?
As far as doing this using rsyslogd templates, I can't help much. However, if those formats you mentioned are indeed standardized, you can handle their parsing within Graylog using Grok patterns.
In Graylog > System > Grok Patterns > Create Pattern. The Serviio one is fairly simple:
%{TIMESTAMP_ISO8601:date} %{DATA:level} \[%{DATA:component}\] %{GREEDYDATA:message}
The Plex one may be slightly more complex. I made a PLEXDATE pattern first:
%{MONTH:month} %{NUMBER:day}, %{YEAR:year} %{TIME}
and then a PLEXCOMMON pattern:
%{PLEXDATE:date} \[%{DATA:componentId}\] %{DATA:level}- %{DATA:serverVersion} - %{DATA:os} - build: %{DATA:build} - %{GREEDYDATA:timezone}
I'm absolutely not a Grok master, but you can play with those, improve them, and rename the fields how you want. Once you've created your Grok patterns, you can create pipeline rule(s) that can be used to parse the incoming log files in Graylog.
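
To check the Grok patterns from the answer against the sample lines in the question before wiring them into a pipeline rule, here is an added example that is not part of the original posts. It expands the patterns into Python regular expressions; the `BASE` definitions are simplified stand-ins for the stock Grok library (an assumption), and `expand`, `grok` and `PLEX_OTHER` are names and data made up for this sketch.

```python
import re

# Simplified stand-ins for the stock Grok definitions (assumption: the real
# library patterns are stricter; these only need to cover the sample lines).
BASE = {
    "YEAR": r"\d{4}",
    "MONTH": r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*",
    "NUMBER": r"\d+(?:\.\d+)?",
    "TIME": r"\d{2}:\d{2}:\d{2}(?:[.,]\d+)?",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    # Custom pattern quoted from the answer.
    "PLEXDATE": r"%{MONTH:month} %{NUMBER:day}, %{YEAR:year} %{TIME}",
}
# Top-level patterns, copied unchanged from the answer.
SERVIIO = r"%{TIMESTAMP_ISO8601:date} %{DATA:level} \[%{DATA:component}\] %{GREEDYDATA:message}"
PLEXCOMMON = (r"%{PLEXDATE:date} \[%{DATA:componentId}\] %{DATA:level}- "
              r"%{DATA:serverVersion} - %{DATA:os} - build: %{DATA:build} - "
              r"%{GREEDYDATA:timezone}")

# Sample lines from the question, plus one constructed Plex line.
SERVIIO_LINE = "2022-04-06T15:44:57,701 INFO [PlaylistMaintainerWorker] Started looking for playlist changes"
PLEX_LINE = ("Apr 01, 2022 22:33:31.142 [0x7fb0bcb3bb38] INFO - Plex DLNA Server "
             "v1.25.8.5663-e071c3d62 - Debian GNU/Linux PC x86_64 - "
             "build: linux-x86_64 - GMT 02:00")
PLEX_OTHER = "Apr 01, 2022 22:33:32.000 [0x7fb0bcb3bb38] DEBUG - constructed message"

REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def expand(pattern):
    """Recursively turn %{NAME:field} references into regex groups."""
    def sub(m):
        body = expand(BASE[m.group(1)])
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return REF.sub(sub, pattern)

def grok(pattern, line):
    """Return the named captures for a line, or None when it does not match."""
    m = re.fullmatch(expand(pattern), line)
    return m.groupdict() if m else None

if __name__ == "__main__":
    print(grok(SERVIIO, SERVIIO_LINE))
    print(grok(PLEXCOMMON, PLEX_LINE))   # level is "INFO " (trailing space kept)
    print(grok(PLEXCOMMON, PLEX_OTHER))  # None: no " - build: " in this line
```

Two things show up when it runs: `%{DATA:level}- ` leaves a trailing space in the `level` field, and PLEXCOMMON only matches the Plex startup banner, so ordinary Plex lines need their own pattern or they will reach Graylog unparsed.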