ckristo
I really love using Graylog (https://www.graylog.org/) for my hobby project, but writing complex pipeline rules for log parsing is somethings a pain
Home

Graylog is a leading centralized log management solution for capturing, storing, and enabling real-time analysis of terabytes of machine data.

Graylog
Jul 18, 2023 at 11:21pmWeb
Show threadckristoJul 18, 2023
Parsing sudo logs in CEE format results in the following rule:
Show threadckristoJul 18, 2023

My pain points so far:
* support for parsing JSON is basic
* language for rule writing is limited

My highlight while creating this rule:
* you cannot parse and select arbitrary JSON sub paths - I had to manually cut the string
* you cannot do arithmetic expressions, so I had to add two substring calls instead of one