Graylog Cisco ASA Syslog ID Extractor

I recently did an in-place upgrade on the Graylog appliance and unfortunately it created a new "appliance-syslog-udp (Syslog UDP)" input that took priority over my custom syslog input already running on UDP 514. This caused the extractor configured on the original input to no longer be active.

I was able to easily export the extractor from the old input and then import it to the new input using the web interface. Here is the JSON data in case anyone else out there is interested in extracting syslog IDs from a Cisco ASA. The regex matches the %ASA-<severity>- tag at the start of each ASA message and copies the six-digit message ID that follows it into the ASASyslogID field, so you can search your data by ASASyslogID (for example ASASyslogID:106023 to find access-group denies).

Graylog Cisco ASA Syslog ID Extractor

  {
    "extractors": [
      {
        "condition_type": "none",
        "condition_value": "",
        "converters": [],
        "cursor_strategy": "copy",
        "extractor_config": {
          "regex_value": "%ASA-\\w-(.{0,6})"
        },
        "extractor_type": "regex",
        "order": 0,
        "source_field": "message",
        "target_field": "ASASyslogID",
        "title": "ASA Syslog ID"
      }
    ],
    "version": "1.3.0 (04201bb)"
  }
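To see what the extractor above actually produces, here is an added example (my code, not part of the original post or of Graylog) that replays the regex from the JSON over a handful of constructed ASA syslog lines, the way Graylog's regex extractor does: the first capture group of the first match is copied into the target field, and no field is set when the pattern does not match. It also runs a stricter pattern, %ASA-\d-(\d{6}):, which is my suggestion rather than anything from the post, to show where the loose .{0,6} capture can pick up a stray character. All sample messages, hostnames and addresses are made up for the example; Graylog uses Java regular expressions, but for these two patterns Python's re module behaves the same.

```python
import re

# Extractor definition from the post (the JSON export above), expressed as a dict.
PAGE_EXTRACTOR = {
    "extractor_type": "regex",
    "source_field": "message",
    "target_field": "ASASyslogID",
    "extractor_config": {"regex_value": r"%ASA-\w-(.{0,6})"},
}

# Stricter variant (my suggestion, not part of the post): ASA severity is one digit and
# the message ID is exactly six digits followed by a colon, so anchor on both.
STRICT_EXTRACTOR = dict(
    PAGE_EXTRACTOR,
    title="ASA Syslog ID (strict)",
    extractor_config={"regex_value": r"%ASA-\d-(\d{6}):"},
)

# Constructed sample messages; none were captured from a real device.
SAMPLE_MESSAGES = [
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/443 "
    "(203.0.113.10/443) to inside:192.0.2.25/51234 (198.51.100.5/51234)",
    '%ASA-4-106023: Deny tcp src outside:203.0.113.7/4444 dst inside:192.0.2.30/22 by access-group "outside_in"',
    "%ASA-5-111008: User 'admin' executed the 'configure terminal' command.",
    # Timestamp and hostname in front of the tag, as a relay or the ASA's own timestamp
    # option produces; the regex is searched, not anchored, so the prefix does not matter.
    "Jan 12 10:00:01 asa-edge-1 : %ASA-6-302013: Built outbound TCP connection 12346 ...",
    # Non-ASA line: neither extractor sets the field.
    "sshd[2112]: Accepted publickey for alice from 192.0.2.9 port 40212 ssh2",
    # Deliberately malformed (five-digit ID) to show where the loose pattern misfires.
    "%ASA-6-30201: Deny udp src outside:203.0.113.7/53 dst inside:192.0.2.30/53",
]


def apply_regex_extractor(extractor, message):
    """Mimic a Graylog regex extractor: copy group 1 of the first match into the target field.

    Returns the fields the extractor would add. When the regex does not match the result
    is {}, mirroring Graylog, where the target field is simply absent from the message.
    """
    pattern = re.compile(extractor["extractor_config"]["regex_value"])
    match = pattern.search(message)
    if match is None:
        return {}
    return {extractor["target_field"]: match.group(1)}


def extract_all(extractor, messages):
    """Target-field value for each message, or None where the extractor did not fire."""
    return [apply_regex_extractor(extractor, m).get(extractor["target_field"]) for m in messages]


def disagreements(messages):
    """Messages where the post's pattern and the strict pattern yield different IDs."""
    loose = extract_all(PAGE_EXTRACTOR, messages)
    strict = extract_all(STRICT_EXTRACTOR, messages)
    return [(m, a, b) for m, a, b in zip(messages, loose, strict) if a != b]


if __name__ == "__main__":
    loose_ids = extract_all(PAGE_EXTRACTOR, SAMPLE_MESSAGES)
    strict_ids = extract_all(STRICT_EXTRACTOR, SAMPLE_MESSAGES)
    for message, loose_id, strict_id in zip(SAMPLE_MESSAGES, loose_ids, strict_ids):
        print(f"loose={loose_id!r:10} strict={strict_id!r:10} {message[:60]}")
```

On well-formed ASA messages both patterns agree and the timestamp/hostname prefix is harmless, because Graylog searches the source field rather than anchoring at its start. The one disagreement is the malformed line, where .{0,6} happily swallows the colon and stores "30201:" as the ID; if you ever see such values in the ASASyslogID field, the stricter pattern (or a \d{6} converter check) is the fix.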
