Occasional Contributor II

How to save a syslog message to a field.

Hi,

How do I save a syslog message to a field in the ingress event engine?

I don't know how to save the message, I tried various variants like:
in mutate { add_field => ['Event: Message', 'message'] } and others even more bizarre :)

MVP Expert

Re: How to save a syslog message to a field.

I don't know if you modified the alias for the message field but try with these options:

add_field => ['Event:Message', '@message']

add_field => ['Event:Message', '%{message}']

Rafael del Cerro Flores
ACMP, ACCP, ACDX#324, ACCX#711
Occasional Contributor II

Re: How to save a syslog message to a field.

When I use

add_field => ['Event:Message', '@message']

then in the access tracker I see:

Event:Message	|     @message

When I use

add_field => ['Event:Message', '%{message}']

in the access tracker I don't see the Event: Message field.

I don't understand what you meant when talking about alias modification.
Can you explain?
