LM Logs multiple capture group parsing

Anonymous

9 months ago

I have two logsources for syslog and it’s not very easy to understand why, but it has something to do with the source IP address and resolvability or something.

All Syslog (IP):

Method = IP
Key = system.ips

All Syslog (Hostname)

Method = IP
Key = system.hostname

I’d have to a pcap on two different collectors to see the actual difference between them incoming since LM doesn’t surface any details about what actually came in (would be nice to see the raw data by turning up a debug level somewhere).

All i know is if i change the applies to for either of these logsources so that they include the devices that should belong to the other logsource, the mapping suddenly, completely fails. They don’t get mapped to any devices at all.

Theoretically, these two logsources could be combined into one if you’re using collector v35.100+. This is because there’s a new “OR” option in the resource mapping section that should allow both of these mapping to exist side by side and allow one to work when the other fails. I haven’t been able to test yet because we’re not on that collector version across the board yet (it’s not GA yet, just early access/beta).

Forum Discussion

LM Logs multiple capture group parsing

Related Content

New user - looking for information on parsing fields from Syslog message field

capturing Multipe instances Data

Seeing Failed To Parse ServiceNow Integration

Using Postman to create multiple Websites via API & CSV?

Issue in capturing historical data

Recent Discussions

Can anyone help modify this Datasource to be able to use any port?

Dashboard updates

Does anyone monitor their iDracs with LM? Tons of duplicate alerts

How do you monitor Running Services on Linux boxes?

Event Sources SNMP and Windows collectors?