jhaar / mygraylog-patches-extractor-snort

MIT License

working with Graylog/Snort extractor #1

Open Rajeshunix13 opened 8 years ago

Rajeshunix13 commented 8 years ago

I have downloaded the Snort extractor from https://marketplace.graylog.org/ and successfully imported appliance-syslog-udp. As per my understanding, all my Snort extractors are pointing to System/Input -> appliance-syslog-udp -> Manage extractors -> Source field: messages, so I have to use that Search -> Fields -> message filter to filter the logs further. Am I correct?

If yes, I want to use separate Search -> Fields -> snort_message or snort_ip, etc.

What is the process to create separate Search -> Fields using the Snort extractor?

jhaar commented 8 years ago

Hi Rajesh

Sorry this took so long. I don't use GitHub, but the Graylog team "made me" publish my extractor and now I'm having to support it! (Didn't expect that ;-) As I don't come over to GitHub very often, I didn't notice there was a question. But now I get it :-)

To import an extractor, you go to System -> Inputs and choose the Input that contains your syslog/Snort data. Then choose "Manage extractors", and on that page there's an "Import" option under "Actions". Then import the file and you're done.
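As an added illustration of what such an extractor does (this is example code, not the extractor pack from this repository), the regex below pulls separate `snort_*` fields out of the raw `message` field of a Snort syslog alert, the way a Graylog grok extractor would, so each field can be searched on its own. The sample alert lines are constructed, and the `snort_*` field names are assumptions.

```python
import re

# Constructed sample lines in the format Snort's alert_syslog output writes.
SAMPLE_ALERTS = [
    'snort[4242]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root '
    '[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.5:52345',
    'snort[4242]: [1:1000001:1] LOCAL ICMP echo request [Priority: 3] {ICMP} 192.0.2.20 -> 198.51.100.5',
]

# One regex with named groups, run against the "message" source field.
# Classification is optional because rules without a classtype omit it;
# ports are absent for protocols such as ICMP.
SNORT_RE = re.compile(
    r'\[(?P<snort_gid>\d+):(?P<snort_sid>\d+):(?P<snort_rev>\d+)\]\s+'
    r'(?P<snort_message>.*?)\s+'
    r'(?:\[Classification:\s+(?P<snort_classification>[^\]]+)\]\s+)?'
    r'\[Priority:\s+(?P<snort_priority>\d+)\]\s+'
    r'\{(?P<snort_proto>\w+)\}\s+'
    r'(?P<snort_src_ip>[\d.]+)(?::(?P<snort_src_port>\d+))?\s+->\s+'
    r'(?P<snort_dst_ip>[\d.]+)(?::(?P<snort_dst_port>\d+))?\s*$'
)


def extract_snort_fields(message):
    """Return a dict of snort_* fields for one Snort syslog line, or None if it does not match.

    Input is the raw "message" field; output is the set of separate fields a
    Graylog extractor would add (e.g. searchable as snort_src_ip:192.0.2.10).
    """
    m = SNORT_RE.search(message)
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    # Numeric converters, as an extractor would apply to these fields.
    for key in ('snort_gid', 'snort_sid', 'snort_rev', 'snort_priority',
                'snort_src_port', 'snort_dst_port'):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


if __name__ == '__main__':
    for line in SAMPLE_ALERTS:
        print(extract_snort_fields(line))
```

In Graylog a regex extractor fills a single target field from its first capture group, so extracting several fields this way needs either one regex extractor per field or a grok extractor with named patterns.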