Graylog

While playing with a general-purpose way to get CSVs and other log data into Graylog with PowerShell, I've been converting the file contents into JSON and then importing them over a raw HTTP input. Hardly the fastest approach, but as a proof of concept it works.

However, after configuring a JSON extractor (System > Inputs > (your input) > Manage extractors), I found that many fields were simply 'missing' from the message stream. When importing data from Windows Defender EDR, only the Sha256 and Sha1 fields were present; everything else was apparently skipped.

The solution was simple. Although the 'Try' function in Graylog displays the full set of expected fields, this feature appears slightly bugged: the preview happily accepts keys containing whitespace, but unless the 'Replace whitespace in keys' box is ticked, keys with whitespace in them are not extracted in actual use. (This is why Sha256 and Sha1 survived: they are the only keys without a space in the name.)

Simply put: tick the 'Replace whitespace in keys' box, enter your chosen replacement character and you'll be good to go.

Result

It's a bit of an odd situation, but sometimes you might want to take information from a cloud service, in this case Cortex XDR from Palo Alto Networks, and pull it into an on-premise logging service. This guide looks at how to get this log data in and how to parse it so that you can break out the individual fields of each log entry.

Looking at the documentation, the logs are in Common Event Format (CEF) but are wrapped in syslog for transmission. Although Graylog can ingest CEF directly, this additional syslog layer means we have to take in the syslog and then send the messages through a processing pipeline in Graylog to extract the CEF data.
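To make concrete what that pipeline has to do, here is an added Python example (not code from the original post, and not Graylog's own implementation) that strips the syslog wrapper, splits the seven CEF header fields on unescaped pipes, and parses the key=value extension honouring CEF's backslash escaping for `\|`, `\=`, `\\`, `\n` and `\r`. Both sample lines are constructed for this example: the vendor and product names follow the Cortex XDR documentation, but the hostnames, timestamps, hashes and rule names are made up. It handles both RFC 3164 and RFC 5424 syslog wrappers, which is more general than the single case the post describes.

```python
import json

# CEF header field names, in the order they appear after "CEF:".
HEADER_FIELDS = [
    "cef_version", "device_vendor", "device_product", "device_version",
    "device_event_class_id", "name", "severity",
]

# Constructed sample 1: CEF inside an RFC 3164 syslog line. Note the escaped
# backslash in suser and the escaped '=' inside msg (values are made up).
SAMPLE_3164 = (
    "<14>Oct 12 09:15:02 xdr-forwarder "
    "CEF:0|Palo Alto Networks|Cortex XDR|Cortex XDR 2.5|XDR Agent|Behavioral Threat|8|"
    "rt=1602494102000 suser=CORP\\\\jdoe shost=WS-0042 "
    "fileHash=3f786850e387550fdab836ed7e6dc881de23001b "
    "msg=Process chain matched rule\\=Suspicious PowerShell act=Prevented"
)

# Constructed sample 2: RFC 5424 wrapper and an escaped pipe in the Name field.
SAMPLE_5424 = (
    "<14>1 2020-10-12T09:15:02Z xdr-forwarder cortex - - - "
    "CEF:0|Palo Alto Networks|Cortex XDR|2.5|XDR Agent|Rule A \\| Rule B|5|"
    "rt=1602494102000 cs1Label=Initiator cs1=cmd.exe"
)


def _unescape(value):
    """Resolve CEF backslash escapes; \\n and \\r become real newlines."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _split_header(cef):
    """Split the seven header fields on unescaped '|', returning (fields, extension)."""
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < len(HEADER_FIELDS):
        c = cef[i]
        if c == "\\" and i + 1 < len(cef):   # escaped char: keep it literally
            buf.append(cef[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    if len(fields) == len(HEADER_FIELDS) - 1 and buf:  # header with no trailing '|'
        fields.append("".join(buf))
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, cef[i:]


def _parse_extension(ext):
    """Parse 'k=v k2=v2 ...'. Values may contain spaces; only an unescaped '='
    marks a key boundary, and the key is the run of non-space chars before it."""
    boundaries, i = [], 0
    while i < len(ext):
        if ext[i] == "\\":               # skip the escaped character
            i += 2
            continue
        if ext[i] == "=":
            j = i - 1
            while j >= 0 and not ext[j].isspace():
                j -= 1
            boundaries.append((j + 1, i))
        i += 1
    result = {}
    for n, (key_start, eq) in enumerate(boundaries):
        value_end = boundaries[n + 1][0] if n + 1 < len(boundaries) else len(ext)
        result[ext[key_start:eq]] = _unescape(ext[eq + 1:value_end].rstrip())
    return result


def parse_cef_syslog(line):
    """Locate the CEF payload in a syslog line and return one flat dict of fields."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload in syslog line")
    fields, ext = _split_header(line[idx:])
    event = dict(zip(HEADER_FIELDS, fields))
    event["cef_version"] = event["cef_version"][len("CEF:"):]
    event["syslog_header"] = line[:idx].rstrip()
    event.update(_parse_extension(ext))
    return event


if __name__ == "__main__":
    for sample in (SAMPLE_3164, SAMPLE_5424):
        print(json.dumps(parse_cef_syslog(sample), indent=2))
```

Inside Graylog itself the same job is done by the pipeline function parse_cef (available in the 3.x pipeline processor), so the rule only needs to cut the syslog header off the message before handing the remainder to it; the point of the stand-alone parser above is to show what the escaping rules require, which is where hand-rolled regex extractors usually go wrong.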

So on to the guide, which assumes you are familiar with the operation of the Cortex XDR management console and Graylog (version 3.3 is shown). For simplicity, the code snippet you'll need from GitHub is also shown below.

Code snippet from the screenshot sequence:

About

my world of IT is a blog about both the business and consumer world of IT as seen by a common-or-garden Security and Networking consultant.