Level 7

Cacti Templates and Graylog Parsing

Hi there,

since I really like OpenSource tools, here come two ways we made monitoring the MWG a bit easier:

Cacti • View topic - McAfee WebGateway 7.5 Graphs -> Graphs and Installation setup to get the MWG monitored
with all private SNMP-MIB information available.

As for collecting logs in Graylog the "efficient" way (aka structured/indexed logs), I used the very good guide
about how to export logs in "NITRO/SIEM" format from here:

I did adjust the output in 2 ways: we erased the first and second fields (the first was just the appliance name, the second was the date),
so our ruleset looks like this:

The logs come in a pretty structured way (although not GELF) and can be parsed with the new Graylog 1.0 with a
grok-pattern like that:


You do need to import some grok-patterns beforehand in Graylog and make a new "input" in order to use the grok-extractor.
Importing the grok patterns is fairly straightforward: copy and paste "grok-patterns" from here Grok Debugger to a text file
and import that text-file into Graylog's "import pattern file" button.

You'll get indexed logs like this:

It works for me, mayhaps for you as well.

3 Replies
McAfee Employee

Re: Cacti Templates and Graylog Parsing

Very cool stuff!

Level 12

Re: Cacti Templates and Graylog Parsing


Level 7

Re: Cacti Templates and Graylog Parsing

Since I can't seem to edit my original post, here's some adjustment to the grok filter since I noticed some messages weren't parsed at all:


Also, there's a limitation with the grok implementation in Graylog: you can not use the grok conversions for fields, i.e. turning strings into integers or floats.
That might be added at some point; the syntax change would maybe be like this: %{NUMBER:mwg_bytesTOclient:int}, etc.

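To make the grok mechanics of the original post and the `%{NUMBER:field:int}` conversion syntax of the last reply concrete, here is a small grok expander in Python. This is an added example, not code from the thread and not Graylog's or Logstash's implementation: the pattern definitions are simplified stand-ins for the stock grok-patterns file, the MWG field order, the field names other than `mwg_bytesTOclient` and the two sample lines are constructed assumptions and do not reproduce the real NITRO/SIEM layout. It expands `%{PATTERN:field:type}` tokens into a named-group regex, applies the int/float conversion that the reply says Graylog 1.0 lacks, and returns `None` for a line the pattern does not match, which is what an unparsed message looks like.

```python
import re

# Simplified stand-ins for a few stock grok patterns (assumption: the real
# Logstash/Graylog definitions are longer and use atomic groups; these keep
# the same meaning for ordinary log text and run on plain Python `re`).
GROK_PATTERNS = {
    "INT": r"[+-]?[0-9]+",
    "NUMBER": r"[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "WORD": r"\w+",
    "NOTSPACE": r"\S+",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "IPV4": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "IP": r"%{IPV4}",                 # a definition may reference other patterns
    "URI": r"%{WORD}://%{NOTSPACE}",
}

# The optional third part of %{PATTERN:field:type}: the conversion the
# follow-up reply says Graylog 1.0's grok extractor does not offer yet.
CONVERTERS = {"int": int, "float": float}

_TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?(?::(\w+))?\}")


def compile_grok(pattern, definitions=GROK_PATTERNS):
    """Expand %{NAME[:field[:type]]} tokens into a compiled regex and a
    field -> converter map. An unknown pattern name raises KeyError."""
    types = {}

    def expand(text, depth):
        if depth > 20:
            raise ValueError("grok definitions nest too deeply (cycle?)")

        def replace(m):
            name, field, typ = m.groups()
            body = expand(definitions[name], depth + 1)
            if field is None:
                return f"(?:{body})"            # anonymous token: no capture
            if typ is not None:
                if typ not in CONVERTERS:
                    raise ValueError(f"unknown conversion {typ!r} on {field!r}")
                types[field] = CONVERTERS[typ]
            return f"(?P<{field}>{body})"

        return _TOKEN.sub(replace, text)

    return re.compile(expand(pattern, 0)), types


def grok_match(line, compiled, types):
    """Return the extracted (and converted) fields, or None when the line
    does not match at all."""
    m = compiled.search(line)
    if m is None:
        return None
    return {k: (types[k](v) if k in types else v) for k, v in m.groupdict().items()}


# Hypothetical pattern for a line after the appliance name and date have been
# stripped, as in the post. Field order and all names other than
# mwg_bytesTOclient are assumptions, not the NITRO/SIEM layout of a real MWG log.
MWG_PATTERN = (
    "%{IP:src_ip} %{USERNAME:user} %{WORD:method} %{URI:url} "
    "%{INT:status:int} %{NOTSPACE:content_type} "
    "%{INT:mwg_bytesTOclient:int} %{INT:mwg_bytesFROMclient:int}"
)
MWG_RE, MWG_TYPES = compile_grok(MWG_PATTERN)

# Constructed sample lines; the second lacks the two byte counters and so
# does not match, the "not parsed at all" case from the follow-up reply.
SAMPLE_OK = "10.1.2.3 jdoe GET http://www.example.com/index.html 200 text/html 5120 734"
SAMPLE_BAD = "10.1.2.3 jdoe CONNECT tunnel://www.example.com:443 200 -"


def parse_line(line):
    return grok_match(line, MWG_RE, MWG_TYPES)


if __name__ == "__main__":
    for line in (SAMPLE_OK, SAMPLE_BAD):
        print(parse_line(line))
```

Without the `:int` suffix the byte counters stay strings, so range queries and sums over `mwg_bytesTOclient` in the index do not work as expected; with the suffix the converter runs after the regex match, which is the point of the syntax the reply proposes.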