How Can I Find Messages in Graylog Based on Level (Syslog Severity/priority)

Better Stack Team
Updated on November 18, 2024

To find messages in Graylog based on their level (syslog severity/priority), you'll need to use Graylog's search and filter capabilities. Graylog indexes log messages, and you can query and filter these messages using its search interface.

Here’s how you can find messages based on syslog severity/priority in Graylog:

1. Understanding Syslog Severity Levels

Syslog severity levels (often also called priorities) are numeric values from 0 to 7 that represent the severity of a log message, with lower numbers meaning more urgent messages. These are the standard syslog severity levels:

  • 0: Emergency
  • 1: Alert
  • 2: Critical
  • 3: Error
  • 4: Warning
  • 5: Notice
  • 6: Informational
  • 7: Debug

These severity levels are often included in syslog messages as part of the log’s metadata.

2. Accessing Graylog

Log in to your Graylog web interface.

3. Searching for Messages

To search for messages based on their severity level:

  1. Go to the Search Page: Navigate to the search page in Graylog. This is where you can build and execute queries to find specific log messages.
  2. Build a Search Query:

    Graylog uses its own search syntax to query logs. You can use the following syntax to filter messages based on syslog severity levels.

    Basic Query Example: If your log messages contain a field for syslog severity (often named something like syslog_severity or level), you can use this field to filter messages.

    syslog_severity:4

    This query will return all messages with a severity level of 4 (Warning).

    Advanced Query Example: If you want to search for multiple severity levels, you can use the OR operator:

    syslog_severity:3 OR syslog_severity:4

    This query will return messages with severity levels 3 (Error) or 4 (Warning).

  3. Search by Numeric Severity: If Graylog does not automatically extract syslog severity levels, you may need to search by numeric values directly in the message content. For instance:

    message:"Severity 3"

    This would search within log messages containing the string "Severity 3".

  4. Use Fields: If syslog severity is parsed into a specific field, such as level, severity, or priority, adjust your query accordingly. For example:

    level:4

  5. Search with Time Range: You can also specify a time range for your search to narrow down results to a specific period.

4. Using Graylog Pipelines or Extractors

If the severity level is not parsed correctly, you may need to create or adjust extractors or pipelines in Graylog to properly extract and parse the syslog severity from your logs.

  1. Create Extractors: Go to the inputs configuration and add an extractor that parses the severity from the log messages.
  2. Set Up Pipelines: Use pipelines to transform log messages and extract fields based on patterns and rules.
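The following is an added example (Python, not part of this article and not Graylog's own extractor code) of the logic an extractor or pipeline rule implements: a raw syslog line starts with the PRI header <N>, where N = facility * 8 + severity, so the severity is N modulo 8, and a field query such as syslog_severity:3 OR syslog_severity:4 can only match messages for which that field was actually parsed. The field names syslog_facility, syslog_severity and syslog_severity_name and the sample log lines are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional, Set

# Standard syslog severity levels (RFC 5424, section 6.2.1).
SEVERITY_NAMES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug",
}

# Raw syslog lines start with the PRI header "<N>", N = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>")

def parse_pri(line: str) -> Optional[Dict[str, int]]:
    """Decode facility and severity from the PRI header; None when the line has
    no valid PRI (then no severity field exists and only a text search helps)."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        return None
    return {"syslog_facility": pri // 8, "syslog_severity": pri % 8}

def enrich(line: str) -> Dict[str, object]:
    """Message document an extractor/pipeline rule would hand to Graylog (assumed field names)."""
    doc: Dict[str, object] = {"message": line}
    fields = parse_pri(line)
    if fields is not None:
        doc.update(fields)
        doc["syslog_severity_name"] = SEVERITY_NAMES[fields["syslog_severity"]]
    return doc

def select_by_severity(docs: List[Dict[str, object]], levels: Set[int]) -> List[Dict[str, object]]:
    """Same selection as syslog_severity:3 OR syslog_severity:4 (levels={3, 4})."""
    return [d for d in docs if d.get("syslog_severity") in levels]

# Constructed sample lines, not captured from a real system.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 host1 su: 'su root' failed on /dev/pts/8",  # 4*8+2: auth, Critical
    "<27>Oct 11 22:14:16 host1 sshd[1234]: bind to port 22 failed",  # 3*8+3: daemon, Error
    "<12>Oct 11 22:14:17 host2 agent: disk usage at 91 percent",     # 1*8+4: user, Warning
    "<14>Oct 11 22:14:18 host2 cron[99]: job finished",              # 1*8+6: user, Informational
    "Oct 11 22:14:19 host3 app: this line carries no PRI header",    # severity not extractable
]

def severity_names_for(levels: Set[int]) -> List[str]:
    """Severity names of the sample messages that match the given levels."""
    docs = [enrich(line) for line in SAMPLE_LINES]
    return [str(d["syslog_severity_name"]) for d in select_by_severity(docs, levels)]
```

The last sample line shows why a field query silently misses messages whose severity was never parsed: it has no syslog_severity field at all, so only a text search against the message field would find it.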

5. Save and Share Searches

Once you have set up your queries, you can save them as saved searches for quick access or create dashboards to visualize logs based on severity levels.

Example Query in Graylog Interface

To search for error and critical messages within a specific timeframe:

  1. Go to the search page.
  2. Enter the following query:

    syslog_severity:2 OR syslog_severity:3

  3. Set the desired time range.
  4. Run the search to view the results.

This approach will help you efficiently find and analyze log messages based on their severity level in Graylog.

Licensed under CC-BY-NC-SA

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
