Parsing this way (in Graylog) is so very... manual. I'd rather go with
rsyslog's liblognorm, either in rsyslog itself or in a separate daemon, like
logdevourer, which I wrote. The rules can then be written in a regular text editor
and versioned.

Also: what happens if there is a typo in one of the rules and a log entry
doesn't get parsed? Does Graylog/grok have some indication that the log doesn't match? And where the mismatch starts? Because liblognorm does.