Change Source from Received Log (Huawei Switch)

Hi,

I searched for this topic in similar threads, but I didn't figure out how to change the source of received logs using Extractors or Pipelines.

My scenario:

I have 26 Huawei Devices (S5720 and S6730 switches) that send logs to Graylog in this style:

message:
Feb 22 2021 13:32:41 SW3-PE-NMM-C01-07 %%01SHELL/6/DISPLAY_CMDRECORD(s)[2622]:Recorded display command information. (Task=VT0, Ip=172.16.40.253, VpnName=, User=admin, AuthenticationMethod="Local-user", Command="display esn")

source:
Feb

Even after setting the source on the Huawei device (I tried the Loopback0 address), Graylog receives the source as the current month (Feb).

Huawei info-center config:

info-center loghost source LoopBack0
info-center loghost 172.16.16.231 port 8514

I can't distinguish which log belongs to each Huawei device.


I tried some extractor examples, but they are still pretty complex to me:

Maybe this doesn’t make any sense:

%{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{HOSTNAME:source} %{GREEDYDATA:message}

How can I change the source address to the hostname (in this example: SW3-PE-NMM-C01-07)?

How is your input configured? You may need to change it to a RAW text input.

I’ve configured one Syslog UDP Input on port 8514:

Syslog UDP (type: Syslog UDP), 1 RUNNING

allow_override_date: true
bind_address: 172.16.16.231
expand_structured_data: false
force_rdns: false
number_worker_threads: 1
override_source: <empty>
port: 8514
recv_buffer_size: 262144
store_full_message: false

Do I need to change store_full_message to true?

Is it a good practice to create a new UDP Input (maybe Port 8515) to receive/process only those logs from Huawei?

I would try setting your input type to RAW UDP and seeing if that fixes it (or changes the listed source). It may be that Huawei devices aren’t true syslog.

I do not typically store the full message; others may. I find that it helps me at times, but it is not worth the drawback unless I'm troubleshooting something, because if you are parsing the data AND storing the full message, you will effectively double the storage for each message. If I need it, I'll turn it on and then turn it off.

As for the other input question, I'm not sure there is a definitive answer for it. For some people it may make sense and be good practice to receive logs on different ports; for others it may not. It depends on your use case and the sending system's capabilities. For example, some systems cannot send syslog to anything other than UDP 514. In this case you have to handle it on the receiving side, as you have no other option. Other times you may have the option and want to send different messages to different destinations or ports. That's for you to decide what's best.


I created another input: Raw UDP, as you suggested.

Now the source of messages coming from Huawei devices is set to an IP address (the Loopback0 address, because of the info-center loghost source LoopBack0 command):

message
<190>Feb 22 2021 19:11:31 SW3-PE-NMM-C01-07 %%01SHELL/6/DISPLAY_CMDRECORD(s)[2716]:Recorded display command information. (Task=VT0, Ip=172.16.40.253, VpnName=, User=admin, AuthenticationMethod="Local-user", Command="display esn")

source
10.0.0.7

timestamp
2021-02-22 15:07:06 -04:00

And the graph now shows each device as a slice of pizza.


Thank you @cawfehman
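The two Huawei lines quoted in this thread differ from RFC 3164 syslog in that the timestamp carries a four-digit year before the time and the body opens with a `%%01MODULE/SEV/MNEMONIC(flag)[seq]:` header, which is why a plain syslog parser can stumble on them. The parser below is an added example, not part of the thread or of Graylog; the regex is constructed from the two quoted lines, and it pulls out the hostname (the wanted source), the PRI facility/severity, and the `Key=value` parameters so that `DISPLAY_CMDRECORD` events can be audited per device.

```python
import re
from datetime import datetime

# The two Huawei VRP info-center lines quoted in the thread above (the second
# arrived through the Raw UDP input and still carries the <PRI> prefix).
SAMPLE_NOPRI = ('Feb 22 2021 13:32:41 SW3-PE-NMM-C01-07 %%01SHELL/6/DISPLAY_CMDRECORD(s)[2622]:'
                'Recorded display command information. (Task=VT0, Ip=172.16.40.253, VpnName=, '
                'User=admin, AuthenticationMethod="Local-user", Command="display esn")')
SAMPLE_RAW = '<190>' + SAMPLE_NOPRI.replace('13:32:41', '19:11:31').replace('[2622]', '[2716]')

# Constructed from the samples: unlike RFC 3164, a four-digit year sits between
# the day and the time, and the body starts with %%01MODULE/SEV/MNEMONIC(flag)[seq]:
HUAWEI_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                                     # optional <PRI>
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "  # Feb 22 2021 13:32:41
    r"(?P<source>\S+) "                                             # device hostname
    r"%%01(?P<module>\w+)/(?P<sev>\d)/(?P<mnemonic>\w+)\((?P<flag>[a-z])\)\[(?P<seq>\d+)\]:"
    r"(?P<text>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,()]*)')   # Key=value or Key="quoted value"


def parse_huawei(line):
    """Return a dict of fields for one Huawei info-center line, or None if it does not match."""
    m = HUAWEI_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pri = rec.pop("pri")
    # Syslog PRI = facility * 8 + severity; <190> decodes to local7 (23), info (6)
    rec["facility"] = int(pri) >> 3 if pri is not None else None
    rec["severity"] = int(pri) & 7 if pri is not None else None
    rec["timestamp"] = datetime.strptime(rec.pop("ts"), "%b %d %Y %H:%M:%S")
    rec["seq"] = int(rec["seq"])
    # Trailing "(Key=value, ...)" block becomes a dict; surrounding quotes are stripped
    paren = re.search(r"\((.*)\)\s*$", rec["text"])
    rec["params"] = {k: v.strip('"') for k, v in KV_RE.findall(paren.group(1))} if paren else {}
    return rec


def command_audit(lines):
    """Per-device (source, user, client ip, command) tuples from DISPLAY_CMDRECORD events."""
    out = []
    for line in lines:
        rec = parse_huawei(line)
        if rec and rec["mnemonic"] == "DISPLAY_CMDRECORD":
            p = rec["params"]
            out.append((rec["source"], p.get("User"), p.get("Ip"), p.get("Command")))
    return out


if __name__ == "__main__":
    for row in command_audit([SAMPLE_NOPRI, SAMPLE_RAW]):
        print(row)
```

In Graylog the same split can be expressed as a Grok or regex extractor on the Raw UDP input, with the hostname group written to `source`.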