my system:
Debian GNU/Linux 11 (bullseye)
elasticsearch-oss 7.10.2
graylog-server 4.3.12-1
mongodb-org 5.0.15
I get the logs of some “anonymous” devices (source
2011067: and progressives) and I so that some are cisco . How can I make viewing the logs easier? Investigating the cisco are :“Cisco IOS XE Software, Version 17.03.04
Cisco IOS Software [Amsterdam], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 17.3.4, RELEASE SOFTWARE (fc3)”
Help Me?
Grazie
Hey @riccardo
You could try using a different input like RawPlaintext UDP/TCP see if that helps. Most, if not all our switches use that type of Input, then using a piepline to modify the logs and/or drop the ones we dont need.
I’m starting to use graylog. The documentation is too extensive and so I’m learning from examples. I created the input with the cisco standard port 514 (remapped 1514) and I see the logs of all my network devices (cisco and extreme). You suggested a RawPlaintext UDP/TCP input but I can use either RawPlaintext UDP or RawPlaintext/TC and using the same port 1514 I get no logs. I’m trying to use hrleinonen/graylog-cisco but it’s complicated and displaying little data. Could you be more specific do you have a json file for me to try??
Hey @riccardo
Here is an example of pipeline, you have to configure your own information into it thou.
rule "extract json"
when
regex("(\\{.*\\})", to_string($message.message)).matches == true
then
let json = regex("(\\{.*\\})", to_string($message.message), ["json"])["json"];
// set_field("json", json);
set_fields(to_map(flatten_json(value: to_string(json), array_handler: "json")));
end
You best bet would be to look over the documention and this forum.