Cisco IOS XE: anonimus source in log

my system:
Debian GNU/Linux 11 (bullseye)
elasticsearch-oss 7.10.2
graylog-server 4.3.12-1
mongodb-org 5.0.15

I get the logs of some “anonymous” devices (source
2011067: and progressives) and I so that some are cisco . How can I make viewing the logs easier? Investigating the cisco are :“Cisco IOS XE Software, Version 17.03.04
Cisco IOS Software [Amsterdam], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 17.3.4, RELEASE SOFTWARE (fc3)”
Help Me?

Hey @riccardo

You could try using a different input like RawPlaintext UDP/TCP see if that helps. Most, if not all our switches use that type of Input, then using a piepline to modify the logs and/or drop the ones we dont need.

I’m starting to use graylog. The documentation is too extensive and so I’m learning from examples. I created the input with the cisco standard port 514 (remapped 1514) and I see the logs of all my network devices (cisco and extreme). You suggested a RawPlaintext UDP/TCP input but I can use either RawPlaintext UDP or RawPlaintext/TC and using the same port 1514 I get no logs. I’m trying to use hrleinonen/graylog-cisco but it’s complicated and displaying little data. Could you be more specific do you have a json file for me to try??

Hey @riccardo

Here is an example of pipeline, you have to configure your own information into it thou.

rule "extract json"
    regex("(\\{.*\\})", to_string($message.message)).matches == true
   let json = regex("(\\{.*\\})", to_string($message.message), ["json"])["json"];
  // set_field("json", json);

set_fields(to_map(flatten_json(value: to_string(json), array_handler: "json")));

You best bet would be to look over the documention and this forum.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.