Cisco IOS XE: anonymous source in log

my system:
Debian GNU/Linux 11 (bullseye)
elasticsearch-oss 7.10.2
graylog-server 4.3.12-1
mongodb-org 5.0.15

I get the logs of some “anonymous” devices (source
2011067: and successive numbers) and I see that some are Cisco. How can I make viewing the logs easier? Investigating, the Cisco devices are: “Cisco IOS XE Software, Version 17.03.04
Cisco IOS Software [Amsterdam], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 17.3.4, RELEASE SOFTWARE (fc3)”
Help me?
Thanks

Hey @riccardo

You could try using a different input like Raw/Plaintext UDP/TCP and see if that helps. Most, if not all, of our switches use that type of input, then we use a pipeline to modify the logs and/or drop the ones we don't need.

I’m starting to use Graylog. The documentation is too extensive, so I’m learning from examples. I created the input with the Cisco standard port 514 (remapped to 1514) and I see the logs of all my network devices (Cisco and Extreme). You suggested a Raw/Plaintext UDP/TCP input, but when I use either Raw/Plaintext UDP or Raw/Plaintext TCP on the same port 1514 I get no logs. I’m trying to use hrleinonen/graylog-cisco, but it’s complicated and displays little data. Could you be more specific? Do you have a JSON file for me to try?

Hey @riccardo

Here is an example of a pipeline rule; you have to configure your own information into it though.

rule "extract json"
when
    regex("(\\{.*\\})", to_string($message.message)).matches == true
then
    let json = regex("(\\{.*\\})", to_string($message.message), ["json"])["json"];
    // set_field("json", json);
    set_fields(to_map(flatten_json(value: to_string(json), array_handler: "json")));
end

Your best bet would be to look over the documentation and this forum.
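Added example, not from this thread, Graylog or hrleinonen/graylog-cisco: a small Python parser showing why a generic RFC 3164 syslog parser reports a Cisco IOS XE sequence number such as "2011067:" as the source, and how to pull the real fields (sequence, timestamp, facility, severity, mnemonic, text) out of such a line before indexing it. The regex, the field names and the sample lines are my assumptions based on the standard IOS syslog layout.

```python
import re
from typing import Optional

# Cisco IOS / IOS XE syslog line as it arrives on a UDP syslog input:
#   <PRI>SEQ: [HOST: ]*TIMESTAMP: %FACILITY-SEVERITY-MNEMONIC: text
# "SEQ:" is added by `service sequence-numbers`, "HOST:" by `logging origin-id`.
# SEQ sits where RFC 3164 expects the timestamp/hostname, so a generic syslog
# parser takes the sequence number (e.g. "2011067:") for the source host.
CISCO_LINE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<seq>\d+):\s+)?"
    r"(?:(?P<host>[A-Za-z][\w.-]*):\s+)?"
    r"(?:[*.]?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:\s+[A-Z]+)?):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)


def parse_cisco_syslog(line: str, peer: str) -> Optional[dict]:
    """Return the Cisco fields of one line, or None if it is not Cisco format.

    `peer` is the sending IP address (what the input sees on the wire); it is
    used as the source unless the switch itself embeds a hostname.
    """
    m = CISCO_LINE.match(line.strip())
    if m is None:
        return None
    pri = m.group("pri")
    return {
        "source": m.group("host") or peer,          # never the sequence number
        "sequence": int(m.group("seq")) if m.group("seq") else None,
        "timestamp": m.group("ts"),
        "facility": m.group("facility"),
        "severity": int(m.group("severity")),
        "mnemonic": m.group("mnemonic"),
        "message": m.group("text"),
        "syslog_facility": int(pri) // 8 if pri else None,  # 23 = local7, the IOS default
    }


# Constructed sample lines (not captured from the poster's switches).
SAMPLES = [
    ("<189>2011067: *Mar  1 00:00:05.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)", "192.0.2.10"),
    ("<189>2011068: sw-core: *Mar  1 00:00:06.001: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down", "192.0.2.10"),
    ("<14>Jan 10 12:00:00 extreme-sw1 some unrelated message", "192.0.2.20"),  # non-Cisco, left to the normal parser
]

if __name__ == "__main__":
    for line, peer in SAMPLES:
        print(parse_cisco_syslog(line, peer))
```

The same field extraction can be expressed as a Graylog pipeline rule on a Raw/Plaintext input with `regex()` and `set_fields()`, in the style of the rule above.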
