Cisco log and "override_source"

mayer · January 3, 2018, 10:04am

Dear All,

I defined different input ports for different groups of server. And there I defined “override_source”. For example all mail gateways are reporting to the same destination port. So I can search with a “source:” statement all identical services but I can still see the server from which the log entry is coming. Clients are Solaris and different Linux server all running “rsyslog”.

I tried the same way with the Cisco switches and routers. But when I use “override_source” I loose the information of the Cisco switch name or IP address. Which is the most important information.

Is there any possibility to merge all Cisco logs with a common search attribute without loosing the information of the device itself.

Kind regards
Hans

jochen · January 3, 2018, 10:24am

If all the log messages of your Cisco devices are received by the same input, you can add an arbitrary static field via the input.

Other than that, you could add an arbitrary field using the processing pipelines:
http://docs.graylog.org/en/2.4/pages/pipelines.html

mayer · January 3, 2018, 5:31pm

Hi Jochen,

many thanks for your swift reply.
I add a static field.
That’s exactly what I was looking for. Thanks.

Kind regards
Hans

system · January 17, 2018, 5:31pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Switch Logs message Graylog Central (peer support)	15	2306	April 25, 2019
Plugin modify input Graylog Add-ons	2	111	April 16, 2024
Search by source IP Graylog Central (peer support)	4	7453	December 4, 2018
Problem with Cisco Routers / Switches with source value Graylog Central (peer support) pipeline-rules	2	2054	June 24, 2020
Cisco Logs \| Graylog Graylog Central (peer support)	11	6785	February 3, 2018

Cisco log and "override_source"

Related topics