Cisco log and "override_source"


(Hans Mayer) #1

Dear All,

I defined different input ports for different groups of servers, and there I defined “override_source”. For example, all mail gateways are reporting to the same destination port, so I can search with a “source:” statement for all identical services while still seeing the server from which the log entry is coming. Clients are Solaris and different Linux servers, all running “rsyslog”.

I tried the same approach with the Cisco switches and routers. But when I use “override_source”, I lose the information about the Cisco switch name or IP address, which is the most important information.

Is there any possibility to merge all Cisco logs under a common search attribute without losing the information about the device itself?

Kind regards
Hans


(Jochen) #2

If all the log messages of your Cisco devices are received by the same input, you can add an arbitrary static field via the input.

Other than that, you could add an arbitrary field using the processing pipelines:
http://docs.graylog.org/en/2.4/pages/pipelines.html
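As an added illustration of the pipeline route (not code from the thread or from the Graylog docs), two rules that give every Cisco message a common search attribute while leaving the real `source` (the switch or router name/IP) untouched; `INPUT_ID_PLACEHOLDER` stands for the id of the Cisco syslog input, and the field names `service_group`, `cisco_facility`, `cisco_severity` and `cisco_mnemonic` are arbitrary choices.

```graylog
// Rule 1: tag by input instead of overwriting "source".
// INPUT_ID_PLACEHOLDER is a placeholder for the real input id (System > Inputs).
rule "tag cisco network devices"
when
    to_string($message.gl2_source_input) == "INPUT_ID_PLACEHOLDER"
then
    // common attribute, searchable as service_group:cisco-network,
    // while "source" still carries the device name or IP
    set_field("service_group", "cisco-network");
end

// Rule 2 (same pipeline stage): keep the IOS syslog header
// "%FACILITY-SEVERITY-MNEMONIC:" as separate fields for filtering,
// e.g. "%LINK-3-UPDOWN:" -> LINK / 3 / UPDOWN.
rule "split cisco syslog mnemonic"
when
    to_string($message.service_group) == "cisco-network" &&
    has_field("message")
then
    let m = regex("%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):",
                  to_string($message.message));
    // groups are indexed from "0"; on a non-matching message they are null
    // and the fields are simply not set
    set_field("cisco_facility", m["0"]);
    set_field("cisco_severity", m["1"]);
    set_field("cisco_mnemonic", m["2"]);
end
```

Rule 2 depends on the field set by rule 1, so place it in a later stage or make both rules run with "match all" in one stage ordered as shown.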


(Hans Mayer) #3

Hi Jochen,

Many thanks for your swift reply.
I added a static field.
That’s exactly what I was looking for. Thanks.

Kind regards
Hans


(system) #4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.