Cisco logs refuse to index

Graylog Central (peer support)
1

Hello,
Some logs coming from Cisco switches got indexed but some others coming from same brand and model Cisco switches are not indexed and dropped
We have Cisco Nexus switches C3548P-10GX some are indexed correctly others have their packet dropped.
tcpdump confirms that packets from both sources arrives on the graylog nodes on port 514
we have local redirection to port 1514 and it works for all of our sources except those switches
though the configuration are the same on both switch:
logging server XX.XX.XX.162
logging timestamp microseconds
logging monitor 7
logging level syslog 6
logging origin-id hostname
some following packets are indexed

Capture d’écran 2025-05-12 152100 syslog OK
Capture d’écran 2025-05-12 152100 syslog OK1335×180 8.36 KB

some following packets are dropped
Capture d’écran 2025-05-12 151810 Syslog fail
Capture d’écran 2025-05-12 151810 Syslog fail1332×154 7.89 KB

Here is the input configuration

image
image336×355 7.49 KB

  • OS Information:
    RedHat 8.10
    Graylog 5.0.13

What could be the issue on some switch that makes packet to be drop? but not on some others?
It remains mystery to me

Best regards

2

The first step in troubleshooting would be to change out the syslog input for a raw input and turn off all processing, then start to add things back one at a time.

If the message isnt syslog compliant the input will drop the message.

If the message is processed, but one of the fields is a different data type then it will be rejected when trying to store it. Storing a string in a number field etc.