Extractor issues following upgrade to 3.0

Hi folks,

Upgraded from 2.5 to 3.0 today and all is mostly working fine. However, I’m pulling syslog from a Sonicwall device which has been working fine, even for a short period following the upgrade. Now I’m getting errors suggesting it cannot run data conversion as part of an extractor:

2019-02-18T12:49:30.699Z ERROR [Extractor] Could not apply converter [DATE] of extractor [a929827b-de1a-49e9-ac31-9bd81bd320a1].
java.lang.IllegalArgumentException: Invalid format: "id=firewall sn=2CB8ED054567 time…"

Nothing has changed with the message format, or the regex for parsing the date, I can confirm these work manually.

Any ideas where to look?

Thanks

I may have had a similar issue where my tests worked out fine but still I wasn't seeing any fields being parsed.

First place where you can look is under details next to the extractor itself. It should show metrics on how many hits and misses it has. If it shows hits, and is counting up, it's working.

The reason for the data conversion error might be that the fields it finds do not match the headers you've defined. If this is the case, you can see this in your logs (mine literally said it couldn't parse because fields found (15) did not match headers (14)).
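An added example, not code from this thread or from Graylog itself: a small Python stand-in for the two checks described in the reply above, the extractor's hit/miss counters and the separate converter step that can fail even when hits are counting up. The sample syslog lines are constructed in the SonicWall key=value style quoted in the first post (serial numbers and addresses are made up), the `time="..."` field layout is an assumption, and `datetime.strptime` stands in for Graylog's Java DATE converter. The second pattern is deliberately over-broad so that the whole message, rather than the date value, reaches the converter, which reproduces the shape of the "Invalid format" error quoted in the first post; it is an illustration of that failure mode, not a claim about what caused it here.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample lines (not real device output). The third line has no time=
# field and the fourth is an unrelated syslog message, so both should be "misses".
SAMPLE_LINES = [
    'id=firewall sn=0000000000AA time="2019-02-18 12:49:30 UTC" fw=192.0.2.1 pri=6 c=1024 m=537 msg="Connection Closed"',
    'id=firewall sn=0000000000AA time="2019-02-18 12:49:31 UTC" fw=192.0.2.1 pri=6 c=1024 m=98 msg="Connection Opened"',
    'id=firewall sn=0000000000AA fw=192.0.2.1 pri=1 c=0 m=14 msg="Web site access denied"',
    '<134>Feb 18 12:49:32 fw01 kernel: unrelated line',
]

# Correct pattern: capture group 1 is only the value of the time= field.
GOOD_TIME_RE = re.compile(r'time="([^"]+)"')

# Over-broad pattern (assumed misconfiguration for illustration): capture group 1
# is the entire message, so the DATE converter receives "id=firewall sn=... time..."
BAD_TIME_RE = re.compile(r"(id=firewall.*)")

# strptime format matching the constructed time= values; %Z accepts "UTC".
DATE_FORMAT = "%Y-%m-%d %H:%M:%S %Z"


def run_extractor(lines, pattern=GOOD_TIME_RE, date_format=DATE_FORMAT):
    """Mimic the counters shown under an extractor's details page.

    hits/misses reflect whether the regex matched at all; converter_errors
    counts matches whose captured value the date converter could not parse.
    """
    stats = {"hits": 0, "misses": 0, "converter_errors": 0, "parsed": []}
    for line in lines:
        match = pattern.search(line)
        if match is None:
            stats["misses"] += 1
            continue
        stats["hits"] += 1
        raw = match.group(1)
        try:
            stats["parsed"].append(datetime.strptime(raw, date_format))
        except ValueError as exc:
            stats["converter_errors"] += 1
            # Same shape as the error quoted in the first post: the converter
            # reports the string it was handed, truncated here for readability.
            print(f'ERROR [Extractor] Could not apply converter [DATE]: Invalid format: "{raw[:40]}..." ({exc})')
    return stats


def csv_fields_match(line, headers):
    """The header/field count check the reply mentions for the CSV converter.

    Returns (ok, fields_found, headers_defined) so the mismatch is visible.
    """
    fields = next(csv.reader(io.StringIO(line)))
    return len(fields) == len(headers), len(fields), len(headers)


if __name__ == "__main__":
    good = run_extractor(SAMPLE_LINES)
    print("correct pattern:", {k: v for k, v in good.items() if k != "parsed"})
    bad = run_extractor(SAMPLE_LINES, pattern=BAD_TIME_RE)
    print("over-broad pattern:", {k: v for k, v in bad.items() if k != "parsed"})
    # Constructed CSV line with one more field than the defined headers.
    print("csv check:", csv_fields_match("a,b,c,d", ["h1", "h2", "h3"]))
```

With the correct pattern, hits equal the number of lines carrying a `time=` field and there are no converter errors; with the over-broad pattern the hit counter still climbs (so "hits are counting up" alone does not prove the extractor is healthy), but every match fails in the converter. Hits that stay at zero, as in the follow-up replies, point at the regex or at messages not arriving at all rather than at the converter.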

Hmm, the hits aren’t going up so clearly there’s an issue there…

Turns out by coincidence our firewalls had failed over round about the same time and the secondary simply wasn’t sending many syslog messages. Failed them back and boom!
