I have a syslog input in place to manage Fortigate firewall logs.
When a log message has a URL with “=”, everything goes to sh…t. Graylog then parses using key=value and soon we have over 1000 fields…
Example of the url field:
The above creates, IN ADDITION, the field sD7nfaNYjGkkaqRCxhU1wQmc9R1aHbs9XL2GFMpl_Lo with value 131.
URL from the message field:
I’ve tried using the CEF input, but it fails right at the beginning with this:
java.lang.IllegalStateException: Could not parse timestamp. '<143>Mar 09 2020 15:52:38'
Suggestions for the best fix?
I was thinking of using a pipeline, any thoughts? I would like to fix the message, not delete all messages with a URL…
Thank you in advance
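As an added illustration (not part of the original post and not Graylog's own code), the following Python compares a naive key=value split, which treats every "=" as the start of a new pair, with a quote-aware parser, both run over a constructed FortiGate-style line whose url value contains "=". The log line is made up; only the spurious field name is taken from the post. Whatever pipeline rule is used to repair the message needs this same quote-aware behaviour.

```python
import re

# Constructed FortiGate-style syslog line (not from the original post). The URL value
# deliberately carries "=" characters; the long parameter name is the spurious field
# name the post reported.
SAMPLE = (
    'date=2020-03-09 time=15:52:38 devname="fw01" logid="0317013312" type="utm" '
    'subtype="webfilter" action="passthrough" '
    'url="/search?q=graylog&sD7nfaNYjGkkaqRCxhU1wQmc9R1aHbs9XL2GFMpl_Lo=131" '
    'msg="URL belongs to an allowed category"'
)

# Naive extractor: any word followed by "=" starts a pair, and a value ends at the next
# "=" or whitespace. It knows nothing about quotes, so "=" inside the url value spawns
# new keys. (A simplification of a non-quote-aware extractor, not Graylog's algorithm.)
NAIVE_RE = re.compile(r'([\w.-]+)=([^\s=]*)')

# Quote-aware extractor: a value is either a double-quoted string (which may contain
# "=", "&", spaces and escaped quotes) or a run of non-whitespace characters.
QUOTED_RE = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|[^\s"]*)')


def _unquote(value):
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1].replace('\\"', '"')
    return value.strip('"')  # the naive split leaves dangling quote fragments behind


def naive_kv(line):
    return {k: _unquote(v) for k, v in NAIVE_RE.findall(line)}


def quote_aware_kv(line):
    return {k: _unquote(v) for k, v in QUOTED_RE.findall(line)}


def spurious_keys(line):
    """Keys the naive split produces that the quote-aware parse does not: these are the
    fields that pile up in the index, one per distinct URL parameter name."""
    return sorted(set(naive_kv(line)) - set(quote_aware_kv(line)))


if __name__ == "__main__":
    print("naive url field :", naive_kv(SAMPLE)["url"])
    print("spurious keys   :", spurious_keys(SAMPLE))
    print("quote-aware url :", quote_aware_kv(SAMPLE)["url"])
    print("quote-aware msg :", quote_aware_kv(SAMPLE)["msg"])
```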