Fortigate - Values with "=" are getting split even without an existing extractor for it

Hello everyone,

I have a problem with the syslog messages from a Fortigate.
I'm using a bunch of extractors to split up the syslog message from the Fortigate into fields, which is working very well. But sometimes the URL log of the Fortigate contains a random "=" & this is somehow creating another field with a random name. I cannot figure out how to stop this.
Could you please help me on this?

Here are some screenshots:

Hello & Welcome

I also have Fortigate firewalls 60, 100, and 200 series. So, I need to ask a couple of questions.
What kind of extractors are you using (GROK, REGEX, etc…)?
What version of Graylog do you have installed?
Can you show us how you made your extractors?
Have you tried testing that message/s out from the extractors you made to see which one might be creating this issue?
Here is an example for a regular expression extractor.


Hope that helps.

Hello Gsmith,

I've just tried to swap over from syslog format to CEF format, but it has the same problem…
I do not even have any extractors running in the CEF format & I'm still getting this problem:

It almost looks like Graylog is separating the full message into parts at every "=".

Maybe it has to do with the "select input"; do you use plain text?

I'm running Graylog version 4.0.6+40b7be5.

Hello,

That will happen when not using the input to ingest your logs.

Yes, our inputs are Raw/Plaintext UDP and we use ports above 1024.


Since I swapped over to Raw/Plaintext the problem is solved.
Thank you.

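To make the behaviour discussed in this thread concrete, here is an added example (not code from the thread or from Graylog) that parses a constructed Fortigate-style key=value line two ways: a naive splitter that treats every "=" as a field boundary, which is the kind of logic that turns a URL query string into a field with a random name, and a quote-aware parser that keeps `"..."` values intact. The sample log line and the helper names are constructed for illustration; the `suspicious_keys` check flags field names that could not have come from a well-formed key.

```python
import re

# Constructed sample line in Fortigate key=value style (not taken from the thread).
# The url value carries its own "=" signs inside the query string.
SAMPLE = (
    'date=2021-06-01 time=12:00:00 devname="fw01" type="utm" subtype="webfilter" '
    'action="passthrough" url="https://example.com/search?q=graylog&page=2" '
    'msg="URL belongs to an allowed category"'
)

# Naive approach: the token before each "=" becomes a key, the token after it a
# value, quotes are ignored. This reproduces the spurious fields seen in the thread.
_NAIVE = re.compile(r'([^\s=]+)=([^\s=]*)')

# Quote-aware approach: a key must start at a whitespace boundary and look like an
# identifier; a value is either a double-quoted string (backslash escapes allowed)
# or a run of non-whitespace characters, so embedded "=" stays inside the value.
_KV = re.compile(r'(?:^|(?<=\s))([A-Za-z_]\w*)=("(?:[^"\\]|\\.)*"|\S*)')


def naive_split(line):
    """Split on every '=' without regard to quoting; returns a dict of fields."""
    return {k: v for k, v in _NAIVE.findall(line)}


def parse_kv(line):
    """Parse key=value pairs, honouring double quotes; returns a dict of fields."""
    fields = {}
    for m in _KV.finditer(line):
        key, value = m.group(1), m.group(2)
        if value.startswith('"') and value.endswith('"') and len(value) >= 2:
            # Strip the surrounding quotes and unescape \" and \\ inside them.
            value = re.sub(r'\\(.)', r'\1', value[1:-1])
        fields[key] = value
    return fields


def suspicious_keys(fields):
    """Return field names that are not plain identifiers, i.e. likely parser debris."""
    return sorted(k for k in fields if not re.fullmatch(r'[A-Za-z_]\w*', k))


if __name__ == "__main__":
    bad = naive_split(SAMPLE)
    good = parse_kv(SAMPLE)
    print("naive url:", bad["url"])            # truncated at the first "=" in the query
    print("naive junk keys:", suspicious_keys(bad))  # ['graylog&page']
    print("quote-aware url:", good["url"])
    print("quote-aware junk keys:", suspicious_keys(good))  # []
```

Running the script shows the naive parser truncating `url` at the first "=" of the query string, producing a field named `graylog&page` with value `2"` and a `msg` field that stops at the first space, while the quote-aware parser returns the full URL and message. The `suspicious_keys` check is a cheap way to spot this kind of mis-parsing in a pipeline: a field name containing `&`, `?` or `/` is a strong sign that a value was split rather than a key found.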
