Graylog and Cisco syslog truncated

exabyte4 · August 9, 2018, 7:13pm

I use Graylog as a syslog for my Cisco switches.
There are several cases in which the message gets truncated, I suspect due to syntax.

The original message from the switch:

Aug 8 18:43:07: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPNAK, MAC sa: [MAC Address]

However, when the message reaches Graylog, all I see in the message field is the Mac address.

I suspect that only the last colon (’:’) is parsed.
What can be done in this case?

jan · August 10, 2018, 6:55am

Did you know this blog posting

Maybe this will help you.

exabyte4 · August 10, 2018, 12:38pm

Thank you for your help.
Turns out the content pack has been updated, or rather, forked, to include the colon and now messages are coming as they should, except for timestamps but I’ll fix that.

Thanks again.

system · August 24, 2018, 12:38pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Problem to receive in interface log Graylog Central (peer support)	1	824	February 27, 2017
Problem with Cisco Routers / Switches with source value Graylog Central (peer support) pipeline-rules	2	2180	June 24, 2020
Incomplete message body after arrival to Graylog Graylog Central (peer support)	8	522	February 7, 2023
Syslog from Meraki generates load and lot of graylog logs Graylog Central (peer support)	3	1538	April 18, 2018
Cisco 3850 switch stack sending garbage syslog messages Graylog Central (peer support)	1	887	January 1, 2018

Graylog and Cisco syslog truncated

Related topics