Graylog and Cisco syslog truncated


#1

I use Graylog as a syslog for my Cisco switches.
There are several cases in which the message gets truncated, I suspect due to syntax.

The original message from the switch:

Aug 8 18:43:07: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPNAK, MAC sa: [MAC Address]

However, when the message reaches Graylog, all I see in the message field is the MAC address.

I suspect that only the last colon (':') is parsed.
What can be done in this case?


(Jan Doberstein) #2

Did you know this blog posting?

Maybe this will help you.


#3

Thank you for your help.
Turns out the content pack has been updated, or rather, forked, to include the colon and now messages are coming as they should, except for timestamps but I’ll fix that.

Thanks again.
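The truncation described in the first post, reproduced as an added example that is not part of the thread and is not the content pack's extractor: a greedy pattern that splits on the last colon keeps only the MAC address, while a pattern anchored on the Cisco `%FACILITY-SEVERITY-MNEMONIC:` header keeps the whole message. Both regexes, the function names and the MAC value are assumptions made for illustration.

```python
import re

# Constructed sample in the format quoted in the thread; the MAC value is made up.
SAMPLE = (
    "Aug 8 18:43:07: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: "
    "DHCP_SNOOPING drop message on untrusted port, "
    "message type: DHCPNAK, MAC sa: 0011.2233.4455"
)

# Hypothetical faulty pattern: the greedy ".*" runs to the LAST ": ",
# so only the text after it survives as the message.
GREEDY = re.compile(r"^.*: (?P<message>.*)$")

# Anchored pattern: optional clock marker (* or .), timestamp, the
# %FACILITY-SEVERITY-MNEMONIC header, then the whole remainder, colons included.
CISCO = re.compile(
    r"^[*.]?(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<message>.*)$"
)


def parse_greedy(line):
    """Return the message as the faulty pattern sees it, or None."""
    m = GREEDY.match(line)
    return m.group("message") if m else None


def parse_cisco(line):
    """Return a dict of header fields plus the full message, or None."""
    m = CISCO.match(line)
    if m is None:
        return None  # not a Cisco-style line; leave it for another rule
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    return fields


if __name__ == "__main__":
    print("greedy  :", parse_greedy(SAMPLE))
    print("anchored:", parse_cisco(SAMPLE))
```
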

