I use Graylog as a syslog for my Cisco switches.
There are several cases in which the message gets truncated, I suspect due to syntax.
The original message from the switch:
Aug 8 18:43:07: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPNAK, MAC sa: [MAC Address]
However, when the message reaches Graylog, all I see in the message field is the MAC address.
I suspect that only the last colon (':') is parsed.
What can be done in this case?
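
The following added example (not part of the original post, and not Graylog's own parsing code) contrasts a split at the last colon, which leaves only the MAC address as described above, with a parser anchored on the Cisco %FACILITY-SEVERITY-MNEMONIC tag that keeps the full description. The MAC address in the sample is a constructed placeholder, and the function names and the key/value heuristic are assumptions made for illustration.

```python
import re

# Constructed sample: the line from the post with a placeholder MAC address.
SAMPLE = ("Aug 8 18:43:07: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: "
          "DHCP_SNOOPING drop message on untrusted port, "
          "message type: DHCPNAK, MAC sa: 0000.5e00.5301")

# Cisco IOS layout: [seq:] [*|.]timestamp: %FACILITY-SEVERITY-MNEMONIC: description
CISCO_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s*)?"
    r"[*.]?(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}"
    r"(?:\.\d+)?(?:\s+[A-Z]+)?):\s+"
    r"%(?P<facility>[A-Z0-9_-]+?)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<message>.*)$"
)


def naive_last_colon(line):
    """Keep only what follows the last ':' (reproduces the truncated result)."""
    return line.rpartition(":")[2].strip()


def parse_cisco(line):
    """Split on the %FAC-SEV-MNEMONIC tag so colons in the description survive."""
    m = CISCO_RE.match(line.strip())
    if m is None:
        return None  # not in the expected Cisco layout; keep the raw line upstream
    event = m.groupdict()
    event["severity"] = int(event["severity"])
    # Heuristic (assumption): comma-separated "key: value" parts become fields.
    fields = {}
    for part in event["message"].split(", "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    event["fields"] = fields
    return event


if __name__ == "__main__":
    print("last-colon split:", naive_last_colon(SAMPLE))
    print("tag-anchored    :", parse_cisco(SAMPLE))
```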