Graylog not parsing hostname in log messages

  • OS Information:

FreeBSD

  • Package Version:

graylog-4.2.6

  • Service logs, configurations, and environment variables:
    N/a

3. What steps have you already taken to try and solve the problem?
See: Source doesn't always show host or IP

4. How can the community help?

This is in follow up to the post I made a few months ago, see link above.

The suggestion to try a raw/plaintext input did at least start capturing the source’s IP address, which is an improvement to say none the least.

I used tcpdump to capture a similar message:

01:01:52.557426 IP (tos 0x0, ttl 64, id 37585, offset 0, flags [none], proto UDP (17), length 184)
    storage.morante.com.syslog > log.morante.com.5444: [udp sum ok] SYSLOG, length: 156
        Facility daemon (3), Severity notice (5)
        Msg: May  3 01:01:19 1 2022-05-03T01:01:19.118629-04:00 storage.morante.com mountd 4004 - - mount request from 10.8.8.249 for non existent path /mnt/CDImages
        0x0000:  3c32 393e 4d61 7920 2033 2030 313a 3031
        0x0010:  3a31 3920 3120 3230 3232 2d30 352d 3033
        0x0020:  5430 313a 3031 3a31 392e 3131 3836 3239
        0x0030:  2d30 343a 3030 2073 746f 7261 6765 2e6d
        0x0040:  6f72 616e 7465 2e63 6f6d 206d 6f75 6e74
        0x0050:  6420 3430 3034 202d 202d 206d 6f75 6e74
        0x0060:  2072 6571 7565 7374 2066 726f 6d20 3130
        0x0070:  2e38 2e38 2e32 3439 2066 6f72 206e 6f6e
        0x0080:  2065 7869 7374 656e 7420 7061 7468 202f
        0x0090:  6d6e 742f 4344 496d 6167 6573

The message does indeed appear to be multi-line as suspected in the referenced post:

Facility daemon (3), Severity notice (5)
Msg: May  3 01:01:19 1 2022-05-03T01:01:19.118629-04:00 storage.morante.com mountd 4004 - - mount request from 10.8.8.249 for non existent path /mnt/CDImages

It seems like maybe I need to change the way it’s parsed on Graylog’s side? Perhaps this could be an option “FreeBSD Syslog UDP” or “FreeBSD Syslog TCP” when creating inputs?

Here’s another example (with a syslog input):

    europa.morante.com.syslog > log.morante.com.5444: [udp sum ok] SYSLOG, length: 156
        Facility user (1), Severity info (6)
        Msg: May  3 01:01:51 devd[1426]: Processing event '!system=CAM subsystem=periph type=error device=ses0 serial="" cam_status="0x44" CDB="1c 01 0a 80 00 00 " '
        0x0000:  3c31 343e 4d61 7920 2033 2030 313a 3031
        0x0010:  3a35 3120 6465 7664 5b31 3432 365d 3a20
        0x0020:  5072 6f63 6573 7369 6e67 2065 7665 6e74
        0x0030:  2027 2173 7973 7465 6d3d 4341 4d20 7375
        0x0040:  6273 7973 7465 6d3d 7065 7269 7068 2074
        0x0050:  7970 653d 6572 726f 7220 6465 7669 6365
        0x0060:  3d73 6573 3020 7365 7269 616c 3d22 2220
        0x0070:  6361 6d5f 7374 6174 7573 3d22 3078 3434
        0x0080:  2220 4344 423d 2231 6320 3031 2030 6120
        0x0090:  3830 2030 3020 3030 2022 2027
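The two captures above show two different header layouts behind the same `<PRI>` prefix: the first carries a full RFC 5424 header (version `1`, ISO timestamp, hostname, app name, process id, message id, structured data) after the BSD-style `May  3 01:01:19` timestamp, while the second is a plain RFC 3164 `app[pid]:` line with no hostname at all. A parser that applies only RFC 3164 rules to the first message takes the token after the BSD timestamp, the literal `1`, as the hostname and never reaches `storage.morante.com`. The following Python is an added example, not code from this thread or from Graylog, that decodes the payloads and does the extraction a pipeline rule or custom parser would need to do; the `parse` function, the `SyslogRecord` type and the `allow_rfc5424` switch are the example's own, and the sample payloads are constructed from the hex dumps in the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample 1: the 156-byte datagram payload from the first tcpdump dump above,
# kept as hex so the decode can be checked against tcpdump's "length: 156".
HEX_WRAPPED = (
    "3c32 393e 4d61 7920 2033 2030 313a 3031 "
    "3a31 3920 3120 3230 3232 2d30 352d 3033 "
    "5430 313a 3031 3a31 392e 3131 3836 3239 "
    "2d30 343a 3030 2073 746f 7261 6765 2e6d "
    "6f72 616e 7465 2e63 6f6d 206d 6f75 6e74 "
    "6420 3430 3034 202d 202d 206d 6f75 6e74 "
    "2072 6571 7565 7374 2066 726f 6d20 3130 "
    "2e38 2e38 2e32 3439 2066 6f72 206e 6f6e "
    "2065 7869 7374 656e 7420 7061 7468 202f "
    "6d6e 742f 4344 496d 6167 6573"
)
SAMPLE_WRAPPED = bytes.fromhex(HEX_WRAPPED)

# Constructed sample 2: the devd message from the second dump, as decoded text.
SAMPLE_BSD = (
    b"<14>May  3 01:01:51 devd[1426]: Processing event '!system=CAM subsystem=periph "
    b"type=error device=ses0 serial=\"\" cam_status=\"0x44\" CDB=\"1c 01 0a 80 00 00 \" '"
)


@dataclass
class SyslogRecord:
    facility: int
    severity: int
    source: Optional[str]   # hostname carried in the message, None if absent or NILVALUE
    app: Optional[str]
    pid: Optional[str]
    message: str
    header_style: str       # which header layout was recognised


PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 timestamp "Mmm dd hh:mm:ss " (day of month is space-padded).
BSD_TS_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
# RFC 5424 header: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^1 (?P<ts>\d{4}-\d\d-\d\dT\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$",
    re.S,
)
# RFC 3164 tag "app[pid]: msg", optionally preceded by a hostname. The hostname is
# optional in 3164, so this part is a heuristic: "host app[pid]:" and "app[pid]:" are
# told apart only by whether a second token precedes the colon.
BSD_TAG_RE = re.compile(
    r"^(?:(?P<host>[^\s\[:]+) )?(?P<app>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$",
    re.S,
)


def _nil(value: Optional[str]) -> Optional[str]:
    """Map the RFC 5424 NILVALUE '-' to None."""
    return None if value in (None, "-") else value


def parse(payload: bytes, allow_rfc5424: bool = True) -> SyslogRecord:
    """Parse one syslog datagram payload.

    With allow_rfc5424=False the parser behaves like a 3164-only parser, which is
    what turns the first sample's hostname into the literal "1".
    """
    text = payload.decode("utf-8", errors="replace")
    m = PRI_RE.match(text)
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)
    rest = text[m.end():]

    ts = BSD_TS_RE.match(rest)
    if ts:
        rest = rest[ts.end():]

    if allow_rfc5424:
        m5424 = RFC5424_RE.match(rest)
        if m5424:
            return SyslogRecord(
                facility, severity, _nil(m5424.group("host")),
                _nil(m5424.group("app")), _nil(m5424.group("pid")),
                m5424.group("msg") or "",
                "rfc5424-in-bsd" if ts else "rfc5424",
            )

    mtag = BSD_TAG_RE.match(rest)
    if mtag:
        return SyslogRecord(facility, severity, mtag.group("host"), mtag.group("app"),
                            mtag.group("pid"), mtag.group("msg"), "bsd")
    return SyslogRecord(facility, severity, None, None, None, rest, "unparsed")


if __name__ == "__main__":
    for sample in (SAMPLE_WRAPPED, SAMPLE_BSD):
        print(parse(sample))
    print("3164-only view of sample 1:", parse(SAMPLE_WRAPPED, allow_rfc5424=False))
```

Running it shows the first message resolving to `source='storage.morante.com'`, `app='mountd'`, `pid='4004'` only when the embedded RFC 5424 header is recognised; with `allow_rfc5424=False` the same payload yields `source='1'`. For the devd message the source is `None`, because nothing in that payload names a host, so the only reliable origin for it is the sender's IP address, which is what the raw/plaintext input started capturing.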

Hello,

I did find this post here but unfortunately I don’t see it resolved.

The screenshots look like firewall/switch messages? So you probably can't use a log shipper. If you could, FileBeat would be able to correct this issue with multi-line messages.

If this is correct and these messages/logs are from Firewall/Switch then a pipeline would be your best bet for correcting this.

Here are some links I found they might help.

https://graylog.zammad.com/help/en-us/15-pipeline-rule-samples

FileBeat
