Graylog Source-field configuration error?

BjornF · January 17, 2018, 6:44am

Hello!
I’m new to Graylog and i am now in the process of setting it up.

I have come across a strange thing regarding the “source”-field (syslog):
It seems in some cases the source data shows as a date or the device uptime.

I hooked up a couple of Cisco switches of different models (2960 and 3750) and in graylog they both present like this:
Source: 22w1d

I thougt it was a Cisco issue but then i also hooked or Clavister firewall up and it present the same way but
with a bracket and today’s date as “source”.
Source: [2018-01-17

I have followed Ciscos recommended steps for setting a interface as source but it does not make any difference.
Is this really a device configuration error or is it in the Graylog conf?

Best regards
Bjorn

jan · January 17, 2018, 7:24am

everything points that the syslog message is in some dialect that is not supported by Graylog.

You might want to switch to a “RAW/Plain text” input and parse the fields yourself out of the messages.

The second option is to ask the vendor how you can send a log message that is compliant to RFC 3164 or RFC 5424.

system · January 31, 2018, 7:24am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cisco 3750 logs showing date as source Graylog Central (peer support)	3	308	May 18, 2023
No message sources found Graylog Central (peer support)	6	1647	April 5, 2017
Message source is a port? Graylog Central (peer support)	3	511	November 8, 2018
Parsing syslog messages Graylog Central (peer support)	7	4339	October 18, 2017
Log message with strange source Ip address Graylog Central (peer support) key_value	6	527	April 21, 2022

Graylog Source-field configuration error?

Related Topics