Graylog Source-field configuration error?

BjornF · January 17, 2018, 6:44am

Hello!
I’m new to Graylog and i am now in the process of setting it up.

I have come across a strange thing regarding the “source”-field (syslog):
It seems in some cases the source data shows as a date or the device uptime.

I hooked up a couple of Cisco switches of different models (2960 and 3750) and in graylog they both present like this:
Source: 22w1d

I thougt it was a Cisco issue but then i also hooked or Clavister firewall up and it present the same way but
with a bracket and today’s date as “source”.
Source: [2018-01-17

I have followed Ciscos recommended steps for setting a interface as source but it does not make any difference.
Is this really a device configuration error or is it in the Graylog conf?

Best regards
Bjorn

jan · January 17, 2018, 7:24am

everything points that the syslog message is in some dialect that is not supported by Graylog.

You might want to switch to a “RAW/Plain text” input and parse the fields yourself out of the messages.

The second option is to ask the vendor how you can send a log message that is compliant to RFC 3164 or RFC 5424.

system · January 31, 2018, 7:24am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Problem with Cisco Routers / Switches with source value Graylog Central (peer support) pipeline-rules	2	1986	June 24, 2020
Problem with syslog formating Graylog Central (peer support)	2	68	July 29, 2024
Cisco 3750 logs showing date as source Graylog Central (peer support)	3	463	May 18, 2023
Invalid source field in Graylog messages Graylog Central (peer support)	3	757	November 3, 2018
No message sources found Graylog Central (peer support)	6	1717	April 5, 2017

Graylog Source-field configuration error?

Related Topics