How to handle multi-lined logs from Cisco Router

vvs2705 · December 12, 2019, 8:53am

Hi.

I,ve got Graylog 3.1.2. I’m trying to setup a syslog for cisco router (Cisco IOS Software, 7200 Software, Version 15.2). I’ve upploaded Content Pack “Cisco Switches And Routers”. In Input CISCO_IOS_SYSLOG I see log messages from cisco router which are splitted into parts – each part of origional cisco log message became separate log message in Graylog, because the origional cisco log messages are multi-lined and got CR/LF delemiter for parts. But I would like to get the whole messages instead of parts.

Which could be the best solutions for handling multi-lined logs with Graylog. To have Logstash (or something else) before Graylog to merge multi-line logs? Or may be there is native technology in Graylog?

Valery

jan · December 12, 2019, 10:17am

he @vvs2705

currently it is not possible to have a an input that waits for multi line messages to be complete - as in a clustered environment it is hard to predict that all messages are coming to the same server.

Graylog can only work with multiline messages if they are submitted as one message at all - so merge them on the sender is the way to go.

You might want to create a feature request to make such possible: https://github.com/Graylog2/graylog2-server/issues

Topic		Replies	Views
Advice and Guidance Please - Combining Cisco SIP Syslog messages Graylog Central (peer support)	2	1294	June 25, 2019
Graylog stream multiline logs Graylog Central (peer support) sidecar , nxlog , multi-linenx	0	1000	October 22, 2020
Cisco MultiLine Syslog Graylog Central (peer support)	0	65	July 15, 2024
Multiline log messages Graylog Central (peer support)	0	2961	June 2, 2017
How to stream docker logs with multiline to graylog Graylog Central (peer support)	2	4538	July 5, 2018

How to handle multi-lined logs from Cisco Router

Related topics