How to remove Graylog Header when sending logs with Syslog Outputs

1. Describe your incident:
Hello,
When I forward events to an external syslog server with the syslog output, there are more fields, for example:
Logs from the Cisco client to the external syslog server without Graylog:
CLIENTNAME: 288725: Jun 13 09:30:40: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/0/23 with BPDU Guard enabled. Disabling port.
Logs from the Cisco client to Graylog to the external syslog server:
13 15:32:31 CLIENTNAME: local7 - 2358347: Jun 13 13:32:30: %ADJ-5-RESOLVE_REQ_FAIL: Adj resolve request failed for 10.48.10.60 on Vlan2010

2. Describe your environment:

  • OS Information:
    Docker
  • Package Version:
    Graylog 4.X
  • Service logs, configurations, and environment variables:
    Syslog Plugin last version

3. What steps have you already taken to try and solve the problem?
I have tested every format option on the plugin (aka plain, full, transparent).

4. How can the community help?
Maybe you have encountered the same issue.

Hey @opak

What type of output are you using? For Open you have a choice of GELF or STDOUT.

Hi Gsmith, thanks a lot!
I use the syslog output plugin and I have tried every output type without success.

In Graylog Open, you can forward via a syslog output, but it does not send the same packet it received. It sends a copy of the stored log, so you get the message field, with the original datagram, and some extra fields that Graylog added when it arrived, and then it’s all given a new syslog header.

Forwarding an “unmolested” copy of the original syslog message (as Graylog first received it) requires the Operations Output Framework. That is only available today in Graylog Operations or Graylog Security, though now that I think of it, it may be supported in the free Graylog Small Business version (<2GB).

As a side note, if you are using the Operations Output Framework, you need to first turn on the “store full message”. It contains the original packet and it will be this field that is forwarded.
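As an added illustration (not code from the thread or from Graylog itself), here is a small Python normaliser for the receiving syslog server that recognises the envelope the Graylog syslog output adds and recovers the device-format line. The envelope layout is inferred from the two sample lines in the question; the month in front of the day is assumed to be optional, because the quoted line starts at the day, and the facility keyword is assumed to be one of the standard syslog facility names.

```python
import re

# Constructed sample lines, modelled on the two formats quoted in the question.
DIRECT_LINE = (
    "CLIENTNAME: 288725: Jun 13 09:30:40: %SPANTREE-2-BLOCK_BPDUGUARD: "
    "Received BPDU on port Gi1/0/23 with BPDU Guard enabled. Disabling port."
)
VIA_GRAYLOG_LINE = (
    "13 15:32:31 CLIENTNAME: local7 - 2358347: Jun 13 13:32:30: "
    "%ADJ-5-RESOLVE_REQ_FAIL: Adj resolve request failed for 10.48.10.60 on Vlan2010"
)

# Standard syslog facility keywords (assumption: Graylog emits one of these).
FACILITIES = {
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
    "cron", "authpriv", "ftp",
} | {f"local{i}" for i in range(8)}

# Envelope the Graylog syslog output wraps around the stored message, as seen
# in the thread:  [<Mon> ]<day> <HH:MM:SS> <source>: <facility> - <stored body>
# The stored body is the device's own message after its hostname prefix.
ENVELOPE = re.compile(
    r"^(?:(?P<month>[A-Z][a-z]{2}) )?(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<source>\S+): (?P<facility>[a-z]+\d?) - (?P<body>.*)$"
)


def parse_graylog_envelope(line):
    """Split a Graylog-forwarded line into envelope fields and the stored body.

    Returns None when the line carries no Graylog envelope, e.g. a message that
    reached the collector directly from the device.
    """
    m = ENVELOPE.match(line)
    if not m or m.group("facility") not in FACILITIES:
        return None
    return {
        "received_day": m.group("day"),    # Graylog's receive time, not the device's
        "received_time": m.group("time"),
        "source": m.group("source"),       # hostname Graylog resolved for the sender
        "facility": m.group("facility"),
        "body": m.group("body"),           # original message after the hostname
    }


def strip_graylog_envelope(line):
    """Rebuild the device-format line '<source>: <body>'; pass through otherwise."""
    fields = parse_graylog_envelope(line)
    if fields is None:
        return line
    return f"{fields['source']}: {fields['body']}"
```

Note that the day and time in the envelope are when Graylog received the event, so any correlation keyed on the device's own timestamp has to be taken from the body rather than the envelope.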