Invalid source field in Graylog messages


(Younes) #1

Hi
I have a problem with some of my Graylog messages. When I verify them, I notice that some messages have a strange source. The source field was .Oct. What is this? The message details are as below:

facility: local7
level: 4
message: 16 03:10:37.889: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ***] [Source: *******] [localport: 22] [Reason: Login Authentication Failed] at 03:10:37 UTC Tue Oct 16 2018
sequence_number: 815996
source: .Oct
timestamp: 2018-10-16T03:25:26.357Z

Thanks.


(Jan Doberstein) #2

I guess that you send them in via syslog without any modification and this is from some kind of appliance.

You should switch over to RAW Input and parse the complete message yourself, with the processing pipelines for example.

Should this be a Cisco ASA/Nexus you might like to read this article: https://jalogisch.de/2018/working-with-cisco-asa-nexus-on-graylog/


(Younes) #3

Thank you, Jan.
I created a Raw/Plaintext UDP Input and my problem is solved.
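
An added example, not part of the thread and not Graylog's own code: a Python sketch of why a header starting with ".Oct" ends up in the source field, and of the field extraction one would do after switching to a raw input. The raw line layout, the function names `naive_source` and `parse_cisco`, and the sender address 192.0.2.10 are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed raw datagram, rebuilt from the fields shown in post #1
# (local7 = facility 23, level 4, so PRI = 23 * 8 + 4 = 188). Assumption: the
# device sent "<PRI>seq: .Mon dd hh:mm:ss.mmm: %FACILITY-SEV-MNEMONIC: text".
RAW = ("<188>815996: .Oct 16 03:10:37.889: %SEC_LOGIN-4-LOGIN_FAILED: "
       "Login failed [user: ***] [Source: *******] [localport: 22] "
       "[Reason: Login Authentication Failed] at 03:10:37 UTC Tue Oct 16 2018")

MONTH_TS = re.compile(r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}")

def naive_source(raw):
    """Simplified model of the failure: if the header does not start with a
    month-name timestamp, the first token is taken as the hostname."""
    body = re.sub(r"^<\d+>(\d+: )?", "", raw)
    m = MONTH_TS.match(body)
    if m:
        body = body[m.end():].lstrip()
    return body.split(" ", 1)[0]

# A leading '*' or '.' on the timestamp is the device flagging its clock as
# not authoritative or not NTP-synchronised; the header carries no hostname.
CISCO = re.compile(
    r"^<(?P<pri>\d{1,3})>(?:(?P<seq>\d+): )?(?P<clock>[*.])?"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)"
    r"(?: (?P<tz>[A-Z]{2,5}))?: "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$", re.S)

def parse_cisco(raw, sender_ip, year):
    """Return extracted fields, or None so unparsed lines can be reviewed."""
    m = CISCO.match(raw)
    if m is None:
        return None
    f = m.groupdict()
    pri = int(f["pri"])
    fmt = "%Y %b %d %H:%M:%S.%f" if "." in f["ts"] else "%Y %b %d %H:%M:%S"
    return {
        "source": sender_ip,  # fall back to the UDP sender address
        "facility": pri >> 3,
        "level": pri & 7,
        "sequence_number": int(f["seq"]) if f["seq"] else None,
        "device_time": datetime.strptime(f"{year} {f['ts']}", fmt),
        "clock_unsynced": f["clock"] is not None,
        "event": f"{f['fac']}-{f['sev']}-{f['mnemonic']}",
        "message": f["text"],
    }
```

The same regular expression can be carried into a pipeline rule on the raw input; the year has to be supplied from the receive time because the header does not include one.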

