Hi
I have a problem with some of Graylog messages. When i verify them i notice that some messages have strange source. Source field was .Oct. What is this? Message details is as below:
facility
local7
level
4
message
16 03:10:37.889: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ***] [Source: *******] [localport: 22] [Reason: Login Authentication Failed] at 03:10:37 UTC Tue Oct 16 2018
sequence_number
815996
source
.Oct
timestamp
2018-10-16T03:25:26.357Z
Thanks.
I guess that you send them in via syslog without any modification and this is from some kind of appliance.
You should switch over to RAW Input and parse the complete message yourself with the processing pipelines for example.
Should this be a Cisco ASA/Nexus you might like to read this article: https://jalogisch.de/2018/working-with-cisco-asa-nexus-on-graylog/
Thank you jan.
I create a Raw/Plaintext UDP Input and my problem solved
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
