Issue with application_name field

I am running version 3.3.4 and I had set up a stream that was looking at the application_name field in syslog messages received from an ASA firewall, as it seemed to be available without any specific configuration. All of this is on a Syslog TCP input.

application_name must match exactly %ASA-4-722037

From there I was using a pipeline to add some other custom fields and it was all working fine until I configured the command “logging device-id hostname” on my firewalls.

After this change on the firewalls graylog stopped recognising the application_name field for reasons that I can’t understand.

According to the doc here https://docs.graylog.org/en/3.3/pages/configuration/elasticsearch.html#custom-index-mappings there should only be four default fields: timestamp, message, full_message, and source.

Any idea on where the field application_name was coming from in the first place?
Why would forcing the name on the firewalls cause this to stop working?

I don’t have a clue where to start looking to troubleshoot this. I would like to understand it before I look into changing the stream rules (using something different than application_name).

Anyone have any idea about the above?

It’s very obvious why it happened. Graylog by default parses the normal syslog message format, so %ASA-4-722037 is parsed as the application_name field. So if you use the Cisco command to include the hostname, it moves the %ASA-4-722037 field to the right, so Graylog uses another field as application_name. Because Cisco doesn’t follow the syslog standard, the best way is to set up a Raw Syslog input and use pipeline rules to correctly extract the field.

Check this great article for explanation:
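Here is an added worked example (it is not code from this thread, from Graylog, or from the article referred to above) that shows the shift described in the reply: a parser that assigns fields by position picks up whatever token follows the timestamp, so inserting the device-id hostname changes what lands in the "application name" slot, while matching on the `%ASA-<severity>-<id>` pattern itself works in both layouts. The sample lines are constructed, and the exact spacing the ASA uses around the device-id (`asa-fw-01 :`) is an assumption; the `HEADER`, `ASA_ID` and function names are mine.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample lines, not captured from a real firewall. The
# "asa-fw-01 :" form is an assumption about how the ASA inserts the
# device-id; adjust HEADER if your firewall formats it differently.
WITHOUT_DEVICE_ID = (
    "<166>Sep 21 2020 10:15:01: %ASA-4-722037: Group <VPN-POOL> User <alice> "
    "IP <203.0.113.10> SVC closing connection: Idle timeout."
)
WITH_DEVICE_ID = (
    "<166>Sep 21 2020 10:15:01 asa-fw-01 : %ASA-4-722037: Group <VPN-POOL> "
    "User <alice> IP <203.0.113.10> SVC closing connection: Idle timeout."
)
NOT_ASA = "<13>Sep 21 2020 10:15:01 bastion sshd[2201]: Accepted publickey for bob"

# PRI plus a BSD-style timestamp (ASA adds the year); a colon may follow it.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}):?\s*"
    r"(?P<rest>.*)$"
)

# Cisco ASA message identifier: %ASA-<severity>-<six-digit message id>
ASA_ID = re.compile(r"%ASA-(?P<severity>\d)-(?P<msgid>\d{6})")


def positional_app_name(line: str) -> Optional[str]:
    """Naive positional parse: the first token after the timestamp is taken
    as the application name (trailing ':' removed). This models a parser that
    fills fields by position, which is why an inserted hostname shifts it."""
    m = HEADER.match(line)
    if not m or not m.group("rest"):
        return None
    first = m.group("rest").split(None, 1)[0]
    return first.rstrip(":") or None


def extract_asa_id(line: str) -> Optional[Tuple[str, str]]:
    """Content-based extraction: find the %ASA identifier wherever it sits,
    so the device-id hostname does not change the result."""
    m = ASA_ID.search(line)
    if not m:
        return None
    return m.group("severity"), m.group("msgid")


def parse_asa_event(line: str) -> Optional[Dict[str, object]]:
    """Fields a pipeline rule would add for an ASA event; None for other lines."""
    h = HEADER.match(line)
    a = ASA_ID.search(line)
    if not h or not a:
        return None
    pri = int(h.group("pri"))
    # Anything between the timestamp and the %ASA token is the device-id.
    prefix = line[h.start("rest"):a.start()].strip().rstrip(":").strip()
    return {
        "syslog_facility": pri // 8,
        "syslog_severity": pri % 8,
        "timestamp": h.group("ts"),
        "device_id": prefix or None,
        "asa_severity": int(a.group("severity")),
        "asa_msgid": a.group("msgid"),
        "asa_message": line[a.end():].lstrip(": "),
    }


def stream_matches(line: str, wanted: str) -> bool:
    """Equivalent of a stream rule 'must match exactly %ASA-4-722037', but
    evaluated on the extracted identifier rather than a positional field."""
    found = extract_asa_id(line)
    return found is not None and f"%ASA-{found[0]}-{found[1]}" == wanted


if __name__ == "__main__":
    for sample in (WITHOUT_DEVICE_ID, WITH_DEVICE_ID, NOT_ASA):
        print(positional_app_name(sample), extract_asa_id(sample),
              stream_matches(sample, "%ASA-4-722037"))
```

The point to take away: `positional_app_name` returns `%ASA-4-722037` for the first line but `asa-fw-01` once the device-id is present, which is exactly the symptom in the question, whereas `extract_asa_id` and `stream_matches` give the same answer for both. In Graylog terms, the `ASA_ID` pattern is the kind of expression you would put in a pipeline rule (for example via its `regex()` function) on a raw input, and then build the stream rule on the field that rule sets rather than on application_name.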

Thanks for your input, there is/was no mention of the application_name field in the documentation so I was not sure where it was coming from. Also, when I removed the command from the ASA device that field didn’t come back in Graylog…

Never used lookup before so I will try implementing what’s on the article.

Do you have any idea what he means by “All of the above is needed with Graylog 2.4 - as of the new features in Graylog 3, this above would just be a content pack that includes everything.” in the article?

Not sure what content pack is.

A content pack is a collection of extractors, pipeline rules, inputs, grok patterns etc., so you can export it as a JSON file and import it (as a backup) into another system (for sharing). Check the docs.

https://docs.graylog.org/en/3.3/pages/content_packs.html

I think that it means that all grok patterns, pipeline rules and lookup tables can be exported as one content pack. In version 2.4, exporting some of that data was not possible the way it is in newer Graylog versions.

Thanks a lot, I will read up on this
