Hello!
We have a Juniper MX480 that is sending both NAT Translation syslog messages, and general syslog messages to our Graylog server.
General syslog messages are sent in a structured syslog format, and Graylog is able to receive these messages and show the correct timestamp. NAT translations are only able to be sent in the WELF format.
This is an example packet from tcpdump for general syslog that displays the correct timestamp in search:
08:33:52.244837 IP (tos 0x0, ttl 63, id 54156, offset 0, flags [none], proto UDP (17), length 161)
172.17.XX.X.syslog > syslog.domain.com.10514: [udp sum ok] SYSLOG, length: 133
Facility auth (4), Severity error (3)
Msg: 1 2020-06-11T08:33:53.588-06:00 RouterName sshd 9129 - - error: %AUTH-3-PAM: authentication error for admin from 66.2XX.XXX.XXX
This is an example packet from tcpdump for NAT translations in WELF format that is displayed with the wrong time in search:
08:31:22.145526 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto UDP (17), length 195)
172.17.XX.X.syslog > syslog.domain.com.10514: [udp sum ok] SYSLOG, length: 167
Facility local2 (18), Severity info (6)
Msg: 2020-06-11 14:31:23: MX480-CGNAT{CGNAT-NHOP}JSERVICES_SESSION_CLOSE: application:none, ae0.32767 100.64.XX.XX:36190 [64.37.XX.XX:46623] -> 64.37.XX.XX:53 (UDP)\0x0a
Another example of a packet from tcpdump with structured data disabled that also shows the correct time when searching in the web interface:
Msg: Jun 11 08:53:34 RouterName sshd[10635]: %AUTH-3: error: PAM: authentication error for help from 66.2XX.XXX.XXX
The NAT Translation log messages that are sent using the WELF log format (which cannot be changed unfortunately) can be found under all messages. However, the timestamp is the same for every message: 2020-06-23 00:00:00:000
Can anyone point me in the right direction? I tried using a date converter but I’m not sure if I’m barking up the wrong tree, or if there is a solution in the documentation that I have not been able to find. Any help sure is appreciated!
Thanks
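Added example, not part of the post above and not Juniper or Graylog code: the three message shapes quoted in the post differ in how much of the event time they carry. The RFC 5424 line includes its own UTC offset, the classic BSD line has no year and no zone, and the WELF line has a bare "YYYY-MM-DD HH:MM:SS: " prefix. When every WELF message shows one identical timestamp, the receiving parser has not recognised that prefix and has fallen back to a default, so the time has to be extracted from the message body. The code below does that extraction for all three shapes and normalises to UTC. Assumptions, not facts from the post: the WELF stamp is treated as UTC because 14:31:23 is six hours ahead of the router's -06:00 local stamps in the structured messages; the sample lines are constructed from the post's payloads with the masked addresses replaced by documentation ranges.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed samples modelled on the post's tcpdump payloads. Addresses are
# from RFC 5737 / RFC 6598 documentation ranges, not the poster's real hosts.
WELF_SAMPLE = ("2020-06-11 14:31:23: MX480-CGNAT{CGNAT-NHOP}JSERVICES_SESSION_CLOSE: "
               "application:none, ae0.32767 100.64.0.10:36190 [203.0.113.5:46623] "
               "-> 203.0.113.9:53 (UDP)\n")
RFC5424_SAMPLE = ("1 2020-06-11T08:33:53.588-06:00 RouterName sshd 9129 - - "
                  "error: %AUTH-3-PAM: authentication error for admin from 198.51.100.7")
BSD_SAMPLE = ("Jun 11 08:53:34 RouterName sshd[10635]: %AUTH-3: error: PAM: "
              "authentication error for help from 198.51.100.7")

# Router local zone taken from the -06:00 offset in the structured message (assumption).
ROUTER_LOCAL_TZ = timezone(timedelta(hours=-6))

WELF_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (.*)$", re.DOTALL)
RFC5424_RE = re.compile(r"^1 (\d{4}-\d{2}-\d{2}T[^ ]+) (\S+) ")
BSD_RE = re.compile(r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ")


def parse_welf(msg, source_tz=timezone.utc):
    """WELF prefix carries no zone. UTC is assumed by default because the
    post's WELF stamp runs six hours ahead of the router's -06:00 local
    stamps; pass source_tz to override. Returns an aware UTC datetime."""
    m = WELF_RE.match(msg.strip())
    if not m:
        return None
    naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=source_tz).astimezone(timezone.utc)


def parse_rfc5424(msg):
    """Structured syslog: the timestamp is self-describing (offset included),
    so no assumption about the sender's zone is needed."""
    m = RFC5424_RE.match(msg)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)).astimezone(timezone.utc)


def parse_bsd(msg, year, source_tz):
    """Classic 'Mon DD HH:MM:SS' has neither year nor zone; both are supplied
    by the caller (the collector normally uses its own receive year)."""
    m = BSD_RE.match(msg)
    if not m:
        return None
    naive = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=source_tz).astimezone(timezone.utc)


def event_time_utc(msg, year=None, local_tz=ROUTER_LOCAL_TZ):
    """Dispatch on message shape; returns an aware UTC datetime, or None when
    no known timestamp prefix is present (so the caller can flag the fallback
    instead of silently accepting a wrong time)."""
    if year is None:
        year = datetime.now(timezone.utc).year
    parsers = (
        parse_rfc5424,
        parse_welf,
        lambda m: parse_bsd(m, year, local_tz),
    )
    for parse in parsers:
        ts = parse(msg)
        if ts is not None:
            return ts
    return None


if __name__ == "__main__":
    for sample in (WELF_SAMPLE, RFC5424_SAMPLE, BSD_SAMPLE):
        print(event_time_utc(sample, year=2020), "<-", sample.strip()[:60])
```

The same extraction can be expressed in a Graylog pipeline rule: match the WELF prefix with regex() and hand the captured group to parse_date() with the pattern "yyyy-MM-dd HH:mm:ss" and an explicit timezone argument, then write the result to the timestamp field. Whichever route is used, the zone decision matters for NAT logs in particular: a six-hour error on a CGNAT session-close record defeats any later attempt to map an external address and port back to a subscriber.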