Juniper MX480 Wrong Timestamps

Hello!

We have a Juniper MX480 that is sending both NAT Translation syslog messages, and general syslog messages to our Graylog server.

General syslog messages are sent in a structured syslog format, and Graylog is able to receive these messages and show the correct timestamp. NAT translations are only able to be sent in the WELF format.

This is an example packet from tcpdump for general syslog that displays the correct timestamp in search:
08:33:52.244837 IP (tos 0x0, ttl 63, id 54156, offset 0, flags [none], proto UDP (17), length 161)
172.17.XX.X.syslog > syslog.domain.com.10514: [udp sum ok] SYSLOG, length: 133
Facility auth (4), Severity error (3)
Msg: 1 2020-06-11T08:33:53.588-06:00 RouterName sshd 9129 - - error: %AUTH-3-PAM: authentication error for admin from 66.2XX.XXX.XXX

This is an example packet from tcpdump for NAT translations in WELF format that is displayed with the wrong time in search:
08:31:22.145526 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto UDP (17), length 195)
172.17.XX.X.syslog > syslog.domain.com.10514: [udp sum ok] SYSLOG, length: 167
Facility local2 (18), Severity info (6)
Msg: 2020-06-11 14:31:23: MX480-CGNAT{CGNAT-NHOP}JSERVICES_SESSION_CLOSE: application:none, ae0.32767 100.64.XX.XX:36190 [64.37.XX.XX:46623] -> 64.37.XX.XX:53 (UDP)\0x0a

Another example of a packet from tcpdump with structured data disabled that also shows the correct time when searching in the web interface:
Msg: Jun 11 08:53:34 RouterName sshd[10635]: %AUTH-3: error: PAM: authentication error for help from 66.2XX.XXX.XXX

The NAT Translation log messages that are sent using the WELF log format (which cannot be changed unfortunately) can be found under all messages. However, the timestamp is the same for every message: 2020-06-23 00:00:00:000

Can anyone point me in the right direction? I tried using a date converter but I’m not sure if I’m barking up the wrong tree, or if there is a solution in the documentation that I have not been able to find. Any help sure is appreciated!

Thanks

  1. Please send an example message stored in Graylog; what fields are parsed?
  2. You can use either an extractor or a pipeline rule to fix the timestamp of the message.

In addition to @shoothub, I need to add:

  • if no timezone information is given in the timestamp, Graylog assumes that it is UTC
  • you can add “store full message” to syslog messages, which allows you to see the original unparsed message.
    • you can extract the timestamp from that field and delete the field later to reduce the amount of data on disk
    • this field is often used for debugging and useful for that.

This is what the CGNAT message looks like when it is searched in Graylog. This is fixable with pipelines and extractors? Thanks for the tip!

Thanks Jan! I will try what you’ve told me and report back what I find. It’s appreciated!

Hey Guys,

First of all I updated to the latest version of Graylog and tried out the converter. I’m not having much luck getting the date from the full message into the highlighted date in the top left so they are searchable by date.

Here is a snippet:

Is there a resource you could point me to, that would help me get the highlighted dates to match, or at least be searchable?

Thanks,

The simplest way is to create an extractor to extract the timestamp (e.g. using a regex) from full_message and add a Date converter to parse the date:

Source field: full_message
Regular expression: <[0-9]+>(.*): MX480-CGNAT
Condition: Only attempt extraction if field contains string: MX480-CGNAT
Store as field: timestamp
Extraction strategy: Copy
Add converter: Date
Format string: yyyy-MM-dd HH:mm:ss
Timezone: select timezone
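Added example (my own, not from the thread or from Graylog): the extractor above mirrored in Python against a constructed copy of the NAT line, to show how the Timezone setting changes what gets stored. In the captured packets the WELF line reads 14:31:23 while tcpdump's clock and the structured message both sit around 08:3x -06:00, so that sample timestamp is already UTC; selecting the router's local zone instead would shift it six hours. The full_message text and the PRI prefix are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed full_message as Graylog would store the WELF NAT line from the
# thread (PRI <150> = facility local2 (18) * 8 + severity info (6), matching
# the tcpdump header; masked address octets replaced with placeholder values).
SAMPLE_FULL_MESSAGE = (
    "<150>2020-06-11 14:31:23: MX480-CGNAT{CGNAT-NHOP}JSERVICES_SESSION_CLOSE: "
    "application:none, ae0.32767 100.64.0.1:36190 [64.37.0.1:46623] "
    "-> 64.37.0.2:53 (UDP)"
)
# Structured (RFC 5424) message from the same router two minutes later; it
# carries an explicit -06:00 offset, so it serves as the clock reference.
SAMPLE_STRUCTURED_TS = "2020-06-11T08:33:53.588-06:00"

# Same pattern as the extractor; the capture group feeds the Date converter.
TIMESTAMP_RE = re.compile(r"<[0-9]+>(.*): MX480-CGNAT")
FORMAT = "%Y-%m-%d %H:%M:%S"  # strptime equivalent of yyyy-MM-dd HH:mm:ss


def extract_welf_timestamp(full_message: str, utc_offset_hours: float) -> Optional[datetime]:
    """Mirror extractor + Date converter: return a UTC datetime, or None when the
    condition (message contains MX480-CGNAT) or the regex does not match."""
    if "MX480-CGNAT" not in full_message:
        return None
    m = TIMESTAMP_RE.search(full_message)
    if m is None:
        return None
    naive = datetime.strptime(m.group(1), FORMAT)
    # The WELF line has no zone, so the converter's Timezone setting decides how
    # the wall-clock value is interpreted before Graylog stores it as UTC.
    device_tz = timezone(timedelta(hours=utc_offset_hours))
    return naive.replace(tzinfo=device_tz).astimezone(timezone.utc)


def offset_from_structured(welf_utc: datetime) -> timedelta:
    """Gap between the WELF-derived time and the structured message's UTC time:
    about 2.5 minutes means the zone is right, about 6 hours means it is wrong."""
    ref = datetime.fromisoformat(SAMPLE_STRUCTURED_TS).astimezone(timezone.utc)
    return abs(ref - welf_utc)


if __name__ == "__main__":
    for label, hours in (("UTC", 0), ("UTC-6 (router local)", -6)):
        ts = extract_welf_timestamp(SAMPLE_FULL_MESSAGE, hours)
        print(f"Timezone={label}: stored as {ts.isoformat()}, "
              f"{offset_from_structured(ts)} from the structured message")
```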

You guys are legends. I learned so much from this. Thank you!!