Logs from AIX machine giving source as "Message" in Graylog

Hi Guys,

Need help. I have a Graylog setup; it's working fine for logs from rsyslog on Linux, but for the AIX machine I am using syslog as the forwarder, and the problem I am facing is that the source is coming through as "Message" instead of the server name.

Timestamp                 source
2019-03-27 14:46:01.000   Message

How do I fix this?

Br,
Gurpreet

fix your sending source …

What type of software did you use on the AIX machines?

Hi Jan,

I am using the syslog forwarder on the AIX side. This is the entry in syslog.conf: *.debug @141.247.233.209

Again, what software did you use?

rsyslog, syslog-ng?

You need to configure that software to follow one of the two possible syslog standards, that is RFC 5424 or RFC 3164. When that is configured correctly, your issues will go away.

Yes, Jan, it's configured; I am using the default syslog in AIX. Messages are getting forwarded, but in Graylog it says "message forwarded from" instead of just the server name. For Linux it's working fine.

I don't think I was able to explain it properly. Actually, the problem is that I am getting the messages from my AIX machine, but in the source field I am getting "message forwarded from".

As mentioned in the document below:
https://rsa.jiveon.com/docs/DOC-48972

My objective is to get just the source name in the source field, not "message forwarded from". :confused:

But the document already gives you a solution:

When starting the syslogd daemon on AIX, don't use the -n flag.

@jan

No, Jan. If I use the -n flag it will suppress the whole "Message forwarded from" text; instead I am seeing the source name as syslogd. My concern is to remove the phrase "message forwarded from" … I still need the source to give me the hostname in the source field so that I can run my queries successfully.

If you forward your messages to a RAW input in Graylog, what does that look like?

BTW, you have seen that this is not bad behaviour of Graylog and that we fix the shitty stuff others send, right … just to make it clear.

@jan agreed, it's not Graylog's fault. I appreciate your help, but I am new to Graylog and just wondering if I can have a meaningful hostname in the source field … I know it has to do with AIX syslog rather than Graylog.

In the end you can fix anything in Graylog, but it will put some load on the system. So you should have clean messages if possible. And having the source follow the standards is the minimum I can think of.

Personally, I would create a RAW input, check how messages are ingested into it, and use the processing pipeline to normalize and split the messages to my needs and wishes.
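As an added illustration of the normalization Jan describes (example code, not from the thread, from Graylog, or from AIX): a small Python parser for the line shape AIX syslogd appears to be relaying. It shows why a plain RFC 3164 parser takes "Message" as the hostname, pulls the real host out of the "Message forwarded from <host>:" prefix, falls back to the sending peer's address when the line carries no hostname at all (the -n case, where the first token is a TAG such as "syslogd:"), and re-emits a standards-shaped line with the host in the right slot. The sample lines are constructed; the exact AIX prefix layout, the "-n" output shape and the documentation-range peer address are assumptions, and Graylog's own pipeline rule language is not used here.

```python
import re
from typing import Dict, Optional

# Constructed sample lines (not captured from a real AIX box). The
# "Message forwarded from <host>: " prefix layout is an assumption based on
# what the thread describes AIX syslogd adding when it relays messages.
SAMPLE_AIX = "<13>Mar 27 14:46:01 Message forwarded from aixhost01: syslogd: restart"
SAMPLE_AIX_N = "<13>Mar 27 14:46:01 syslogd: restart"   # assumed -n output: prefix gone, no hostname
SAMPLE_LINUX = "<13>Mar 27 14:46:01 web01 sshd[1234]: Accepted publickey for root"

# RFC 3164 header: <PRI>, then "Mmm dd hh:mm:ss", then everything else.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<rest>.*)$"
)
# AIX relay prefix sitting in the slot where the hostname should be.
AIX_PREFIX = re.compile(r"^Message forwarded from (?P<host>[^\s:]+): (?P<msg>.*)$")


def naive_source(line: str) -> str:
    """What a plain RFC 3164 parser does: take the first token after the
    timestamp as the hostname. On the AIX line that token is "Message"."""
    m = RFC3164.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line")
    return m.group("rest").split(" ", 1)[0]


def parse(line: str, peer: Optional[str] = None) -> Dict[str, object]:
    """Parse a syslog line, recovering the real source from the AIX prefix.

    peer: the sender's IP as seen by the input; used as the source when the
    message carries no hostname at all (the -n case)."""
    m = RFC3164.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line")
    pri = int(m.group("pri"))
    rest = m.group("rest")

    aix = AIX_PREFIX.match(rest)
    if aix:
        source, msg = aix.group("host"), aix.group("msg")
    else:
        first, _, remainder = rest.partition(" ")
        # A TAG ("syslogd:", "sshd[1234]:") where the hostname should be means
        # the sender omitted the host entirely; fall back to the peer address.
        if first.endswith(":") or "[" in first:
            source, msg = peer or "unknown", rest
        else:
            source, msg = first, remainder

    return {
        "priority": pri,
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "source": source,
        "message": msg,
    }


def normalize(line: str, peer: Optional[str] = None) -> str:
    """Re-emit the message as a plain RFC 3164 line with the source in the
    hostname slot, the shape a syslog input expects."""
    f = parse(line, peer)
    return f"<{f['priority']}>{f['timestamp']} {f['source']} {f['message']}"


if __name__ == "__main__":
    for line in (SAMPLE_AIX, SAMPLE_AIX_N, SAMPLE_LINUX):
        print(naive_source(line), "->", parse(line, peer="192.0.2.10")["source"])
        print("  ", normalize(line, peer="192.0.2.10"))
```

The same logic maps onto a pipeline rule on a RAW input: match the prefix, set `source` from the captured host, and strip the prefix from the message; the peer-address fallback is the only safe choice when the -n form drops the hostname, since guessing a host from the TAG would mis-attribute every message.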
