Message prefix when using Raw/Plaintext

I am testing a Raw/Plaintext UDP input for the first time and noticed a discrepancy between the message on the device itself and what is shown in Graylog.

[Screenshot: Graylog cap]

As shown above, the message is prefixed with <xxx>. Can anyone explain where this comes from and how to avoid it?

Also if I run a test with a syslog input and include the full_message field, the message field will be as expected but the full_message field will contain the prefix as explained above.

Any idea?

Ok I have done some more digging.

I have used tcpdump/Wireshark to capture packets and realised that the message does actually contain something before the actual message.

[Screenshot: gray2]

So I went to RFC5424 and came across PRI and PRIVAL, explained on pages 8-10.

Still not sure why this would come up sometimes and sometimes not, but I would assume it depends on what the devices actually send, i.e. whether they follow the RFC or not?

It’s expected behavior because you use a Raw input. Syslog messages have the format HEADER MESSAGE etc., and because you use a Raw input, Graylog saves the complete syslog format without extracting any fields and does not parse it (as a Syslog input does).

There are 2 syslog formats: older RFC3164 and newer RFC5424
https://tools.ietf.org/html/rfc3164
https://tools.ietf.org/html/rfc5424

It depends on the device, whether it uses a syslog format (RFC3164, RFC5424) or not.
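
The `<xxx>` prefix discussed in this thread can be decoded and split off as follows. This is an added example, not part of the original posts and not Graylog code; the function names, the short facility/severity labels, and the sample datagrams are constructed for illustration.

```python
import re

# RFC 5424 section 6.2.1: PRI = "<" PRIVAL ">", PRIVAL = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>")

SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
# Conventional short names for the numeric facility codes 0..23.
FACILITIES = (
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
) + tuple(f"local{i}" for i in range(8))


def split_pri(raw):
    """Return (facility, severity, rest), or None if raw has no valid PRI."""
    m = PRI_RE.match(raw)
    if m is None:
        return None  # sender did not prepend a PRI; leave the message alone
    prival = int(m.group(1))
    if prival > 191:  # 23 * 8 + 7 is the largest valid PRIVAL
        return None
    facility, severity = divmod(prival, 8)
    return FACILITIES[facility], SEVERITIES[severity], raw[m.end():]


def describe(raw):
    """One-line summary: decoded priority plus the message without its prefix."""
    parsed = split_pri(raw)
    if parsed is None:
        return f"no PRI | {raw}"
    facility, severity, rest = parsed
    return f"{facility}.{severity} | {rest}"


# Constructed sample datagrams, as a Raw/Plaintext input would store them.
SAMPLES = [
    "<134>Oct 11 22:14:15 fw01 filterlog: pass in on em0",       # RFC 3164 style
    "<34>1 2003-10-11T22:14:15.003Z host.example.com su - ID47 - 'su root' failed",
    "Oct 11 22:14:15 printer01 job 42 finished",                 # no PRI sent
    "<999>not a priority",                                       # out of range
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(describe(line))
```
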

Thanks for your input @shoothub
