Message source is a port?

Hi there,
I’m getting a lot of messages on my Graylog portal that there’s a flapping “T1” interface. I want to identify the issue, but the source is always 48656: and changes every message, although it remains a 48xxx: source. Is this a normal occurrence? I’d like to be able to identify the source of these messages so I can see if there is a flapping port that needs to be managed.

Thanks!
O

I guess that your devices do not send valid syslog.

Switch the input to RAW and split the data yourself. If you use Cisco devices this blog post might help with that: https://jalogisch.de/2018/working-with-cisco-asa-nexus-on-graylog/
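What "split the data yourself" can look like, as an added example that is not part of the original reply and not Graylog's own code. It assumes Cisco-style lines with a sequence number right after the priority; the sample datagrams, addresses and function names are constructed, and `naive_source` is a hypothetical lenient parser, not Graylog's.

```python
import re

# Constructed samples: (sender IP from the UDP packet, raw datagram).
# After the PRI comes a per-message sequence number, not an RFC 3164
# timestamp and hostname, so there is no hostname field to read.
SAMPLES = [
    ("192.0.2.10", "<187>48656: *Mar  1 10:15:02.113: %LINK-3-UPDOWN: "
                   "Interface T1 0/0/0, changed state to down"),
    ("192.0.2.10", "<187>48657: *Mar  1 10:15:04.120: %LINK-3-UPDOWN: "
                   "Interface T1 0/0/0, changed state to up"),
]

RFC3164_HEAD = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ")
RAW_HEAD = re.compile(r"^(?:<(\d{1,3})>)?(?:(\d+): )?(.*)$", re.S)

def naive_source(datagram):
    """Hypothetical lenient parser: no valid header, so the first
    token after the PRI ends up as the 'source'."""
    m = RFC3164_HEAD.match(datagram)
    if m:
        return m.group(1)
    return re.sub(r"^<\d{1,3}>", "", datagram).split(" ", 1)[0]

def split_raw(sender_ip, datagram):
    """Split a raw datagram; the source is the sender's address."""
    pri, seq, rest = RAW_HEAD.match(datagram).groups()
    fields = {"source": sender_ip, "message": rest}
    if pri is not None and int(pri) <= 191:  # valid PRI range is 0..191
        fields["facility"], fields["severity"] = divmod(int(pri), 8)
    if seq is not None:
        fields["sequence"] = int(seq)
    return fields

def flaps_by_source(samples):
    """Count link up/down messages per sending device."""
    counts = {}
    for ip, datagram in samples:
        fields = split_raw(ip, datagram)
        if "%LINK-3-UPDOWN" in fields["message"]:
            counts[fields["source"]] = counts.get(fields["source"], 0) + 1
    return counts

if __name__ == "__main__":
    for ip, datagram in SAMPLES:
        print(naive_source(datagram), "->", split_raw(ip, datagram)["source"])
    print(flaps_by_source(SAMPLES))
```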

Oh I see, so it’s just that the actual sources for these messages are devices which are not sending Syslog-compliant messages? For context I’m on a corporate network with a few thousand devices so if there’s a small chunk that are sending bad messages I’m not too freaked out.
