The structured syslog from the Juniper SRX starts as follows:
RT_FLOW_SESSION_CLOSE [firstname.lastname@example.org reason="idle Timeout" source-address="x.x.x.x" and so on.
Graylog parses the first string "RT_FLOW_SESSION_CLOSE" as the field application_name=RT_FLOW, but it should parse it as RT_FLOW_SESSION_CLOSE.
Any idea how to fix this?
I haven't configured an extractor yet, as all the other fields are parsed natively.
I would send that data to a raw input and parse it on your own.
I guess that Juniper is not following the RFC for syslog messages, and so the parsing is not working properly.
Correct… I created a raw input and my own grok filter; now everything parses correctly. I'll post my grok filter on the marketplace to help others.
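As an added example (not code from this thread, and not Graylog's or Juniper's own parser), here is a small Python parser for the Juniper SRX structured-data format discussed above. It takes the event name from the token directly in front of the `[` (in RFC 5424 terms that token is the MSGID, which follows APP-NAME and PROCID in the header) and splits the `key="value"` parameters, including the backslash escapes RFC 5424 allows inside values. The sample lines, hostnames, addresses, counters and the `junos@2636.1.1.1.2.129` SD-ID are constructed for illustration; real logs use plain ASCII double quotes, not the curly ones the forum rendered in the question.

```python
"""Parser for Juniper SRX structured-data syslog (RT_FLOW_* events).

Added example, not code from the thread or from Graylog/Juniper.
"""
import re
from typing import Any, Dict, List

# Constructed sample lines (not taken from the original thread). The first one
# follows the RFC 5424 layout that Juniper's structured-data syslog uses:
#   <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ID name="value" ...]
# The second is the bare payload as it might be pasted or forwarded without a
# header. Hostnames, addresses, counters and the SD-ID junos@2636.1.1.1.2.129
# are assumptions made for this example.
SAMPLE_LINES: List[str] = [
    '<14>1 2024-01-15T10:22:33.123Z srx-fw RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.129 reason="idle Timeout" source-address="10.0.0.5" '
    'source-port="51234" destination-address="93.184.216.34" '
    'destination-port="443" protocol-id="6" policy-name="trust-to-untrust" '
    'packets-from-client="12" bytes-from-client="2345" elapsed-time="61"]',
    'RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.0.0.7" '
    'source-port="40001" destination-address="10.1.2.3" destination-port="22" '
    'protocol-id="6" policy-name="mgmt \\"ssh\\" allow"]',
]

# Optional RFC 5424 header in front of the MSGID. Each token is a run of
# non-whitespace, so the match cannot run into the structured-data element.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+)\s+(?P<timestamp>\S+)\s+'
    r'(?P<hostname>\S+)\s+(?P<app_name>\S+)\s+(?P<procid>\S+)\s+'
)

# The event name is the token directly before the SD element (the MSGID in
# RFC 5424 terms). Greedy `.*` plus a final `\]` tolerates escaped `\]` inside
# values; anything after the closing bracket is treated as a free-text MSG.
SD_RE = re.compile(
    r'^(?P<event>[A-Za-z0-9_]+)\s+\[(?P<sd_id>\S+)\s*(?P<params>.*)\]'
    r'(?P<msg>[^\]]*)$'
)

# name="value"; RFC 5424 6.3.3 escapes `"`, `\` and `]` inside values with `\`.
PARAM_RE = re.compile(r'(?P<name>[^\s=\]"]+)="(?P<value>(?:[^"\\]|\\.)*)"')

# Counters worth storing as integers. Assumed field names modelled on
# RT_FLOW_SESSION_CLOSE; extend to taste.
INT_FIELDS = {
    'source-port', 'destination-port', 'protocol-id', 'elapsed-time',
    'packets-from-client', 'bytes-from-client',
    'packets-from-server', 'bytes-from-server',
}


def _unescape(value: str) -> str:
    """Undo the backslash escapes RFC 5424 allows in a PARAM-VALUE."""
    return re.sub(r'\\([\\"\]])', r'\1', value)


def parse_juniper_structured(line: str) -> Dict[str, Any]:
    """Parse one structured-data line into a flat dict.

    Header fields are included only when a header is present; the event name
    (e.g. RT_FLOW_SESSION_CLOSE) is always returned separately from the SD-ID.
    Raises ValueError when no structured-data element is found.
    """
    result: Dict[str, Any] = {}
    rest = line.strip()

    header = HEADER_RE.match(rest)
    if header:
        result.update(header.groupdict())
        result['pri'] = int(result['pri'])
        result['version'] = int(result['version'])
        rest = rest[header.end():]

    sd = SD_RE.match(rest)
    if sd is None:
        raise ValueError(f'no structured-data element in: {line!r}')
    result['event_name'] = sd.group('event')
    result['sd_id'] = sd.group('sd_id')
    if sd.group('msg').strip():
        result['msg'] = sd.group('msg').strip()

    for m in PARAM_RE.finditer(sd.group('params')):
        name, value = m.group('name'), _unescape(m.group('value'))
        result[name] = int(value) if name in INT_FIELDS and value.isdigit() else value
    return result


def parse_all(lines: List[str]) -> List[Dict[str, Any]]:
    """Parse a batch, skipping lines that are not structured-data events."""
    parsed: List[Dict[str, Any]] = []
    for line in lines:
        try:
            parsed.append(parse_juniper_structured(line))
        except ValueError:
            continue
    return parsed


if __name__ == '__main__':
    for event in parse_all(SAMPLE_LINES):
        print(event['event_name'], event.get('hostname', '-'), event['sd_id'])
        for key in ('source-address', 'destination-address', 'destination-port', 'reason'):
            if key in event:
                print(f'  {key} = {event[key]!r}')
```

Run as a script, it prints the event name, host and SD-ID for each sample followed by a few of the parsed fields. If you stay with a raw input in Graylog, the same three-part structure maps onto a grok pattern along the lines of `%{WORD:event_name} \[%{NOTSPACE:sd_id} %{GREEDYDATA:params}\]` with a key=value extractor applied to `params` afterwards; the point of capturing `event_name` on its own is that it is a different token from the app-name position in the header.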