Problem with Cisco Routers / Switches with source value

Graylog version : 3.2.5
OS : CentOS 7
Hi, I am pretty new to Graylog and maybe the question is stupid and the solution is pretty obvious, but not to me.
So I have set up Graylog for syslogging messages from Cisco routers and switches. Though I have noticed something very strange. The source value in the logs appears in the format "ip:". Example: 10.15.100.254: and the colon at the end of the IP is driving me crazy because it messes everything up: integration with LibreNMS, searching in the logs, etc. I've set up the Cisco devices to use
logging origin-id IP. This means that the logging id should be the IP. However, even if I change it to a random string there is always the dreaded ":" at the end. I've tried removing it with extractors but I guess the source value is hardcoded and can't be changed. So any input would be appreciated.
Thanks!

Graylog by default supports the Syslog format based on the standard. But Cisco does not follow the Syslog format standard, so you need to use some extractors or pipeline rules to parse its logs.

Check this nice article about it:

I use one workaround to replace the source field with the IP of the device sending the logs, using Graylog's internal field gl2_remote_ip, for network devices:

rule "Set Source IP"
when
    has_field("message")
then
    // overwrite the parsed source with the IP Graylog saw the datagram arrive from
    set_field("source", to_string($message.gl2_remote_ip));
end
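As an added example (not from the reply above), a narrower variant of the same idea: it only rewrites messages whose source still ends in the trailing ":" left by Cisco's origin-id, strips that colon instead of replacing the value, and keeps the raw value in a separate field; the field name source_raw is my own choice. It uses the pipeline regex() function, whose group "0" holds the first capture group.

```text
rule "Cisco: strip trailing colon from source"
when
    // only touch messages whose source carries Cisco's trailing ":"
    has_field("source") &&
    regex("^(.+):$", to_string($message.source)).matches == true
then
    let src = to_string($message.source);
    let m = regex("^(.+):$", src);
    // group 0 is everything before the final colon, e.g. "10.15.100.254"
    set_field("source", m["0"]);
    // keep what the device actually sent, so the rewrite can be audited
    set_field("source_raw", src);
end
```

Attach the rule to a stage on the stream that receives the Cisco input; messages from other devices are left untouched because the when clause does not match them.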

