Problem with syslog formating

TheWalrus · July 8, 2024, 5:32pm

Hi, I’m currently running Graylog 6.0 and receiving logs from Cisco switches, through a syslog UDP input. The logs follow this format:

<189>124087: Jul 8 2024 10:58:43.417 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to up

It mostly manages to extract the fields correctly, however it sets the source as the milliseconds of the timestamp (417 in the above example).

The only pipeline I have running is one to get the string representation of the severity. I’m really struggling to find a way to make it work, so I would greatly appreciate any pointers. Thanks!

frantz · July 15, 2024, 2:15pm

Syslog format is:

<priority><timestamp> <hostname> <processus>:<message>

So it’s normal the syslog parser doesn’t work with your logs.
If you can’t change the format of the log I would recommend to create extractors and/or pipelines to extract fields.

system · July 29, 2024, 2:15pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Graylog2 and rsyslog Graylog Central (peer support)	2	421	February 12, 2024
Issue with Syslog input UDP Graylog Central (peer support)	3	615	November 1, 2019
Graylog Source-field configuration error? Graylog Central (peer support)	2	926	January 31, 2018
Syslog from Ubiquiti EdgeRouter Graylog Central (peer support)	3	6653	November 14, 2019
Cisco (not only) formatting Graylog Central (peer support)	5	1545	June 2, 2017

Problem with syslog formating

Related topics