Source = :[ cisco syslog, any good way of fixing this?

We are currently trying to get a better understanding of an older network running some Cisco services which generate a lot of broadcast traffic / multicast traffic etc.
The traffic is expected, but after an upgrade we have noticed that 17 of the Cisco 3850 switches are experiencing a bit more broadcast than expected.
I am therefore trying to get a better understanding of the situation, but have run into an interesting situation which I am not 100% sure how to deal with.

When Graylog receives the log, all syslog entries regarding the broadcast storm are marked as “:[” under source. I'm guessing it's because the actual log line on the switch looks like this, without any src specification besides the Te1/1/4 etc.

001838: Jun 9 14:01:51.615: %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Te1/1/4. A packet filter action has been applied on the interface.
001839: Jun 9 14:02:00.004: %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Te1/1/3. A packet filter action has been applied on the interface.
001840: Jun 9 14:03:02.927: %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Te1/1/3. A packet filter action has been applied on the interface.
001841: Jun 9 14:03:54.315: %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Te1/1/4. A packet filter action has been applied on the interface.
001842: Jun 9 14:04:05.865: %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Te1/1/3. A packet filter action has been applied on the interface.
001843: Jun 9 14:04:12.135: %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Te1/1/4. A packet filter action has been applied on the interface.
001844: Jun 9 14:04:54.075: %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Te1/1/4. A packet filter action has been applied on the interface.

Is there any src information that can be used to tag the packet in a manner so I can specify the src address of the switch, taken from the IP header (encapsulation part of the UDP), or something similar to this?

I hope the question isn't too scattered.

All the best
ketil

Hi @ketil
It's because Cisco doesn't follow the syslog protocol standard. So the better way is to use a Raw Syslog input and use custom extractors or pipeline rules to extract data into your own fields.

If you only want to fix the source field so it contains the IP of the switch, use this simple pipeline rule, which replaces the source field with the IP of the device sending the logs, taken from the Graylog internal field gl2_remote_ip.

rule "Set Source IP"
when
has_field("message")
then
// gl2_remote_ip is the sender address Graylog records on the input; use it as source
set_field("source", to_string($message.gl2_remote_ip));
end

PS: If you want to change it only for Cisco switches, add another condition to the when clause.

2 Likes
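As an added illustration (not from this thread and not Graylog's own code), here is a Python parser that does for the IOS lines quoted above what a custom extractor plus the pipeline rule would do: split the Cisco `%FACILITY-SEVERITY-MNEMONIC` header into fields, set `source` from the sender IP, and pull out the interface name. It goes one step further and counts storm-control hits per interface; the sender IP 192.0.2.10 and the three sample lines are constructed for the example.

```python
import re
from collections import Counter

# Cisco IOS syslog line: <seq>: <timestamp>: %FACILITY-SEVERITY-MNEMONIC: <text>
# The optional "[*.]" tolerates the marker IOS prefixes to the timestamp when
# the clock is not authoritative or not synchronised.
IOS_LINE = re.compile(
    r"^(?P<seq>\d+): [*.]?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
# Interface names such as Te1/1/4 or Gi1/0/24, as they appear in "... on Te1/1/4."
IFACE = re.compile(r"\bon (?P<iface>[A-Za-z]+\d+(?:/\d+)*)\.")


def parse_ios_message(message, gl2_remote_ip):
    """Return the fields an extractor would add, or None if the line is not IOS-shaped."""
    m = IOS_LINE.match(message)
    if m is None:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    # Same idea as the pipeline rule: the raw message carries no hostname,
    # so the address the datagram came from becomes the source.
    fields["source"] = gl2_remote_ip
    iface = IFACE.search(fields["text"])
    if iface:
        fields["interface"] = iface.group("iface")
    return fields


def storms_per_interface(messages, gl2_remote_ip):
    """Count STORM_CONTROL-3-FILTERED events per interface for one sending switch."""
    counts = Counter()
    for line in messages:
        f = parse_ios_message(line, gl2_remote_ip)
        if f and f["facility"] == "STORM_CONTROL" and f["mnemonic"] == "FILTERED":
            counts[f.get("interface", "unknown")] += 1
    return dict(counts)


# Constructed sample input: three of the lines quoted in the question, as if
# received from a switch at 192.0.2.10 (placeholder address).
SAMPLE = [
    "001838: Jun 9 14:01:51.615: %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Te1/1/4. A packet filter action has been applied on the interface.",
    "001839: Jun 9 14:02:00.004: %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Te1/1/3. A packet filter action has been applied on the interface.",
    "001840: Jun 9 14:03:02.927: %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Te1/1/3. A packet filter action has been applied on the interface.",
]

if __name__ == "__main__":
    print(parse_ios_message(SAMPLE[0], "192.0.2.10"))
    print(storms_per_interface(SAMPLE, "192.0.2.10"))
```

Lines that do not match the IOS shape come back as None rather than being mis-tagged, which is the case to watch for when the same input also receives non-Cisco syslog.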

Thanks, we now have exactly what we were looking for, and data is slowly being sucked up and showing in a manner which will make sense over time :)
Have a great day and thanks for the help.

1 Like