Source field identification shows unknown, only Mikrotik

(Anderson Junior) #1

I am using graylog in version 3, before I had a virtual machine that I downloaded straight from the graylog site and it worked normal, now in version 3 the source field is only unknown, I tried to use the extractor and it works fine, but since I have more routers mikrotik are all appearing as if it were one, I did not want to set up an input for each mikrotik with different ports, because I want to monitor many.


ps: I’m using google translator …

(Konrad Merz) #2

What kind of Input do you use and how did you configure it?

It kind of reads, that you were upgrading to 3.0, but I could have misunderstood. If thought, did you change something on your config?

(Anderson Junior) #3

Thanks for the quick response…

The input looks like this:

I did not upgrade to version 3, before I had to study and test a virtual machine with version 2.5, I downloaded it here

version 3 I installed on a physical machine, which is the one I’m currently using.


(Jan Doberstein) #4

@andersonsc10 only a short question - are you are ware that 3.0 is a beta release. That it is not (yet) ready for production and only available for testing?

It looks like the Syslog Messages from (your) microtik are not Syslog messages that follow the RFC. I personally would recommend that you create a RAW/Plaintext input on the same port just to receive the complete message and check how they arrive in Graylog.

After that had happened. It might be that you discovered a BUG in the Beta Version and it would be very nice if you open a bug report or you need to parse the messages with processing pipelines or extractors to have the submitted information seperated.

(Anderson Junior) #5

Yes, I know beta yet, I like to test …

Okay, I did the raw input type setting as you suggested, it follows an image, I do not know how to view the complete message …


(Tess) #6

You will not have to. One input can discern between different sources just fine.

From your screenshot, it looks like Graylog3 is unable to auto-fill the Source field, which it usually does based on the source IP of the incoming message. Correct me if I’m wrong @Jan.