I am using Graylog version 3. Before, I had a virtual machine that I downloaded straight from the Graylog site and it worked normally. Now, in version 3, the source field is only "unknown". I tried to use the extractor and it works fine, but since I have more Mikrotik routers, they are all appearing as if they were one. I did not want to set up an input for each Mikrotik with different ports, because I want to monitor many.
@andersonsc10 only a short question - are you aware that 3.0 is a beta release? That it is not (yet) ready for production and only available for testing?
It looks like the Syslog messages from (your) Mikrotik are not Syslog messages that follow the RFC. I personally would recommend that you create a RAW/Plaintext input on the same port just to receive the complete message and check how they arrive in Graylog.
After that has happened, it might be that you discovered a bug in the beta version, and it would be very nice if you opened a bug report, or you need to parse the messages with processing pipelines or extractors to have the submitted information separated.
You will not have to. One input can discern between different sources just fine.
From your screenshot, it looks like Graylog3 is unable to auto-fill the Source field, which it usually does based on the source IP of the incoming message. Correct me if I’m wrong @Jan.
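Added example, not part of the thread or of Graylog's code: a Python sketch of the check suggested above for lines captured on a raw/plaintext input, testing whether each line has an RFC 3164 or RFC 5424 header that carries a hostname. The sample lines, the 192.0.2.x addresses and the fall-back to the sender IP are assumptions made for illustration.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>[1-9]\d? (?:-|\d{4}-\d{2}-\d{2}T\S+) "
    r"(?P<host>\S+) \S+ \S+ \S+ ")
# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d "
    r"\d{2}:\d{2}:\d{2} (?P<host>\S+) ")
PRI_ONLY = re.compile(r"^<(?P<pri>\d{1,3})>")


def classify(raw, sender_ip):
    """Return (format, source) for one raw line received from sender_ip."""
    for name, rx in (("rfc5424", RFC5424), ("rfc3164", RFC3164),
                     ("pri-only", PRI_ONLY)):
        m = rx.match(raw)
        if not m or int(m.group("pri")) > 191:  # PRI = facility*8 + severity
            continue
        host = m.groupdict().get("host")
        # No usable hostname in the header: fall back to the sender address
        # (assumption for this example).
        return name, host if host and host != "-" else sender_ip
    return "not-syslog", sender_ip


# Constructed sample lines (not captured from a real device).
SAMPLES = [
    ("192.0.2.10", "<34>Oct 11 22:14:15 router-a su: session opened"),
    ("192.0.2.11", "<165>1 2003-10-11T22:14:15.003Z router-b app - ID47 - started"),
    ("192.0.2.12", "<134>firewall,info input: in:ether1 out:(none)"),
    ("192.0.2.13", "system,info user admin logged in"),
]


def report(samples=SAMPLES):
    """Map each sender IP to the (format, source) derived from its line."""
    return {ip: classify(raw, ip) for ip, raw in samples}


if __name__ == "__main__":
    for ip, (fmt, source) in report().items():
        print(f"{ip:12} {fmt:10} source={source}")
```

Lines reported as `pri-only` or `not-syslog` have no hostname field to read, so any per-device source has to come from the sender address or from an extractor or pipeline rule.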