Store_full_message: true on Raw/Plaintext UDP

(Jose) #1

I am having problems configuring my inputs.
We have about 800 Cisco switches and routers. For testing purposes, I installed the OVA, which works great except for the specificities of the Cisco syslog message format.

So I followed the recommendations of using the Raw/Plaintext UDP Input, which works great, except for the little detail that I cannot choose “store_full_message: true” on this type of input, and the users find the parsing of the messages great, but they would like to see the “full_message” field from time to time.

So I went to the standard UDP input, where I can choose “store_full_message: true” and then show the full message when wanted, but the parsing for Cisco syslog messages does not work great and a lot of messages are dropped with this input type.

So I come to you for guidance on what to do?

Many thanks

(Jan Doberstein) #2

You are missing the normalization and extraction of the content.

This way your users do not need to search in the full message because they have all the details.

(Jose) #3

You are right.
Many thanks for answering so fast.
The thing is, I would also like to use the annotation function in Grafana to show the messages by severity, and the only way to show the message with the source is using the full_message field.
So I was wondering if there is a way to activate “store_full_message: true” on the Raw/Plaintext UDP Input so I can get and give the best experience to my users!
Many thanks again.

(Jan Doberstein) #4

With a RAW input, the message field contains the same information as you would have in a syslog message in the full_message field.
