Please, in the case of switch log messages, how can I see the log source with the name of the switch, not its IP address?
Graylog overwrites the source if the hostname is not recognizable from the message.
Check the log format, e.g. with tcpdump.
You could use a lookup table with DNS or a static lookup file to overwrite the source from IP to hostname, depending on your environment.
I already looked, but it is the same issue: the source name of the switch log is its IP address, not its name. It is a Cisco switch.
@macko003 I did not understand well what you said. The log message does not contain the switch name. It is a Cisco switch…
You might get some help from this blog:
Okay, thanks @jan, I’ll look, but I work on a Cisco switch, not an ASA firewall… I can receive the logs of the switch; I want the source name to appear with the name of my switch, not its IP address.
You are able to look up the hostname via DNS? Use the DNS Lookup Table on the source field to make that happen.
You are not able to look up the hostname via DNS? Use a CSV File lookup on the source field.
You can configure your switches to send the messages with their hostname and not the IP? Do that if possible.
@jan effectively, I would like to know how to configure my Cisco switch to send the messages with their hostname and not the IP. I already looked in the Cisco community blog; I did not find a clear answer.
Please can someone help me? I would like to know how to configure my Cisco switch to send the log messages with their hostname and not the IP to the Graylog interface.
How about asking in some kind of Cisco community, or using your Cisco support contract to ask?
If you make sure the IP is broken out to a field you can work with, you can write a pipeline rule that uses a DNS adaptor/lookup table to convert it to hostname. It will take some thinking through and testing but all the pieces parts are in the previous replies…
Sorry @tmacgbay, your answer is not clear. I would like to get the log source with the name of the switch, not its IP address… Is the problem in configuring the switch? The name does not appear in the Graylog interface.
If you can change it at the switch source, great! Otherwise if you want to convert it in Graylog…
- NOTE: For this to work your Message Filter Chain has to be before your Pipeline Processor in “Configurations”
- Use an extractor on the input to separate out the IP http://docs.graylog.org/en/3.0/pages/extractors.html
- Use a pipeline to execute changing the IP to a name http://docs.graylog.org/en/3.0/pages/pipelines/pipelines.html
– in the pipeline rule you will use a DNS Lookup table http://docs.graylog.org/en/3.0/pages/lookuptables.html
Read through the Graylog documentation and google for examples on the web. If you still can’t get it to work consider buying Graylog support (or support for your switch) - they would be happy to help create what you are looking for.
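The pipeline step described in the post above, as an added example that is not part of the thread or of the Graylog documentation: a rule that rewrites `source` from IP to hostname through a lookup table. The table name `switch-names`, the field `source_ip` and the sample CSV rows are assumptions made for illustration; the rule also assumes Graylog has already set `source` to the sender's IP, as described earlier in the thread.

```graylog
// Added example. Assumes a lookup table named "switch-names" (hypothetical)
// exists under System > Lookup Tables, backed by either a DNS adapter doing
// reverse lookups or a CSV adapter whose file maps IP to hostname.
// Constructed sample CSV content (key column "ip", value column "hostname"):
//   "ip","hostname"
//   "192.0.2.10","sw-core-01"
//   "192.0.2.11","sw-access-02"
rule "switch source: IP to hostname"
when
  // Only act when source is a bare IPv4 address, so messages that already
  // carry a hostname are left untouched.
  has_field("source") &&
  regex("^\\d{1,3}(\\.\\d{1,3}){3}$", to_string($message.source)).matches == true
then
  let ip = to_string($message.source);

  // Keep the original sender address in its own field so it stays searchable
  // after the source is rewritten.
  set_field("source_ip", ip);

  // Third argument is the default returned on a lookup miss: devices that
  // are not in the table keep their IP as source instead of losing it.
  let name = lookup_value("switch-names", ip, ip);
  set_field("source", to_string(name));
end
```

Attach the rule to a pipeline connected to the stream that receives the switch messages. With a DNS adapter the result is only as trustworthy as the PTR records, so a CSV file is the safer choice where reverse DNS is not under your control.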
Hi @tmacgbay, I redid the installation of Graylog 2.5; the switch is well configured. How do I "receive" logs from the switch (receive, not send)? I configured the repository rsyslog.conf