I just set up Graylog 4.0 on FreeBSD. To test it I configured a couple of FreeBSD servers to send syslog messages to it. The messages are stored, but they’re not parsed correctly.
For example, the source field is haproxy[123] (Application name and pid).
If I configure syslogd to use RFC 5424 it’s parsed correctly, but we have different monitoring systems parsing the logs so changing the format is not easy.
I’m guessing something is causing graylog to parse the message as RFC 5424 even though it’s in RFC 3164 format. An example of a log line is:
I’ve tried your input using nc and it works as expected; source was parsed correctly. To Syslog UDP input: echo -n '<13>May 19 21:45:12 stg myapp[88834]: Hello, World 21:45' | nc -u 172.28.128.15 1515
Or Syslog TCP: echo '<13>May 19 21:45:12 stg myapp[88834]: Hello, World 21:45' | nc 172.28.128.15 1516
Please post which type of input you use: Syslog TCP or Syslog UDP input? Did you create any extractors or pipeline rules that would modify parsing?
Try enabling "Store full message?" in the input to show the full message in the field full_message.
FreeBSD developers have decided that syslogd RFC 3164 compliance has been broken for so long that they’re afraid to change it now. The workaround is enabling RFC 5424.
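An added example, not from the thread and not Graylog's code: a Python sketch of how a strict RFC 3164 reading ends up with `haproxy[123]` as the source when the sender leaves out HOSTNAME, next to a tolerant parse that falls back to the peer address. The missing-hostname line is constructed and is an assumption about what was sent (the thread's own log line is not shown); the function names and the peer address are hypothetical.

```python
import re

# <PRI>Mmm dd hh:mm:ss followed by the rest of the line.
HEADER = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (.*)$", re.S)
# TAG[pid]: as it appears at the start of the MSG part (pid is optional).
TAG = re.compile(r"^([^\s\[\]:]+)(?:\[(\d+)\])?:$")

# First line is the one tested with nc in the thread; second is constructed
# and assumes the sender omitted HOSTNAME.
WITH_HOST = "<13>May 19 21:45:12 stg myapp[88834]: Hello, World 21:45"
NO_HOST = "<13>May 19 21:45:12 haproxy[123]: Hello, World 21:45"


def parse_strict(line):
    """Strict RFC 3164 reading: the token after the timestamp is HOSTNAME."""
    m = HEADER.match(line)
    if not m:
        return None
    host, _, rest = m.group(3).partition(" ")
    return {"source": host.rstrip(":"), "message": rest}


def parse_tolerant(line, peer_addr):
    """Treat a TAG[pid]: token right after the timestamp as a missing HOSTNAME
    and fall back to the address the datagram came from."""
    m = HEADER.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    first, _, rest = m.group(3).partition(" ")
    tag = TAG.match(first)
    if tag:
        host, body = peer_addr, rest
    else:
        host = first
        second, _, after = rest.partition(" ")
        tag = TAG.match(second)
        body = after if tag else rest
    return {
        "facility": pri >> 3, "severity": pri & 7, "timestamp": m.group(2),
        "source": host, "message": body,
        "application": tag.group(1) if tag else None,
        "pid": int(tag.group(2)) if tag and tag.group(2) else None,
    }


if __name__ == "__main__":
    print(parse_strict(NO_HOST))
    print(parse_tolerant(NO_HOST, "192.0.2.10"))
```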