Syslog messages from FreeBSD not parsed correctly

I just setup Graylog 4.0 on FreeBSD. To test it I configured a couple of FreeBSD servers to send syslog messages to it. The messages are stored, but they’re not parsed corretly.
For example, the source field is haproxy[123] (Application name and pid).

If I configure syslogd to use RFC 5424 it’s parsed correctly, but we have different monitoring systems parsing the logs so changing the format is not easy.

I’m guessing something is causing graylog to parse the message as RFC 5424 even though it’s in RFC 3164 format. An example of a log line is:

May 19 21:45:12 stg myapp[88834]: Hello, World

In graylog it looks like:

What is the simplest way of getting graylog to correctly parse this message, without too drastic changes to the log format on the sending host?

Hi @einsibjani

I’ve tried your input using nc and works as expected, source was parsed correctly to Syslog UDP input:
echo -n '<13>May 19 21:45:12 stg myapp[88834]: Hello, World 21:45' | nc -u 1515
Or Syslog TCP:
echo '<13>May 19 21:45:12 stg myapp[88834]: Hello, World 21:45' | nc 1516

Please post which type of input do you use? Syslog TCP or Syslog UDP input? Do you create some extractors or pipeline rules, which should modify parsing?

Try enable Store full message? in input to show full message in field full_message

Thanks for your help, but we’ve decided to bite the bullet and configure syslogd to use RFC 5424.

If you’re interested, an example of a full_message is:

<13>May 20 11:27:55 myapp[97386]: Hello, World

So syslogd isn’t sending the hostname…

Just in case someone stumbles upon this post looking for a solution, the problem is known with FreeBSD syslogd

FreeBSD developers have decided that syslogd RFC 3164 compliance has been broken for so long, that they’re afraid to change it now. The workaround is enabling RFC 5424.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.