Syslog without timestamp

I have two types of switches sending logs to my Graylog version 6.0 server, they are DM2104 and DM4370.
I tested with tcpdump and I receive logs from both on the server, but Graylog cannot process the DM2104 logs.
When comparing the equipment logs, I identified that the DM2104 does not send the timestamp. Is there any way to get around this?

DM2104:
15:30:39.018909 IP (tos 0x0, ttl 58, id 0, offset 0, flags [DF], proto UDP (17), length 83)
10.183.255.30.syslog > 10.211.0.97.syslog: [udp sum ok] SYSLOG, length: 55
Facility local0 (16), Severity notice (5)
Msg: : <5> User **** authenticated by tacacs^J

DM4370:
15:34:04.559373 IP (tos 0x0, ttl 58, id 26613, offset 0, flags [DF], proto UDP (17), length 209)
10.183.255.21.49040 > 10.211.0.97.syslog: [udp sum ok] SYSLOG, length: 181
Facility local0 (16), Severity info (6)
Msg: Oct 21 15:34:04 RIOS-ANEL2-2023470641 : 1/1 : %AAA-REMOTE_AUTHENTICATION_SUCCESS : authenticator-app[6775] : User [****]: User authenticated by Tacacs server.^J

Error in /var/log/graylog-server/server.log:

ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=ad331910-8fe3-11ef-949c-bc2411f03e5a, messageQueueId=360977, codec=syslog, payloadSize=83, timestamp=2024-10-21T19:35:49.793Z, seqenceNr=108, remoteAddress=/10.183.255.30:514} on input <670427a812e6655b1e346bc1>.

Difficult one; it could be on the UDP level. Is it possible to switch to syslog over TCP?

Other options: Increase the Receive Buffer Size on the input.

Graylog is able to parse RFC 5424 and RFC 3164 compliant syslog messages.

Your messages don't look like RFC 5424 or RFC 3164 to me.

I would recommend delivering it via a Raw input and then normalizing it manually with rules and pipelines, or adjusting your log message to the syslog RFC.
Syslog Inputs
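Added example (not from the thread and not Graylog's own code): the normalization step the reply above recommends, written in Python so the logic can be checked before it is ported to a pipeline rule behind a Raw input. It splits the `<PRI>` into facility and severity, keeps the RFC 3164 timestamp and hostname when the message has them (the DM4370 shape), and, when the header is missing (the DM2104 shape), falls back to the receive time and the sender's IP instead of rejecting the message, which is what the DecodingProcessor error above does. The two datagrams are constructed from the tcpdump decodes on this page: tcpdump prints the PRI as a separate "Facility/Severity" line and shows only the text after it, so the wire bytes are assumed to begin with `<133>` (local0.notice) and `<134>` (local0.info). The receive time, the source IPs and the assumption that the switch clock is in the same zone as the receive time are likewise assumptions for the example.

```python
"""Lenient syslog normalizer for the two message shapes seen on this thread.

Added example, not Graylog code: this is the work a Raw input plus a
pipeline rule has to do before a PRI-only message can be indexed.
"""
import re
from datetime import datetime, timedelta, timezone

# Facility/severity names per RFC 3164 section 4.1.1 (facilities 0..23).
FACILITIES = (
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
    "ntp security console solaris-cron local0 local1 local2 local3 "
    "local4 local5 local6 local7"
).split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 header: TIMESTAMP "Mmm dd hh:mm:ss" (day space-padded) then HOSTNAME.
BSD_HEADER_RE = re.compile(
    r"^([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\S+) ?")


def parse_syslog(raw: bytes, source_ip: str, received_at: datetime) -> dict:
    """Return a normalized record for one UDP syslog datagram.

    Messages with a full RFC 3164 header keep their own timestamp and
    hostname; messages that carry only <PRI> get the receive time and the
    sender's address instead of being dropped.  Anything without a leading
    <PRI> is rejected, so garbage on the port still fails loudly.
    """
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    m = PRI_RE.match(text)
    if not m:
        raise ValueError("no <PRI> at start of message")
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    rest = text[m.end():]
    record = {
        "facility": pri >> 3,
        "facility_name": FACILITIES[pri >> 3],
        "severity": pri & 7,
        "severity_name": SEVERITIES[pri & 7],
        "source_ip": source_ip,
    }
    hdr = BSD_HEADER_RE.match(rest)
    if hdr:
        mon, day, hh, mm, ss, host = hdr.groups()
        # RFC 3164 timestamps carry neither year nor zone: borrow both from
        # the receive time (assumes the switch clock is in the same zone).
        ts = datetime(received_at.year, MONTHS[mon], int(day),
                      int(hh), int(mm), int(ss), tzinfo=received_at.tzinfo)
        if ts - received_at > timedelta(days=2):   # Dec 31 message seen on Jan 1
            ts = ts.replace(year=received_at.year - 1)
        record.update(timestamp=ts, timestamp_source="message",
                      host=host, message=rest[hdr.end():])
    else:
        # No header at all (DM2104 shape): fall back to receive time and sender
        # address, and drop the ": " the device emits between PRI and text.
        record.update(timestamp=received_at, timestamp_source="receive_time",
                      host=source_ip, message=rest.lstrip(": "))
    return record


# Constructed datagrams, reconstructed from the tcpdump decodes in the thread
# (tcpdump shows the PRI as a decoded Facility/Severity line, so the wire
# bytes are assumed to start with <133> and <134>).  The username stays masked.
DM2104 = b"<133>: <5> User **** authenticated by tacacs\n"
DM4370 = (b"<134>Oct 21 15:34:04 RIOS-ANEL2-2023470641 : 1/1 : "
          b"%AAA-REMOTE_AUTHENTICATION_SUCCESS : authenticator-app[6775] : "
          b"User [****]: User authenticated by Tacacs server.\n")
# Assumed receive time (taken from the server.log line in the thread).
RECEIVED_AT = datetime(2024, 10, 21, 19, 35, 49, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, datagram, ip in (("DM2104", DM2104, "10.183.255.30"),
                               ("DM4370", DM4370, "10.183.255.21")):
        print(name, parse_syslog(datagram, ip, RECEIVED_AT))
```

The `timestamp_source` field is worth keeping in the indexed record: a search for `timestamp_source:receive_time` immediately shows which devices are sending header-less messages, and the receive-time fallback means a clock-less device can no longer make its authentication events disappear from the index.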
