Watchguard Syslog not showing messages in search

So, I tried setting up a Syslog UDP to get the Watchguard Logs - sent in Syslog format. No good - the Input showed messages coming in - but nothing showed in search.
I found the All In One Watchguard content pack and installed it. Nice dashboards, input shows messages coming in, it has extractors - but nothing shows up in search, nor in the dashboards.

My system: Graylog 4.0.1+6a0cc0b on Red Hat, Inc. 1.8.0_275 on Linux 4.18.0-240.1.1.el8_3.x86_64

Watchguard is on the same subnet, rules applied, and, according to the input, getting to the server.

Does syslog UDP just not work?

Any tips?

Well, it seems they just started showing up. Took maybe 30 minutes - I saw the entries from the Watchguard - and I searched again and they were gone. Not sure how/why they showed up for that brief moment - but that tells me that they are in there somewhere…

How to get them to show up consistently?!?

I think I can see them if I put the Source name ( “MyWatchguardName” ) as the search term.
I mean, I can - at least once.

… Looking further, the Firewall logs show in a burst - and then other logs push them down in the logs…
…and now they are showing up… … weird. I’ll leave this here instead of deleting -

Still welcome any tips and tricks other than “Be patient, it takes a while”

Probably a problem with timestamps. If there is a time and date in the message, compare it with the timestamp field saved by Graylog. If the timestamp is saved in the future, you will also see them in the future, not immediately.

Please post an example of a full message, and the timestamp.

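An added example, not code from the thread, of the check the reply above suggests: a BSD-style (RFC 3164) syslog header carries neither a year nor a timezone, so the parser has to assume both, and a wrong zone assumption shifts every message into the past or the future relative to the time Graylog received it. The sample line, the receive time and the zone names are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# RFC 3164 header: "<PRI>Mmm dd hh:mm:ss host ..." (no year, no zone)
_HDR = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
)

# Constructed sample: a firewall stamping local time 08:55 on 19 Jan,
# received by Graylog at 13:55 UTC the same day (the thread's 8:55 EST case).
SAMPLE_LINE = "<134>Jan 19 08:55:00 MyWatchguardName fw: Allow 10.0.0.5 -> 10.0.0.9 tcp/443"
RECEIVED_AT = datetime(2021, 1, 19, 13, 55, 0, tzinfo=timezone.utc)


def parse_rfc3164_timestamp(line, sender_tz, received_at):
    """Return the header timestamp as an aware UTC datetime, assuming the
    sender's clock is in sender_tz and the year is the receive year."""
    m = _HDR.match(line)
    if not m:
        raise ValueError("not an RFC 3164 header")
    naive = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    local = naive.replace(year=received_at.year, tzinfo=ZoneInfo(sender_tz))
    utc = local.astimezone(timezone.utc)
    # Year rollover: a late-December message received in early January
    # would otherwise land almost a year in the future.
    if utc - received_at > timedelta(days=1):
        utc = local.replace(year=received_at.year - 1).astimezone(timezone.utc)
    return utc


def timestamp_skew(line, sender_tz, received_at):
    """Seconds the message timestamp is ahead of the receive time (positive = future)."""
    return (parse_rfc3164_timestamp(line, sender_tz, received_at) - received_at).total_seconds()


def classify(line, sender_tz, received_at, tolerance=timedelta(minutes=5)):
    """'future' messages are the ones a 'last N minutes' search will not show yet."""
    skew = timestamp_skew(line, sender_tz, received_at)
    if skew > tolerance.total_seconds():
        return "future"
    if skew < -tolerance.total_seconds():
        return "past"
    return "ok"


if __name__ == "__main__":
    for tz in ("America/New_York", "America/Chicago", "UTC"):
        print(tz, timestamp_skew(SAMPLE_LINE, tz, RECEIVED_AT), classify(SAMPLE_LINE, tz, RECEIVED_AT))
```

Run against a real message, replace `RECEIVED_AT` with Graylog's stored `timestamp` field and the header with the raw message; a consistent non-zero skew equal to a whole number of hours points at the zone setting rather than at the input.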

Time is it! We are on CST, they are on EST and Graylog is set to UTC.

I’ve got to see how to get those syncing up - it’s 8:55 there, 7:55 here and logs are showing 13:55 UTC.

I updated the Graylog server to be (accurately) in EST and everything looks good!

Thank you!
