I am wondering about the field “application_name”, which I have neither configured nor created. In some cases it is filled with input that I do not understand. To me it seems as if it is generated/filled by something like a Graylog integrated feature. Is there a way to disable the processing for this field? Where can it be configured/adjusted, or where do I find some more information about it?
It’s very obvious. If you use a Syslog Input (TCP/UDP), Graylog follows the syslog standard and extracts the field application_name from the syslog message sent by the device.
There are 2 standards for the Syslog protocol: the older RFC3164 and the newer RFC5424.
Check some article about syslog:
If you don’t want to parse syslog messages at all, create a Raw Input, which will store the exact message as received. If you want to use another field as application_name (as some devices like Cisco don’t follow the syslog standard), create an extractor or use a pipeline rule to fix it.
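Where the field comes from, as an added example (not part of the original posts and not Graylog's own parser): a simplified Python parser showing that application_name corresponds to APP-NAME in the RFC5424 header and to the TAG before the colon in RFC3164, and that a line matching neither header yields no such field. The regexes, the function name `parse_syslog` and the sample lines are constructed for illustration.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>[1-9]\d?) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) ?(?P<rest>.*)$", re.S)

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^\s:\[]{1,32})(?:\[(?P<procid>\d+)\])?: ?"
    r"(?P<rest>.*)$", re.S)

# Constructed sample lines (not taken from any real device).
SAMPLES = [
    "<34>1 2023-10-11T22:14:15.003Z fw01.example.com sshd 2211 ID47 - "
    "Failed password for invalid user admin",
    "<86>Oct 11 22:14:15 web01 sudo[4321]: pam_unix(sudo:session): "
    "session opened",
    # RFC 5424 NILVALUE "-" in the APP-NAME position
    "<13>1 2023-10-11T22:14:15Z host1 - - - - hello",
    # Cisco-IOS-style line: sequence number and %FACILITY tag, no standard header
    "<189>45: *Mar  1 00:03:12.123: %LINK-3-UPDOWN: Interface Gi0/1, "
    "changed state to up",
]


def parse_syslog(line):
    """Return header fields; application_name is absent when none is found."""
    for fmt, rx in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        m = rx.match(line)
        if not m:
            continue
        pri = int(m["pri"])
        fields = {"format": fmt, "source": m["host"],
                  "facility": pri >> 3, "level": pri & 7,
                  # for RFC 5424 this remainder still includes structured data
                  "message": m["rest"]}
        if m["app"] != "-":  # "-" means the sender declared no APP-NAME
            fields["application_name"] = m["app"]
        return fields
    # Neither header matched: keep the line untouched, as a raw input would.
    return {"format": "unparsed", "message": line}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_syslog(sample))
```
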