Hey, everybody!
I faced a problem with parsing logs from Zyxel USG FLEX. Logs arrive on 5555, as you can see from TCPdump capture, but after that they disappear and are not written to graylog. From searches I realized that logs from USG FLEX has a non-standard form because of the prefix and may not be processed by input. The view is as follows:
E..D.Y@.@… …0..<149>May 5 19:23:11 2025 Posmail-1 src=“172.16.122.41:50327” dst="54.89.66. 62:22322“ msg=”Match default rule, DROP“ note=”ACCESS BLOCK“ user=”unknown“ devID=”fc22f4e9b053“ cat=”Security Policy Control“ class=”Access Control“ ob=”0“ ob_mac=”000000000000“ dir=”ANY:ANY“ protoID=6 proto=”others”
I tried different inputs, namely SYSLOG UDP, Raw/Plaintext UDP. SYSLOG may not be recorded because of the prefix, but I don’t understand why Raw/Plaintext UDP input doesn’t work. I tried to make stream with pipe to remove the prefix, in simulation it removes everything normally, but since logs are not written even in input, I understand that there is no processing. There are no problems with other logs and everything works fine. Could you please tell me how to solve this? Thank you in advance
Ubuntu 22.04, graylog 6.1. There are no errors in the server logs.
