Is v0.20.1 misparsing NetApp syslog messages? Not really. But the messages we get from our NetApps look like this:
    <7>Apr 29 15:54:49 [ourfiler: raid.aggr.log.CP.count:debug]: Aggregate 'aggr0' (uuid = 0x133d8f92-11dc00aa-a000aaa8-f2ea1698, home_owner_id = 1574357317, home_name = ourfiler): has completed 8894246 CP(s)

Our v0.20.1 is not getting the source right; it is parsing the source as "[ourfiler:" (minus the quotes). It looks approximately like this on-screen:

    2014-04-29 16:00:02.000 [ourfiler: [ourfiler: raid.root.unmirrored:error]: Root volume is not mirrored. A takeover of this filer may not be possible in case of a disaster. Error [3] kernel

So, it's not getting the "structured data" right, although the stuff in []'s doesn't appear to be formatted correctly anyway, as per RFC 5424. (It's actually interpreting the text in []'s as an RFC 3164-compliant hostname.) I'd much rather have it behave like our ancient 0.9.6p1-RC2 graylog2 that parses it somehow, and extracts the hostname as the source (although perhaps not the FQDN of the host it would get from DNS ....):

In which terms was this message broken to?

    From: ourfiler
    Date: 2014-04-29 15:22:42 -0700
    Severity: Debug
    Facility: kernel
    Full message: <7>Apr 29 15:22:42 [ourfiler: raid.aggr.log.CP.count:debug]: Aggregate 'aggr2' (uuid = 0xafd0fcf0-11e097ae-a000ee95-1c961698, home_owner_id = 1573991171, home_name = ourfiler): has completed 15992585 CP(s).

Alternatively, I would not mind an option for it to ignore the structured data (or whatever junk it finds in the RFC 3164 hostname field) and just use DNS to get the hostname for the source and, failing that, just use the IP address.

Another example is a packet with the unix "logger" command:

    logger -d -n mygraylog2 THIS BE A TEST

The raw packet received looks like this:

    <5>Apr 29 16:14:17 wsanders: THIS BE A TEST

v0.20.1 parses the source as "wsanders:", as per the RFC, but any information about the originating host or IP address is lost. One workaround would be to log raw UDP packets.
It would not extract the facility and priority, but you could concoct regular expressions for that. It would be better to have an option to override non-compliant data in the hostname field and use DNS; there are a LOT of non-5424-compliant "devices" out there whose syslog format users have no control over (like NetApps, I guess). If such an option exists and I have overlooked it, let me know! Is, by chance, the originating IP address part of the data stored in Elasticsearch? Or is what I see in the web UI all that is available? Thanks in advance -wsanders
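The hostname-field problem described in this post, as an added example that is not part of the original message and not Graylog's own code: a small, tolerant RFC 3164 header parser in Python. It validates the token in the hostname position, recognises the bracketed "[host: component:level]:" prefix shape seen in the two NetApp messages quoted above (that regex is an assumption based on those samples only), falls back to the sender's address when the token is really a TAG such as "wsanders:" (the logger example, where the hostname was simply omitted), and always keeps the sender IP, because the hostname in a syslog header is self-reported and unauthenticated. The sample messages are the ones quoted in the post plus the example message from RFC 3164 section 5.4; the sender addresses are constructed.

```python
"""Tolerant BSD-syslog (RFC 3164) header parser with hostname sanity checks.

Added example; not Graylog code. The NetApp prefix regex is inferred from the
two messages quoted in the post and is an assumption about that format.
"""
import re
from dataclasses import dataclass

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]

# <PRI>Mmm dd hh:mm:ss <remainder>
HEADER_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (.*)$", re.DOTALL)
# A plausible hostname or IPv4 address: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$")
# Assumed NetApp shape: "[host: component:level]: message"
NETAPP_RE = re.compile(r"^\[([A-Za-z0-9.-]+): ([^\]:]+):([a-z]+)\]: ?(.*)$", re.DOTALL)


@dataclass
class SyslogEvent:
    facility: str
    severity: str
    timestamp: str
    source: str        # what a UI would show as the event source
    source_from: str   # "header", "bracketed-header" or "sender-ip"
    sender_ip: str     # always retained: the header hostname is self-reported
    tag: str
    message: str


def parse_bsd_syslog(raw: str, sender_ip: str) -> SyslogEvent:
    m = HEADER_RE.match(raw)
    if not m:
        raise ValueError(f"not a BSD-syslog header: {raw[:40]!r}")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = FACILITIES[pri // 8], SEVERITIES[pri % 8]
    timestamp, remainder = m.group(2), m.group(3)

    # Case 1: the NetApp-style bracketed prefix; the host is inside the brackets.
    n = NETAPP_RE.match(remainder)
    if n:
        host, component, level, message = n.groups()
        return SyslogEvent(facility, severity, timestamp, host, "bracketed-header",
                           sender_ip, f"{component}:{level}", message)

    # Case 2: RFC 3164 layout, HOSTNAME then TAG (ending in ':' or '[pid]:') then content.
    token, _, rest = remainder.partition(" ")
    if HOSTNAME_RE.match(token):
        tag, _, content = rest.partition(" ")
        return SyslogEvent(facility, severity, timestamp, token, "header",
                           sender_ip, tag.rstrip(":"), content)

    # Case 3: the token is not a hostname. A trailing ':' means it is the TAG and the
    # hostname was omitted (the logger example), so attribute the event to the sender.
    tag = token.rstrip(":") if token.endswith(":") else ""
    return SyslogEvent(facility, severity, timestamp, sender_ip, "sender-ip",
                       sender_ip, tag, rest if tag else remainder)


# Sample input: the two messages quoted in the post and the RFC 3164 example.
NETAPP_SAMPLE = ("<7>Apr 29 15:54:49 [ourfiler: raid.aggr.log.CP.count:debug]: Aggregate 'aggr0' "
                 "(uuid = 0x133d8f92-11dc00aa-a000aaa8-f2ea1698, home_owner_id = 1574357317, "
                 "home_name = ourfiler): has completed 8894246 CP(s)")
LOGGER_SAMPLE = "<5>Apr 29 16:14:17 wsanders: THIS BE A TEST"
RFC3164_SAMPLE = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"

if __name__ == "__main__":
    # Sender addresses are constructed documentation-range values.
    for raw, ip in ((NETAPP_SAMPLE, "192.0.2.10"), (LOGGER_SAMPLE, "192.0.2.20"),
                    (RFC3164_SAMPLE, "192.0.2.30")):
        print(parse_bsd_syslog(raw, ip))
```

The point for a defender is the `sender_ip` field: whatever the header claims, the address the datagram came from is what you correlate against when a device lies or, as here, simply fails to follow the RFC. Reverse lookup of that address (for example with `socket.gethostbyaddr`) can be layered on top, but only as a display name, never as a replacement for the stored address.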
