Same goes for our SRX firewall. Message fields are not parsed and source shows up as the IP address of the device.
<14>1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY [[email protected] source-address="1.2.3.4" source-port="56639" destination-address="5.6.7.8" destination-port="2003" service-name="None" protocol-id="6" icmp-type="0" policy-name="log-all-else" source-zone-name="campus" destination-zone-name="mngmt" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth6.0" encrypted="No "]

<14>1 2014-05-01T08:28:10.933Z fw01 RT_FLOW - RT_FLOW_SESSION_CLOSE [[email protected] reason="unset" source-address="1.2.3.4" source-port="63456" destination-address="5.6.7.8" destination-port="902" service-name="None" nat-source-address="1.2.3.4" nat-source-port="63456" nat-destination-address="5.6.7.8" nat-destination-port="902" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="17" policy-name="mngmt-to-vcenter" source-zone-name="mngmt" destination-zone-name="intra" session-id-32="15353" packets-from-client="1" bytes-from-client="94" packets-from-server="0" bytes-from-server="0" elapsed-time="60" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth3.5" encrypted="No "]

On Wednesday, April 30, 2014 1:37:17 AM UTC+2, Wiley Sanders wrote:
> Is V0.20.1 misparsing Netapp syslog messages? Not really. But the messages we get from our Netapps look like this:
>
> <7>Apr 29 15:54:49 [ourfiler: raid.aggr.log.CP.count:debug]: Aggregate 'aggr0' (uuid = 0x133d8f92-11dc00aa-a000aaa8-f2ea1698, home_owner_id = 1574357317, home_name = ourfiler): has completed 8894246 CP(s)
>
> Our v0.20.1 is not getting the source right, it is parsing the source as "[ourfiler:" (minus the quotes). It looks approximately like this on-screen:
>
> 2014-04-29 16:00:02.000  [ourfiler:
> [ourfiler: raid.root.unmirrored:error]: Root volume is not mirrored. A takeover of this filer may not be possible in case of a disaster.
> Error  [3]  kernel
>
> So, it's not getting the "structured data" right, although the stuff in []'s doesn't appear to be formatted correctly anyway, as per RFC 5424. (It's actually interpreting the text in []'s as an RFC 3164-compliant hostname.) I'd much rather have it behave like our ancient 0.9.6p1-RC2 graylog2 that parses it somehow, and extracts the hostname as the source (although perhaps not the FQDN of the host it would get from DNS ....):
>
> In which terms was this message broken to?
> From: ourfiler
> Date: 2014-04-29 15:22:42 -0700
> Severity: Debug
> Facility: kernel
> Full message:
> <7>Apr 29 15:22:42 [ourfiler: raid.aggr.log.CP.count:debug]: Aggregate 'aggr2' (uuid = 0xafd0fcf0-11e097ae-a000ee95-1c961698, home_owner_id = 1573991171, home_name = ourfiler): has completed 15992585 CP(s).
>
> Alternatively, I would not mind an option for it to ignore the structured data (or whatever junk it finds in the RFC 3164 hostname field) and just use DNS to get the hostname for the source and, failing that, just use the IP address.
>
> Another example is a packet with the unix "logger" command:
>
> logger -d -n mygraylog2 THIS BE A TEST
>
> The raw packet received looks like this:
>
> <5>Apr 29 16:14:17 wsanders: THIS BE A TEST
>
> v0.20.1 parses the source as "wsanders:", as per the RFC, but any information about the originating host or IP address is lost.
>
> One workaround would be to log raw UDP packets. It would not extract the facility and priority, but you could concoct regular expressions for that.
>
> It would be better to have an option to override non-compliant data in the hostname field and use DNS - there are a LOT of non-5424-compliant "devices" out there over which users have no control of the syslog format (like Netapps, I guess.)
>
> If such an option exists and I have overlooked it, let me know!
>
> Is by chance the originating IP address part of the data stored in elasticsearch? Or is what I see in the web UI all that is available?
>
> Thanks in advance -wsanders
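A small parser, added here as an example and not code from Graylog or from anyone in this thread, that handles both message shapes the thread shows: it pulls the name="value" pairs out of RFC 5424 structured data (as in the SRX lines) and, for RFC 3164 lines whose hostname slot holds a non-hostname such as "[ourfiler:" or "wsanders:", keeps that token in a field and falls back to the UDP sender address. The sender address is assumed to be passed in by the caller, and the SD-ID, sender IP and trimmed sample lines are constructed placeholders.

```python
import re
# Added example, not Graylog code. The caller passes the UDP sender address, since
# the syslog text itself may not name the originating host (as the thread shows).
SEVERITY = "emerg alert crit err warning notice info debug".split()
FACILITY = ("kernel user mail daemon auth syslog lpr news uucp cron authpriv ftp "
            "ntp audit alert clock local0 local1 local2 local3 local4 local5 local6 local7").split()
RFC5424 = re.compile(r'^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ?'
                     r'(?:\[(\S+) ([^\]]*)\])?\s*(.*)$', re.S)
RFC3164 = re.compile(r'^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$', re.S)
HOSTNAME = re.compile(r'^[A-Za-z0-9][A-Za-z0-9.\-]*$')  # plain hostname, FQDN or IPv4 only
SD_PARAM = re.compile(r'([^\s=]+)="([^"]*)"')          # name="value" pairs inside [...]

def decode_pri(pri):
    n = int(pri)
    fac = FACILITY[n // 8] if n // 8 < len(FACILITY) else f"facility{n // 8}"
    return fac, SEVERITY[n % 8]

def parse_syslog(raw, sender_ip):
    """Parse one RFC 5424 or RFC 3164 line; use sender_ip as source when the hostname
    slot holds something that is not a hostname (e.g. "[ourfiler:" or "wsanders:")."""
    m = RFC5424.match(raw)
    if m:
        pri, ts, host, app, procid, msgid, sd_id, sd_body, msg = m.groups()
        if msg == "-" or msg.startswith("- "):   # "-" means nil structured data
            msg = msg[2:]
        fields = dict(SD_PARAM.findall(sd_body)) if sd_body else {}
        source = host if HOSTNAME.match(host) else sender_ip   # nil "-" fails the check
        facility, severity = decode_pri(pri)
        return {"source": source, "facility": facility, "severity": severity, "timestamp": ts,
                "app": app, "msgid": msgid, "message": msg.strip(), "fields": fields}
    m = RFC3164.match(raw)
    if m:
        pri, ts, host, msg = m.groups()
        facility, severity = decode_pri(pri)
        fields = {}
        if not HOSTNAME.match(host):            # a TAG or junk sits in the hostname slot
            fields["hostname_field"] = host     # keep it, so nothing is lost
            host, msg = sender_ip, host + " " + msg
        return {"source": host, "facility": facility, "severity": severity, "timestamp": ts,
                "app": None, "msgid": None, "message": msg.strip(), "fields": fields}
    return {"source": sender_ip, "facility": None, "severity": None, "timestamp": None,
            "app": None, "msgid": None, "message": raw, "fields": {}}

# Constructed samples modelled on the thread (placeholder SD-ID, parameters trimmed).
SAMPLES = [
    '<14>1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY [sdid@placeholder '
    'source-address="1.2.3.4" destination-port="2003" policy-name="log-all-else" encrypted="No "]',
    "<7>Apr 29 15:54:49 [ourfiler: raid.aggr.log.CP.count:debug]: Aggregate 'aggr0' has completed 8894246 CP(s)",
    "<5>Apr 29 16:14:17 wsanders: THIS BE A TEST",
]
```

Calling `parse_syslog(line, "10.0.0.5")` over `SAMPLES` yields source fw01 with the SRX fields split out, and the sender address as source for the Netapp and logger lines, with the original hostname token preserved in `fields["hostname_field"]`.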
