First post here so: hi all! I have a running 0.11.0 server and web interface that I wanted to migrate to the new and awesome 0.20. The install went perfectly fine and the system was up and running in no time. The problem I'm having is that the field extraction seems broken. Devices that worked automagically in 0.11 no longer work correctly anymore. I have tried both syslog-udp and raw-udp, but in both cases the only field that is extracted is source. 2 messages that do not work:

<14>1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY [[email protected] source-address="1.2.3.4" source-port="56639" destination-address="5.6.7.8" destination-port="2003" service-name="None" protocol-id="6" icmp-type="0" policy-name="log-all-else" source-zone-name="campus" destination-zone-name="mngmt" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth6.0" encrypted="No "]

<14>1 2014-05-01T08:28:10.933Z fw01 RT_FLOW - RT_FLOW_SESSION_CLOSE [[email protected] reason="unset" source-address="1.2.3.4" source-port="63456" destination-address="5.6.7.8" destination-port="902" service-name="None" nat-source-address="1.2.3.4" nat-source-port="63456" nat-destination-address="5.6.7.8" nat-destination-port="902" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="17" policy-name="mngmt-to-vcenter" source-zone-name="mngmt" destination-zone-name="intra" session-id-32="15353" packets-from-client="1" bytes-from-client="94" packets-from-server="0" bytes-from-server="0" elapsed-time="60" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth3.5" encrypted="No "]

Source is a Juniper SRX 240, and as said it worked fine in 0.11. Any idea why this is no longer working and what I can do (except manually setting up extractors)?
