Hi! I'm adding this to a bug report so we can improve the parsing of the messages. See https://github.com/Graylog2/graylog2-server/issues/549
I suspect that the way we use the syslog library changed in a subtle way. For now the only viable way is to use extractors, I'm afraid. Thank you for your report!

On Thu, May 1, 2014 at 9:03 AM, Rogier Gerritse <[email protected]> wrote:

> First post here so: hi all! I have a running 0.11.0 server and web interface that I wanted to migrate to the new and awesome 0.20. The install went perfectly fine and the system was up and running in no time. The problem I'm having is that the field extraction seems broken. Devices that worked automagically in 0.11 no longer work correctly anymore. I have tried both syslog-udp and raw-udp, but in both cases the only field that is extracted is source. 2 messages that do not work:
>
>> <14>1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY [[email protected] source-address="1.2.3.4" source-port="56639" destination-address="5.6.7.8" destination-port="2003" service-name="None" protocol-id="6" icmp-type="0" policy-name="log-all-else" source-zone-name="campus" destination-zone-name="mngmt" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth6.0" encrypted="No "]
>
>> <14>1 2014-05-01T08:28:10.933Z fw01 RT_FLOW - RT_FLOW_SESSION_CLOSE [[email protected] reason="unset" source-address="1.2.3.4" source-port="63456" destination-address="5.6.7.8" destination-port="902" service-name="None" nat-source-address="1.2.3.4" nat-source-port="63456" nat-destination-address="5.6.7.8" nat-destination-port="902" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="17" policy-name="mngmt-to-vcenter" source-zone-name="mngmt" destination-zone-name="intra" session-id-32="15353" packets-from-client="1" bytes-from-client="94" packets-from-server="0" bytes-from-server="0" elapsed-time="60" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth3.5" encrypted="No "]
>
> Source is a Juniper SRX 240, and as said it worked fine in 0.11. Any idea why this is no longer working and what I can do (except manually setting up extractors)?
>
> --
> You received this message because you are subscribed to the Google Groups "graylog2" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
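The field extraction this thread is about, as an added Python example that is not part of the thread or of Graylog: a small RFC 5424 parser that splits the header and every SD-PARAM of the structured-data block into named fields, which is what an extractor has to do by hand when the built-in parser only yields `source`. The sample message is constructed in the shape of the first SRX event above, with the SD-ID replaced by the RFC 5612 documentation enterprise number as a placeholder; note that the trailing blank in `encrypted="No "` is part of the value and must survive parsing.

```python
import re

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<timestamp>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$', re.DOTALL)
SD_ID_RE = re.compile(r'\[(?P<sd_id>[^ \]]+)')
# SD-PARAM: name="value". The value may contain \" \] \\ escapes, and any
# trailing blank (as in encrypted="No ") is part of the value, not a separator.
PARAM_RE = re.compile(r'\s+(?P<name>[^= \]]+)="(?P<value>(?:[^"\\]|\\.)*)"')

# Constructed sample in the shape of the SRX RT_FLOW_SESSION_DENY event above;
# the SD-ID uses the RFC 5612 documentation enterprise number as a placeholder.
SAMPLE = ('<14>1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY '
          '[example@32473 source-address="1.2.3.4" source-port="56639" '
          'destination-address="5.6.7.8" destination-port="2003" '
          'protocol-id="6" policy-name="log-all-else" encrypted="No "]')

def unescape(value):
    return value.replace('\\"', '"').replace('\\]', ']').replace('\\\\', '\\')

def parse_syslog(line):
    """Return header fields plus one 'sd_id.name' key per SD-PARAM."""
    m = HEADER_RE.match(line.rstrip('\r\n'))
    if not m:
        raise ValueError('not an RFC 5424 message')
    fields = {k: v for k, v in m.groupdict().items() if k != 'rest'}
    fields['pri'] = int(fields['pri'])
    fields['facility'], fields['severity'] = divmod(fields['pri'], 8)
    rest = m.group('rest')
    if rest.startswith('-'):             # NILVALUE: no structured data
        rest = rest[1:]
    pos = 0
    while pos < len(rest) and rest[pos] == '[':
        sd = SD_ID_RE.match(rest, pos)
        sd_id = sd.group('sd_id')
        pos = sd.end()
        while (p := PARAM_RE.match(rest, pos)):
            fields[f"{sd_id}.{p.group('name')}"] = unescape(p.group('value'))
            pos = p.end()
        if pos >= len(rest) or rest[pos] != ']':
            raise ValueError(f'unterminated SD-ELEMENT {sd_id!r} at offset {pos}')
        pos += 1
    if pos < len(rest):
        fields['message'] = rest[pos:].lstrip()
    return fields
```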
