Hi,

I have had some problems with logging from the Cisco Catalyst 15.x series to graylog2.
I'd like to share my solution with you.

Here is Catalyst config:

Non-VRF switch:

! Turn off the message counter on syslog output.
! NOTE(review): presumably so that messages arrive without a leading sequence
! number and match the extractor regexes given in this post - confirm.
no logging message-counter syslog

! Forward messages of severity "informational" and more severe to the syslog host.
logging trap informational

! Put the switch hostname into each message as its origin identifier.
logging origin-id hostname

! Send forwarded messages with the "syslog" facility.
logging facility syslog

! Ship logs to the Graylog input over UDP port 1514. UDP syslog is neither
! encrypted nor authenticated, and lost datagrams are not reported, so keep this
! traffic on a management network and restrict the input to known switch addresses.
logging host <ip-address> transport udp port 1514


VRF-aware switch:

! Forward messages of severity "notifications" and more severe to the syslog host.
! NOTE(review): the non-VRF example uses "informational", and also has
! "no logging message-counter syslog", which is absent here - confirm whether
! both differences are intended.
logging trap notifications

! Put the switch hostname into each message as its origin identifier.
logging origin-id hostname

! Send forwarded messages with the "syslog" facility.
logging facility syslog

! Source syslog packets from the given interface inside the given VRF.
logging source-interface <interface> vrf <vrf-name>

! Ship logs to the Graylog input over UDP port 1514 through the VRF.
! NOTE(review): "ateaone" looks like the author's own VRF name left in place of
! the <vrf-name> placeholder - substitute the VRF used on the source-interface line.
! UDP syslog is neither encrypted nor authenticated, so restrict the input to
! known switch addresses.
logging host <ip-address> vrf ateaone transport udp port 1514


Now you need to create a Raw/Plaintext UDP input, e.g. on port 1514, and
import a new extractor. The extractor is much the same as the one found on the
graylog2 web site, but I have taken out some of the regexes.


{

  "extractors": [

    {

      "condition_type": "none",

      "condition_value": "",

      "converters": [],

      "cursor_strategy": "copy",

      "extractor_config": {

        "regex_value": ">: (.+?):"

      },

      "extractor_type": "regex",

      "order": 2,

      "source_field": "message",

      "target_field": "source",

      "title": "Source"

    },

    {

      "condition_type": "none",

      "condition_value": "",

      "converters": [

        {

          "config": {},

          "type": "syslog_pri_facility"

        }

      ],

      "cursor_strategy": "copy",

      "extractor_config": {

        "regex_value": "^<(\\d.+)>"

      },

      "extractor_type": "regex",

      "order": 0,

      "source_field": "message",

      "target_field": "facility",

      "title": "Facility"

    },

    {

      "condition_type": "none",

      "condition_value": "",

      "converters": [

        {

          "config": {},

          "type": "syslog_pri_level"

        }

      ],

      "cursor_strategy": "copy",

      "extractor_config": {

        "regex_value": "^<(\\d.+)>"

      },

      "extractor_type": "regex",

      "order": 1,

      "source_field": "message",

      "target_field": "level",

      "title": "Level"

    },

    {

      "condition_type": "none",

      "condition_value": "",

      "converters": [

        {

          "config": {},

          "type": "lowercase"

        }

      ],

      "cursor_strategy": "copy",

      "extractor_config": {

        "regex_value": "%.+-\\d+-.+: (.*)$"

      },

      "extractor_type": "regex",

      "order": 6,

      "source_field": "message",

      "target_field": "message",

      "title": "Message"

    },

    {

      "condition_type": "none",

      "condition_value": "",

      "converters": [

        {

          "config": {},

          "type": "lowercase"

        }

      ],

      "cursor_strategy": "copy",

      "extractor_config": {

        "regex_value": "%.+-\\d-(.+?):"

      },

      "extractor_type": "regex",

      "order": 5,

      "source_field": "message",

      "target_field": "mnemonic",

      "title": "Mnemonic"

    },

    {

      "condition_type": "none",

      "condition_value": "",

      "converters": [

        {

          "config": {},

          "type": "lowercase"

        }

      ],

      "cursor_strategy": "copy",

      "extractor_config": {

        "regex_value": "%(.+?)-"

      },

      "extractor_type": "regex",

      "order": 3,

      "source_field": "message",

      "target_field": "local_facility",

      "title": "Local facility"

    },

    {

      "condition_type": "none",

      "condition_value": "",

      "converters": [

        {

          "config": {},

          "type": "numeric"

        }

      ],

      "cursor_strategy": "copy",

      "extractor_config": {

        "regex_value": "%.+-(\\d?)-"

      },

      "extractor_type": "regex",

      "order": 4,

      "source_field": "message",

      "target_field": "local_level",

      "title": "Local level"

    }

  ],

  "version": "0.91.3"

}


Br,

Ville Leinonen

http://www.hacknetwork.org/


