Hello,
I'm testing Graylog v1.0-rc.3 and having trouble with it.
I have multiple servers, but right now I'm just testing syslog from single
pfSense router.
It looks like this:
pfSense syslog -> SYSLOG VM
In the SYSLOG VM there are:
rsyslog ----@localhost:5144 ----> graylog2-server
So on this single machine I have:
- rsyslog
- elasticsearch
- graylog2-server
- graylog2-web
In rsyslog.conf I have:
$template RemoteHost,"/var/syslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"
$template GRAYLOGRFC5424A,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
*.* ?RemoteHost;TraditionalRFC3164
*.* @localhost:5144;GRAYLOGRFC5424A
In graylog2-server I have a Syslog UDP input.
For some time I thought everything was working, because I had messages, the
proper source, etc.
I've created Grok filters inside graylog2 (I'm posting them because they may
be useful to someone):
if openvpn: (%{HOSTNAME:host}) (%{SYSLOGPROG:program}): (%{WORD:username}/%{IP:ip}:%{POSINT:port}) (?<VPNINFO>.*)
if filterlog: %{HOSTNAME:host} %{SYSLOGPROG:program}: (%{NUMBER:evtid}),(%{NUMBER:timestamp}),,(%{NUMBER:regula}),(?<iface>.*?),(?<match>match|nomatch),(?<action>pass|block),(?<direction>in|out),(?<ip_version>4|6),(.*?),(.*?),(?<proto>(?i)UDP|TCP|ICMP|IGMP|IGMPv6|ICMPv6),(.*?),(.*?),(?<src_ip>.*?),(?<dst_ip>.*?),(?<src_port>(\d*)|request),(?<dst_port>(\d*))
if filterlog: %{HOSTNAME:host} %{SYSLOGPROG:program}: .* \[ (%{NUMBER:evtid}),(%{NUMBER:timestamp}),,(%{NUMBER:regula}),(?<iface>.*?),(?<match>match|nomatch),(?<action>pass|block),(?<direction>in|out),(?<ip_version>4|6),(.*?),(.*?),(?<proto>(?i)UDP|TCP|ICMP|IGMP|IGMPv6|ICMPv6),(.*?),(.*?),(?<src_ip>.*?),(?<dst_ip>.*?),(?<src_port>(\d*)|request),(?<dst_port>(\d*))
if filterlog: %{HOSTNAME:host} %{SYSLOGPROG:program}: (%{NUMBER:evtid}),(%{NUMBER:timestamp}),,(%{NUMBER:regula}),(?<iface>.*?),(?<match>match|nomatch),(?<action>pass|block),(?<direction>in|out),(?<ip_version>4|6),(.*?),(.*?),(.*?),((?<proto>(?i)UDP|TCP|ICMP|IGMP|IGMPv6|ICMPv6)|(.*?)),(.*?),(.*?),(?<src_ip>.*?),(?<dst_ip>.*?),(?<msg>.*)
if DHCPINFO: (%{HOSTNAME:host}) (%{SYSLOGPROG:program}): (?<ACTION>.*?) (.*?) (?<dst_ip>.*?) (.*?) (?<iface>.*)
if DHCPACK: (%{HOSTNAME:host}) (%{SYSLOGPROG:program}): (?<ACTION>.*?) (.*?) (?<dst_ip>.*?) (.*?) %{COMMONMAC:mac} (.*?) (?<iface>.*)
if filterlog: %{HOSTNAME:host} %{SYSLOGPROG:program}: (%{NUMBER:evtid}),(%{NUMBER:timestamp}),,(%{NUMBER:regula}),(?<iface>.*?),(?<match>match|nomatch),(?<action>pass|block),(?<direction>in|out),(?<ip_version>4|6),(.*?),(.*?),(?<proto>(?i)UDP|TCP|ICMP|IGMP|IGMPv6|ICMPv6),(.*?),(.*?),(?<src_ip>.*?),(?<dst_ip>.*?),
if dhcpd: (%{HOSTNAME:host}) (%{SYSLOGPROG:program}): (?<msg>.*)
%{HOSTNAME:host} %{SYSLOGPROG:program}: (?<msg>.*)
And for DHCPD I've got everything (at least I haven't noticed anything
missing), but for firewall/filterlog I've got maybe 10% of the messages in
graylog2.
I'm also saving the logs to a file, so I can easily tell what I'm missing :/
Unfortunately, even when a filterlog message gets through to graylog2 it isn't
extracted by the Grok filter (the filter statistics don't show any errors).
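An added example, not part of the original post: the pfSense filterlog line that the Grok patterns above try to match is a comma-separated record whose field layout after the common header changes with the IP version (4 vs 6) and again with the transport protocol (TCP, UDP, ICMP), so a single flat pattern built from unanchored `(.*?)` groups lines up only for some layouts. The parser below reads the layout documented for pfSense 2.2 (an assumption; check it against your pfSense version), dispatches on `ip_version` and `proto`, and reports any line it cannot parse, which is a convenient way to diff the file copy written by rsyslog against what reaches Graylog. The sample syslog lines are constructed, and `parse_filterlog` / `find_unparsed` are names chosen here, not Graylog or pfSense APIs.

```python
import re
from typing import Dict, List, Optional

# Field layout assumed from the pfSense 2.2 filterlog documentation.
COMMON = ["rulenum", "subrulenum", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ip_version"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
        "length", "src_ip", "dst_ip"]
IPV6 = ["class", "flow_label", "hop_limit", "proto", "proto_id", "length",
        "src_ip", "dst_ip"]
TCP = ["src_port", "dst_port", "data_length", "tcp_flags", "seq", "ack",
       "window", "urg", "options"]
UDP = ["src_port", "dst_port", "data_length"]
ICMP = ["icmp_type"]  # the fields after the type depend on the type; kept raw

# RFC 3164-style wrapper as rsyslog would forward it: "<pri>Mon dd hh:mm:ss host filterlog: csv"
SYSLOG_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>filterlog)(?:\[\d+\])?: (?P<csv>.*)$")


def parse_filterlog(line: str) -> Optional[Dict[str, str]]:
    """Return a field dict for a filterlog syslog line, or None if it is not one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = m.group("csv").split(",")
    if len(fields) < len(COMMON):
        return None
    out = {"host": m.group("host"), "program": m.group("program")}
    out.update(zip(COMMON, fields))
    rest = fields[len(COMMON):]

    # The IP header block differs in length and order between v4 and v6.
    layout = {"4": IPV4, "6": IPV6}.get(out["ip_version"])
    if layout is None or len(rest) < len(layout):
        return None
    out.update(zip(layout, rest))
    rest = rest[len(layout):]

    # The transport block depends on the protocol text; unknown protocols keep raw fields.
    proto = out["proto"].lower()
    if proto == "tcp":
        proto_layout = TCP
    elif proto == "udp":
        proto_layout = UDP
    elif proto.startswith("icmp"):
        proto_layout = ICMP
    else:
        proto_layout = []
    out.update(zip(proto_layout, rest))  # zip stops early if a line is short
    out["extra"] = ",".join(rest[len(proto_layout):])
    return out


def find_unparsed(lines: List[str]) -> List[str]:
    """Lines the parser rejects: compare the rsyslog file copy with what Graylog shows."""
    return [ln for ln in lines if parse_filterlog(ln) is None]


# Constructed sample lines (IPv4/TCP, IPv6/UDP, IPv4/ICMP, and a non-filterlog line).
SAMPLES = [
    "<134>Mar 10 12:00:01 pfsense filterlog: 5,16777216,,1000000103,igb1,match,block,in,4,"
    "0x0,,64,54321,0,DF,6,tcp,60,198.51.100.7,192.0.2.10,51515,22,0,S,123456789,,65535,,mss;nop;wscale",
    "<134>Mar 10 12:00:02 pfsense filterlog: 9,16777216,,1000000104,igb1,match,pass,out,6,"
    "0x00,0x00000,64,udp,17,80,2001:db8::1,2001:db8::53,5353,53,72",
    "<134>Mar 10 12:00:03 pfsense filterlog: 7,16777216,,1000000105,igb0,match,block,in,4,"
    "0x0,,128,1,0,none,1,icmp,84,203.0.113.5,192.0.2.1,request,1234,5",
    "<134>Mar 10 12:00:04 pfsense dhcpd: DHCPACK on 192.0.2.50 to 00:11:22:33:44:55 via igb0",
]

if __name__ == "__main__":
    for ln in SAMPLES:
        rec = parse_filterlog(ln)
        if rec:
            print(f"{rec['action']:5} {rec['direction']:3} v{rec['ip_version']} {rec['proto']:4} "
                  f"{rec['src_ip']} -> {rec['dst_ip']} dport={rec.get('dst_port', rec.get('icmp_type'))}")
    print("unparsed:", find_unparsed(SAMPLES))
```

Running the file against the rsyslog-written `syslog.log` from the `RemoteHost` template and counting `find_unparsed` output gives a quick measure of how many firewall lines a given layout assumption fails on, which is the same check worth running before trusting a Grok extractor's hit rate.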