Roberto, you will need to have the device(s) send their logs to the new 
port instead of 10514. That way only the data that needs the extra parsing 
will be processed by the extractor.

Cisco devices --> 5555 (or whatever)
All other Syslog --> 10514

-Pete

On Friday, February 27, 2015 at 11:17:25 AM UTC-8, [email protected] 
wrote:
>
> Dear Bernd, thanks for your helpful response....but now I have a new 
> question.
>
> I have a Graylog2 server with just one INPUT "Syslog UDP" listening on 
> port UDP/10514, and the tutorial said I have to create another INPUT "Raw" 
> suppose listening on port UDP/5555.
>
> How can I connect the raw input with the syslog input ??? I got lost...
>
> Thanks in advance,
>
> Roberto
>
> On Friday, 27 February 2015, 13:57:08 (UTC-3), Bernd Ahlers wrote:
>>
>> Roberto, 
>>
>> the Cisco ASA does not send valid Syslog, unfortunately. You have to 
>> create a "Raw" input and create extractors. 
>>
>> There is a blog post about this here: 
>> http://spottedhyena.co.uk/2015/01/graylog2-cisco-asa-cisco-catalyst/ 
>>
>> Hope that helps! 
>>
>> Regards, 
>> Bernd 
>>
>> On 27 February 2015 at 15:57,  <[email protected]> wrote: 
>> > Dear, I have a Graylog2 version 0.20.6 as our syslog server of our 
>> > company. 
>> > 
>> > I defined an INPUT "Syslog UDP" running on port UDP/10514, and after 
>> > that we point several Windows and Linux servers to the Graylog2 with 
>> > no problems. 
>> > 
>> > But in the case of the Cisco ASA firewalls, we have a problem because 
>> > the source sometimes matches something like: 
>> > 
>> > :%ASA-session-6-302013: 
>> > 
>> > In the Cisco ASA's I setup: 
>> > 
>> > logging enable 
>> > logging emblem 
>> > logging trap informational 
>> > logging history debugging 
>> > logging asdm debugging 
>> > logging device-id hostname 
>> > logging host inside_Frontend 10.1.1.1 format emblem 
>> > 
>> > I want to have the original hostname in the "source" field, so what 
>> > can I do??? 
>> > 
>> > Regards, 
>> > 
>> > Roberto 
>> > 
>> > -- 
>> > You received this message because you are subscribed to the Google 
>> > Groups "graylog2" group. 
>> > To unsubscribe from this group and stop receiving emails from it, 
>> > send an email to [email protected]. 
>> > For more options, visit https://groups.google.com/d/optout. 
>>
>>
>>
>> -- 
>> Developer 
>>
>> Tel.: +49 (0)40 609 452 077 
>> Fax.: +49 (0)40 609 452 078 
>>
>> TORCH GmbH - A Graylog company 
>> Steckelhörn 11 
>> 20457 Hamburg 
>> Germany 
>>
>> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175 
>> Managing Director: Lennart Koopmann (CEO) 
>>
>
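
Added example, not part of the thread and not Graylog or Cisco code: a Python function showing the parsing that extractors on the separate "Raw" input have to do, which is to pull the device hostname and the `%ASA-...` tag out of a line that is not valid Syslog so that "source" holds the firewall's name. The line layout, the function name `extract_asa`, the field names and the sample lines are assumptions constructed for illustration.

```python
import re

# Layout assumed here: "<PRI>[:]timestamp [hostname :] %ASA-[class-]sev-id: text"
PRI_RE = re.compile(r"^<(\d{1,3})>:?")
TAG_RE = re.compile(
    r"%ASA-(?:(?P<cls>[a-z]+)-)?(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)
# Device-id hostname: last token of the header, followed by " : "
HOST_RE = re.compile(r"(?:^|\s)(?P<host>[A-Za-z][A-Za-z0-9._-]*)\s+:\s*$")


def extract_asa(raw, sender_ip):
    """Return the fields for one ASA line, or None if it carries no %ASA tag."""
    raw = raw.strip()
    tag = TAG_RE.search(raw)
    if tag is None:
        return None  # not an ASA message: leave it to the normal Syslog input
    pri = PRI_RE.match(raw)
    # Everything between the PRI and the %ASA tag: timestamp and, maybe, hostname.
    header = raw[pri.end() if pri else 0:tag.start()]
    host = HOST_RE.search(header)
    fields = {
        # Fall back to the sender address when the device sent no hostname.
        "source": host.group("host") if host else sender_ip,
        "asa_class": tag.group("cls"),
        "asa_severity": int(tag.group("sev")),
        "asa_message_id": tag.group("msgid"),
        "message": tag.group("text"),
    }
    if pri:
        # PRI = facility * 8 + level, as in regular Syslog.
        fields["facility"], fields["level"] = divmod(int(pri.group(1)), 8)
    return fields


# Constructed sample lines (hostnames and addresses are made up).
WITH_HOST = ("<166>Feb 27 2015 15:57:08 fw01 : %ASA-session-6-302013: "
             "Built outbound TCP connection 1 for outside:192.0.2.10/443")
NO_HOST = "<166>:Feb 27 15:57:08 UTC: %ASA-session-6-302013: Built outbound TCP"
NOT_ASA = "<13>Feb 27 15:57:08 linux01 sshd[812]: Accepted publickey for admin"

if __name__ == "__main__":
    for line in (WITH_HOST, NO_HOST, NOT_ASA):
        print(extract_asa(line, "10.1.1.254"))
```
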
