Hi Robert,

as I said, Cisco appliances aren't sending proper syslog messages. Please 
use Raw/Plaintext input instead of a Syslog input and use extractors to 
transform those messages accordingly.

Cheers,
Jochen

On Wednesday, 25 May 2016 17:12:41 UTC+2, Robert Craig wrote:
>
> The only extractors in there for Cisco are Catalyst and ASA, both of which I 
> am running. Any other ideas?
>
> Robert
>
> On Wednesday, May 25, 2016 at 10:04:30 AM UTC-5, Jochen Schalanda wrote:
>>
>> Hi Robert,
>>
>> Cisco appliances don't send valid syslog messages. Please take a look at 
>> the extractors functionality in Graylog: 
>> http://docs.graylog.org/en/2.0/pages/extractors.html
>>
>> Cheers,
>> Jochen
>>
>> On Wednesday, 25 May 2016 16:39:40 UTC+2, Robert Craig wrote:
>>>
>>> I've installed two variations of Cisco extractors on Graylog2 (one from 
>>> the marketplace and the other from a random blog I found). The Source IP displays 
>>> correctly, but it seems not all of the actual syslog message is displayed.
>>>
>>> Example:
>>> I see this in Graylog:
>>> 22] at 09:36:18 CDT Wed May 25 2016
>>>
>>> But it should be this:
>>> %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rlcadm] [Source: 
>>> X.X.X.X] [localport: 22] at 09:37:43 CDT Wed May 25 2016
>>>
>>> Is there anything I can tweak to overcome this issue? Thanks for any 
>>> help.
>>>
>>> Robert
>>>
>>
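
As an added illustration that is not part of the thread: a Python sketch of the field extraction one would apply to a line received on a Raw/Plaintext input, using the `%SEC_LOGIN` message quoted above. The function name `parse_ios`, the regular expressions, and the header in front of the `%` tag in the sample line are assumptions constructed for this example; a line without a `%FACILITY-SEVERITY-MNEMONIC:` tag, like the truncated one Robert saw, is reported as unparseable instead of being stored as if complete.

```python
import re

# Cisco IOS message body: %FACILITY-SEVERITY-MNEMONIC: free text
IOS_TAG = re.compile(
    r"%(?P<facility>[A-Z0-9_-]+?)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):"
    r"\s*(?P<text>.*)",
    re.DOTALL,
)
# Bracketed pairs such as [user: rlcadm] or [localport: 22]
KV = re.compile(r"\[(?P<key>[A-Za-z_ ]+):\s*(?P<value>[^\]]*)\]")

# Constructed sample: the "<189>1234: *May 25 ..." header is invented for the
# example; the part from "%SEC_LOGIN" onward is the message quoted in the thread.
SAMPLE = ("<189>1234: *May 25 09:37:43.123 CDT: %SEC_LOGIN-5-LOGIN_SUCCESS: "
          "Login Success [user: rlcadm] [Source: X.X.X.X] [localport: 22] "
          "at 09:37:43 CDT Wed May 25 2016")
# What the Syslog input left behind, as quoted in the thread.
TRUNCATED = "22] at 09:36:18 CDT Wed May 25 2016"


def parse_ios(raw):
    """Return the fields of one raw line, or None if no %TAG is present."""
    m = IOS_TAG.search(raw)
    if m is None:
        return None  # truncated or non-IOS line: flag it, do not guess
    text = m.group("text").strip()
    pairs = {
        kv.group("key").strip().lower(): " ".join(kv.group("value").split())
        for kv in KV.finditer(text)
    }
    return {
        "facility": m.group("facility"),
        "severity": int(m.group("severity")),
        "mnemonic": m.group("mnemonic"),
        "message": text,
        "kv": pairs,
    }


if __name__ == "__main__":
    print(parse_ios(SAMPLE))
    print(parse_ios(TRUNCATED))
```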
