Hi Robert,

maybe the content packs from the Graylog Marketplace don't capture all message variants emitted by these Cisco devices. In this case, please open an issue with the authors of those content packs on GitHub.

Cheers,
Jochen

On Wednesday, 25 May 2016 17:26:10 UTC+2, Robert Craig wrote:
>
> I guess I'm confused. Both the custom input and the extractor from the
> marketplace are configured as Raw/Plaintext UDP under System/Inputs. What
> else am I missing?
>
>
> Robert
>
> On Wednesday, May 25, 2016 at 10:23:03 AM UTC-5, Jochen Schalanda wrote:
>>
>> Hi Robert,
>>
>> as I said, Cisco appliances aren't sending proper syslog messages. Please
>> use Raw/Plaintext input instead of a Syslog input and use extractors to
>> transform those messages accordingly.
>>
>> Cheers,
>> Jochen
>>
>> On Wednesday, 25 May 2016 17:12:41 UTC+2, Robert Craig wrote:
>>>
>>> The only extractor in there for Cisco is Catalyst and ASA, both of which
>>> I am running. Any other ideas?
>>>
>>> Robert
>>>
>>> On Wednesday, May 25, 2016 at 10:04:30 AM UTC-5, Jochen Schalanda wrote:
>>>>
>>>> Hi Robert,
>>>>
>>>> Cisco appliances don't send valid syslog messages. Please take a look
>>>> at the extractors functionality in Graylog:
>>>> http://docs.graylog.org/en/2.0/pages/extractors.html
>>>>
>>>> Cheers,
>>>> Jochen
>>>>
>>>> On Wednesday, 25 May 2016 16:39:40 UTC+2, Robert Craig wrote:
>>>>>
>>>>> I've installed two variations of Cisco extractors on Graylog2 (one
>>>>> from marketplace and other from random blog I found). The Source IP
>>>>> displays correctly, but it seems not all of the actual syslog message is
>>>>> displayed.
>>>>>
>>>>> Example:
>>>>> I see this in Graylog
>>>>> 22] at 09:36:18 CDT Wed May 25 2016
>>>>>
>>>>> But it should be this
>>>>> %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rlcadm] [Source:
>>>>> X.X.X.X] [localport: 22] at 09:37:43 CDT Wed May 25 2016
>>>>>
>>>>> Is there anything I can tweak to overcome this issue? Thanks for any
>>>>> help.
>>>>>
>>>>> Robert
>>>>>
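The approach recommended in the thread (a Raw/Plaintext input plus an extractor), sketched as an added example that is not part of the original thread or of any Graylog content pack: a Python regex parser for the `%FACILITY-SEVERITY-MNEMONIC:` line Robert quotes. The `<189>45: ` prefix on the sample and the `cisco_*` field names are assumptions made for illustration.

```python
import re

# %FACILITY-SEVERITY-MNEMONIC: text, located anywhere in the raw datagram,
# so whatever header the device puts in front of it does not matter.
CISCO_MSG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):"
    r"\s*(?P<text>.*)$"
)
# [key: value] pairs inside the text, e.g. [user: rlcadm]
BRACKET_FIELD = re.compile(r"\[(\w+):\s*([^\]]*)\]")


def parse_cisco_line(raw):
    """Return extracted fields, or None if the line carries no %FAC-SEV-MNEMONIC tag."""
    m = CISCO_MSG.search(raw.strip())
    if m is None:
        return None
    fields = {
        "facility": m.group("facility"),
        "severity": int(m.group("severity")),
        "mnemonic": m.group("mnemonic"),
        "message": m.group("text"),  # complete text after the tag
    }
    # Field names prefixed with "cisco_" (hypothetical naming) to avoid
    # clashing with fields the log platform sets itself, such as "source".
    for key, value in BRACKET_FIELD.findall(m.group("text")):
        fields["cisco_" + key.lower()] = value.strip()
    return fields


# Message body as quoted in the thread; the "<189>45: " prefix is constructed.
SAMPLE = ("<189>45: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rlcadm] "
          "[Source: X.X.X.X] [localport: 22] at 09:37:43 CDT Wed May 25 2016")

if __name__ == "__main__":
    for name, value in parse_cisco_line(SAMPLE).items():
        print(f"{name}: {value}")
```

A line that yields `None` here, such as the truncated fragment shown in the thread, is one the pattern does not cover and is worth routing to a stream for review rather than dropping.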
