Will do, thanks.

Robert

On Wednesday, May 25, 2016 at 11:26:21 AM UTC-5, Jochen Schalanda wrote:
>
> Hi Robert,
>
> maybe the content packs from the Graylog Marketplace don't capture all
> message variants emitted by these Cisco devices. In this case, please open
> an issue with the authors of those content packs on GitHub.
>
> Cheers,
> Jochen
>
> On Wednesday, 25 May 2016 17:26:10 UTC+2, Robert Craig wrote:
>>
>> I guess I'm confused. Both the custom input and the extractor from the
>> marketplace are configured as Raw/Plaintext UDP under System/Inputs. What
>> else am I missing?
>>
>>
>> Robert
>>
>> On Wednesday, May 25, 2016 at 10:23:03 AM UTC-5, Jochen Schalanda wrote:
>>>
>>> Hi Robert,
>>>
>>> as I said, Cisco appliances aren't sending proper syslog messages.
>>> Please use Raw/Plaintext input instead of a Syslog input and use extractors
>>> to transform those messages accordingly.
>>>
>>> Cheers,
>>> Jochen
>>>
>>> On Wednesday, 25 May 2016 17:12:41 UTC+2, Robert Craig wrote:
>>>>
>>>> The only extractor in there for Cisco is Catalyst and ASA, both of
>>>> which I am running. Any other ideas?
>>>>
>>>> Robert
>>>>
>>>> On Wednesday, May 25, 2016 at 10:04:30 AM UTC-5, Jochen Schalanda wrote:
>>>>>
>>>>> Hi Robert,
>>>>>
>>>>> Cisco appliances don't send valid syslog messages. Please take a look
>>>>> at the extractors functionality in Graylog:
>>>>> http://docs.graylog.org/en/2.0/pages/extractors.html
>>>>>
>>>>> Cheers,
>>>>> Jochen
>>>>>
>>>>> On Wednesday, 25 May 2016 16:39:40 UTC+2, Robert Craig wrote:
>>>>>>
>>>>>> I've installed two variations of Cisco extractors on Graylog2 (one
>>>>>> from marketplace and other from random blog I found). The Source IP
>>>>>> displays correctly, but it seems not all of the actual syslog message is
>>>>>> displayed.
>>>>>>
>>>>>> Example:
>>>>>> I see this in Graylog
>>>>>> 22] at 09:36:18 CDT Wed May 25 2016
>>>>>>
>>>>>> But it should be this
>>>>>> %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rlcadm] [Source:
>>>>>> X.X.X.X] [localport: 22] at 09:37:43 CDT Wed May 25 2016
>>>>>>
>>>>>> Is there anything I can tweak to overcome this issue? Thanks for any
>>>>>> help.
>>>>>>
>>>>>> Robert
>>>>>>
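
Added example, not part of the thread and not code from Graylog or the Marketplace content packs: a Python sketch of the field extraction an extractor on a Raw/Plaintext input has to perform on the login message quoted above. The regular expressions, the function name `parse_cisco`, the message prefix and the address 192.0.2.10 in the sample line are assumptions constructed for illustration; a stored fragment without the `%FACILITY-SEVERITY-MNEMONIC` header returns `None`, so truncated messages like the one in the thread can be flagged.

```python
import re

# Cisco message body: %FACILITY-SEVERITY-MNEMONIC: description
# search() is used so any prefix the device puts in front is skipped.
CISCO_MSG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+(?:-[A-Z0-9_]+)*?)"
    r"-(?P<severity>[0-7])"
    r"-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)
# Bracketed "key: value" pairs such as [user: rlcadm]
BRACKET_KV = re.compile(r"\[(?P<key>[^:\]]+):\s*(?P<value>[^\]]*)\]")


def parse_cisco(raw):
    """Return extracted fields, or None when the %FACILITY header is absent
    (for example when only a truncated tail of the message was stored)."""
    m = CISCO_MSG.search(raw)
    if m is None:
        return None
    text = m.group("text").strip()
    # Bracketed pairs go in their own dict so they cannot overwrite header fields.
    attrs = {
        kv.group("key").strip().lower(): kv.group("value").strip()
        for kv in BRACKET_KV.finditer(text)
    }
    return {
        "facility": m.group("facility"),
        "severity": int(m.group("severity")),
        "mnemonic": m.group("mnemonic"),
        "text": text,
        "attrs": attrs,
    }


# Constructed sample: the prefix and the source address are made up,
# the message body follows the line quoted in the thread.
FULL = ("<189>1234: *May 25 09:37:43.123 CDT: %SEC_LOGIN-5-LOGIN_SUCCESS: "
        "Login Success [user: rlcadm] [Source: 192.0.2.10] [localport: 22] "
        "at 09:37:43 CDT Wed May 25 2016")
# The truncated fragment reported in the thread.
TRUNCATED = "22] at 09:36:18 CDT Wed May 25 2016"

if __name__ == "__main__":
    for line in (FULL, TRUNCATED):
        parsed = parse_cisco(line)
        print("TRUNCATED OR UNPARSED" if parsed is None else parsed)
```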
