Hello Enrico,
It looks like the extractor you downloaded is not parsing the Cisco logs
correctly. I would suggest you do the following:
1. Create a new input (use raw UDP) and forward Cisco syslog to the new
input.
2. Send a log to Graylog (i.e. log in to the switch, enable, config t,
ctrl-z)
3. Once you have seen the message structure, create the extractors for
every field in your message
I have attached an extractor that I created and that looks to be parsing the
messages well via raw UDP. You just need to import it once you have created
the new input. See screenshot below:
<https://lh3.googleusercontent.com/-oN6CjGy_EYg/V8fWsPMUJtI/AAAAAAAAHpU/fUnVRItJvTMVAkDx-7kgQB8m2eHSBq8YgCLcB/s1600/catalyst.PNG>
On Tuesday, August 30, 2016 at 3:28:26 PM UTC+2, Enrico wrote:
>
> Dear All,
> I'm using the Graylog virtual machine version for managing all messages of
> servers and network equipment.
> To log all the hostnames in the messages from Cisco equipment I had
> to add a local input named Cisco Catalyst,
> that I downloaded from the marketplace.
>
> After this installation I noticed that the number of recorded messages has
> increased a lot and the Top Source has become
> Elasticsearch. For example I see a lot of these messages:
>
>
> Timestamp                source         message
> 2016-08-30 15:25:31.546  elasticsearch  ... 22 more
> 2016-08-30 15:25:31.546  elasticsearch  at org.elasticsearch.index.mapper.FieldMapper.parse(FieldMapper.java:321)
> 2016-08-30 15:25:31.545  elasticsearch  at org.elasticsearch.index.mapper.core.NumberFieldMapper.parseCreateField(NumberFieldMapper.java:241)
> 2016-08-30 15:25:31.544  elasticsearch  at org.elasticsearch.index.mapper.core.LongFieldMapper.innerParseCreateField(LongFieldMapper.java:275)
> 2016-08-30 15:25:31.542  elasticsearch  at org.elasticsearch.common.xcontent.support.AbstractXContentParser.longValue(AbstractXContentParser.java:145)
> 2016-08-30 15:25:31.541  elasticsearch  at java.lang.Long.parseLong(Long.java:631)
> 2016-08-30 15:25:31.540  elasticsearch  at java.lang.Long.parseLong(Long.java:589)
>
> Can anyone explain that behaviour? How can I drop these messages?
> Thanks a lot !
> Best Regards
> Enrico
>
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/fd550208-01f1-4578-8da0-8fbfc8778d81%40googlegroups.com.
{
  "extractors": [
    {
      "title": "cisco_username",
      "extractor_type": "regex",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "cisco_username",
      "extractor_config": {
        "regex_value": "User:([^\\s]+)"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "cisco_logged_command",
      "extractor_type": "regex",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "cisco_logged_command",
      "extractor_config": {
        "regex_value": "command:(.*)"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "cisco_syslog_severity",
      "extractor_type": "regex",
      "converters": [
        {
          "type": "numeric",
          "config": {}
        }
      ],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "cisco_syslog_severity",
      "extractor_config": {
        "regex_value": "-(\\d)-"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "cisco_syslog_facility",
      "extractor_type": "regex",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "cisco_syslog_facility",
      "extractor_config": {
        "regex_value": "%(.+?)-"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "cisco_syslog_message",
      "extractor_type": "regex",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "cisco_syslog_message",
      "extractor_config": {
        "regex_value": "%.+?:(.*)"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "cisco_syslog_mnemonic",
      "extractor_type": "regex",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "cisco_syslog_mnemonic",
      "extractor_config": {
        "regex_value": "\\d-(.+?):"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "cisco_syslog_hostname",
      "extractor_type": "regex",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "cisco_syslog_hostname",
      "extractor_config": {
        "regex_value": ":\\s(.*?):"
      },
      "condition_type": "none",
      "condition_value": ""
    }
  ],
  "version": "2.0.0-SNAPSHOT"
}
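To see what the attached extractor set actually pulls out of a Catalyst datagram before importing it, here is an added example (not part of the thread or of Graylog) that emulates the seven regex extractors in Python and runs them over constructed sample messages; the switch name, sequence numbers and command are invented, and the third sample shows what the hostname regex captures when the switch sends no origin hostname.

```python
import re

# The seven regex extractors from the attached Graylog definition
# (target_field, regex_value, has "numeric" converter). Graylog runs each
# one on "message" and copies the first capture group into target_field.
EXTRACTORS = [
    ("cisco_username",        r"User:([^\s]+)", False),
    ("cisco_logged_command",  r"command:(.*)",  False),
    ("cisco_syslog_severity", r"-(\d)-",        True),
    ("cisco_syslog_facility", r"%(.+?)-",       False),
    ("cisco_syslog_message",  r"%.+?:(.*)",     False),
    ("cisco_syslog_mnemonic", r"\d-(.+?):",     False),
    ("cisco_syslog_hostname", r":\s(.*?):",     False),
]


def run_extractors(message: str) -> dict:
    """Emulate the extractor set: first match, group 1, cursor_strategy
    "copy" (source field untouched). A non-matching pattern yields no field,
    so a LINK message carries no cisco_username or cisco_logged_command."""
    fields = {"message": message}
    for target, pattern, numeric in EXTRACTORS:
        m = re.search(pattern, message)
        if m is None:
            continue
        value = m.group(1)
        # The "numeric" converter turns the captured severity digit into a
        # number instead of leaving it as a one-character string.
        fields[target] = int(value) if numeric else value
    return fields


# Constructed sample datagrams (not taken from the thread) in the shape a
# Catalyst sends to a raw UDP input: PRI, sequence number, origin hostname,
# timestamp, then the "%FACILITY-SEVERITY-MNEMONIC: text" body.
CONFIG_LOG = ("<189>57: Switch01: *Aug 30 15:25:31.546: "
              "%PARSER-5-CFGLOG_LOGGEDCMD: User:enrico  logged command:interface Vlan1")
LINK_DOWN = ("<187>58: Switch01: *Aug 30 15:26:02.101: "
             "%LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down")
# Same switch without "logging origin-id hostname": the hostname regex then
# grabs the start of the timestamp, which is why the message structure must
# be checked first.
NO_HOSTNAME = ("<189>59: *Aug 30 15:27:10.000: "
               "%SYS-5-CONFIG_I: Configured from console by enrico on vty0")

if __name__ == "__main__":
    for line in (CONFIG_LOG, LINK_DOWN, NO_HOSTNAME):
        out = run_extractors(line)
        del out["message"]
        print(out)
```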