Dear Friend, your suggestions solved my problem, thanks a lot for everything!
Best Regards
Enrico
On Thursday, September 1, 2016 at 9:21:50 AM UTC+2, clikcspeed wrote:
> Hello Enrico,
>
> It looks like the extractor you downloaded is not parsing the Cisco logs
> correctly. I would suggest you do the following:
>
> 1. Create a new input (use raw UDP) and forward Cisco syslog to the new input.
> 2. Send a log to Graylog (i.e. login to the switch, enable, config t, ctrl-z)
> 3. Once you have seen the message structure, create the extractors for every field in your message
>
> I have attached an extractor that I created and it looks to be parsing the
> messages well via raw UDP. You just need to import it once you have created
> the new input. See screenshot below:
>
> <https://lh3.googleusercontent.com/-oN6CjGy_EYg/V8fWsPMUJtI/AAAAAAAAHpU/fUnVRItJvTMVAkDx-7kgQB8m2eHSBq8YgCLcB/s1600/catalyst.PNG>
>
> On Tuesday, August 30, 2016 at 3:28:26 PM UTC+2, Enrico wrote:
>>
>> Dear All,
>> I'm using the Graylog virtual machine version for managing all messages of
>> servers and network equipment.
>> To log all the hostnames in the messages from Cisco equipment I had
>> to add a local input named Cisco Catalyst, which I downloaded from the marketplace.
>>
>> After this installation I noticed that the number of recorded messages has
>> increased a lot and the top source has become Elasticsearch. For example I see a lot of these messages:
>>
>> Timestamp | source | message
>> *2016-08-30 15:25:31.546* elasticsearch
>> ... 22 more
>> *2016-08-30 15:25:31.546* elasticsearch
>> at org.elasticsearch.index.mapper.FieldMapper.parse(FieldMapper.java:321)
>> *2016-08-30 15:25:31.545* elasticsearch
>> at org.elasticsearch.index.mapper.core.NumberFieldMapper.parseCreateField(NumberFieldMapper.java:241)
>> *2016-08-30 15:25:31.544* elasticsearch
>> at org.elasticsearch.index.mapper.core.LongFieldMapper.innerParseCreateField(LongFieldMapper.java:275)
>> *2016-08-30 15:25:31.542* elasticsearch
>> at org.elasticsearch.common.xcontent.support.AbstractXContentParser.longValue(AbstractXContentParser.java:145)
>> *2016-08-30 15:25:31.541* elasticsearch
>> at java.lang.Long.parseLong(Long.java:631)
>> *2016-08-30 15:25:31.540* elasticsearch
>> at java.lang.Long.parseLong(Long.java:589)
>>
>> Can anyone explain that behaviour? How can I drop these messages?
>> Thanks a lot!
>> Best Regards
>> Enrico
>>

--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/eff28397-4809-46b5-867c-f5be83b87b35%40googlegroups.com.
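Step 3 of the quoted reply (one extractor per field) depends on knowing the Cisco IOS message layout that arrives on a raw UDP input. As an added illustration (not code from this thread, from Graylog, or from the marketplace extractor), the Python below pulls those fields out of constructed sample lines with one regex and converts to integers only the fields the pattern guarantees to be digits, which is the kind of type discipline that keeps a string from being indexed into a long-mapped field (the `Long.parseLong` failure visible in the quoted stack trace). The sample lines and field names are assumptions for the example.

```python
import re
from typing import Optional

# Constructed sample lines (not taken from the thread): Cisco IOS syslog as it
# arrives on a raw UDP input. The first is what "config t" + Ctrl-Z produces.
SAMPLE_LINES = [
    "<189>45: *Aug 30 15:25:31.546: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<187>46: *Aug 30 15:26:02.101: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to down",
    "<189>sw-core-01: *Aug 30 15:26:05.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi1/0/3, changed state to down",
]

# One regex for the whole message. The optional groups cover switches that send
# a sequence number, a hostname, or neither in front of the timestamp.
CISCO_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"
    r"(?:(?P<host>[A-Za-z][\w.-]*): )?"
    r"(?:[*.]?(?P<timestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?)(?: \w+)?: )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)


def parse_cisco_syslog(line: str) -> Optional[dict]:
    """Return typed fields for one Cisco IOS syslog line, or None if it does
    not match. Only fields the regex guarantees to be digits are converted to
    int, so a value that is really a string never lands in a numeric field."""
    m = CISCO_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    fields = {
        "syslog_facility": pri // 8,          # <PRI> = facility * 8 + severity
        "syslog_severity": pri % 8,
        "cisco_facility": m.group("facility"),
        "cisco_severity": int(m.group("severity")),
        "mnemonic": m.group("mnemonic"),
        "timestamp": m.group("timestamp"),
        "text": m.group("text"),
    }
    # A sequence number is an int only when the switch actually sends one; a
    # hostname in that position is kept as a string under a separate key.
    if m.group("seq") is not None:
        fields["sequence"] = int(m.group("seq"))
    if m.group("host") is not None:
        fields["source_host"] = m.group("host")
    return fields
```

Lines that do not match return `None` rather than a partially filled record, so a pipeline can route them to a catch-all stream instead of indexing half-typed fields.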
