Great :) Glad it worked.

On Thursday, 1 September 2016 12:05:33 UTC+2, Enrico wrote:
>
> Dear Friend,
> your suggestions solved my problem, thanks a lot for everything!
> Best Regards
> Enrico
>
> On Thursday, September 1, 2016 at 9:21:50 AM UTC+2, clikcspeed wrote:
>
>> Hello Enrico,
>>
>> It looks like the extractor you downloaded is not parsing the Cisco logs
>> correctly. I would suggest you do the following:
>>
>> 1. Create a new input (use raw UDP) and forward Cisco syslog to the
>>    new input.
>> 2. Send a log to Graylog (i.e. login to the switch, enable, config t,
>>    ctrl-z).
>> 3. Once you have seen the message structure, create the extractors
>>    for every field in your message.
>>
>> I have attached an extractor that I created and it looks to be parsing the
>> messages well via raw UDP. You just need to import it once you have created
>> the new input. See screenshot below:
>>
>> <https://lh3.googleusercontent.com/-oN6CjGy_EYg/V8fWsPMUJtI/AAAAAAAAHpU/fUnVRItJvTMVAkDx-7kgQB8m2eHSBq8YgCLcB/s1600/catalyst.PNG>
>>
>> On Tuesday, August 30, 2016 at 3:28:26 PM UTC+2, Enrico wrote:
>>>
>>> Dear All,
>>> I'm using the Graylog virtual machine version for managing all messages
>>> of servers and network equipment.
>>> To log all the hostnames in the messages from Cisco equipment I
>>> had to add a local input named Cisco Catalyst,
>>> that I've downloaded from the marketplace.
>>>
>>> After this installation I noticed that the number of recorded messages has
>>> increased a lot and the Top Source has become
>>> Elasticsearch.
>>> For example I see a lot of these messages:
>>>
>>> Timestamp                  source         message
>>> 2016-08-30 15:25:31.546    elasticsearch  ... 22 more
>>> 2016-08-30 15:25:31.546    elasticsearch  at org.elasticsearch.index.mapper.FieldMapper.parse(FieldMapper.java:321)
>>> 2016-08-30 15:25:31.545    elasticsearch  at org.elasticsearch.index.mapper.core.NumberFieldMapper.parseCreateField(NumberFieldMapper.java:241)
>>> 2016-08-30 15:25:31.544    elasticsearch  at org.elasticsearch.index.mapper.core.LongFieldMapper.innerParseCreateField(LongFieldMapper.java:275)
>>> 2016-08-30 15:25:31.542    elasticsearch  at org.elasticsearch.common.xcontent.support.AbstractXContentParser.longValue(AbstractXContentParser.java:145)
>>> 2016-08-30 15:25:31.541    elasticsearch  at java.lang.Long.parseLong(Long.java:631)
>>> 2016-08-30 15:25:31.540    elasticsearch  at java.lang.Long.parseLong(Long.java:589)
>>>
>>> Can anyone explain that behaviour? How can I drop these messages?
>>> Thanks a lot!
>>> Best Regards
>>> Enrico
>>>
>>
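The stack trace Enrico posted ends in java.lang.Long.parseLong inside Elasticsearch's LongFieldMapper, i.e. the extractor handed Elasticsearch a value for a long-typed field that was not a number. The example below is an added illustration and is not the extractor attached in this thread nor Graylog's own code: it is a small Python parser for the Cisco IOS syslog layout clikcspeed describes (priority, optional hostname, optional sequence number, timestamp, %FACILITY-SEVERITY-MNEMONIC, text), which only ever emits integers in the fields that would carry a numeric mapping, leaves unparseable lines untouched instead of forcing typed fields out of them, and includes a check that flags any field value the long mapper could not parse. The sample lines, function names and field names are constructed for this example; the %SYS-5-CONFIG_I message is the one a "config t" followed by Ctrl-Z produces.

```python
import re
from typing import Optional

# Constructed sample messages shaped like Cisco IOS syslog received over raw UDP.
SAMPLE_LINES = [
    "<189>45: *Sep  1 09:20:11.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<187>46: *Sep  1 09:20:15.456: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<189>catalyst-01: 47: *Sep  1 09:20:20.789: %SYS-5-CONFIG_I: Configured from console by console",
    "<189>: *Sep  1 09:20:30.000: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.60 port 514 started",
    "garbage line that is not cisco syslog",
]

# Cisco IOS syslog layout (assumed for this example; no year in the timestamp).
CISCO_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                         # syslog priority = facility*8 + severity
    r"(?:(?P<host>(?!\d+:)[\w.-]+): )?"             # optional hostname, never a bare number
    r"(?:(?P<sequence>\d*): )?"                     # optional sequence number (may be empty)
    r"(?P<timestamp>[*.]?[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{1,3})?(?: [A-Za-z]{3,4})?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<message>.*)$"
)

# Fields that an index mapping would type as long; they must only ever hold ints.
NUMERIC_FIELDS = ("pri", "facility_code", "syslog_severity", "severity", "sequence")


def parse_cisco_syslog(line: str) -> Optional[dict]:
    """Return typed fields for one Cisco IOS syslog line, or None if it does not match.

    Returning None lets the caller keep the raw line as a plain string message
    instead of emitting half-parsed values into numerically mapped fields.
    """
    m = CISCO_RE.match(line)
    if m is None:
        return None
    pri = int(m["pri"])
    seq = m["sequence"]
    return {
        "pri": pri,
        "facility_code": pri // 8,          # 189 -> 23 (local7)
        "syslog_severity": pri % 8,         # 189 -> 5 (notice)
        "host": m["host"],                  # None when the switch sends no hostname
        "sequence": int(seq) if seq else None,
        "timestamp": m["timestamp"].lstrip("*."),  # '*' marks a non-authoritative clock
        "cisco_facility": m["facility"],
        "severity": int(m["severity"]),
        "mnemonic": m["mnemonic"],
        "message": m["message"],
    }


def check_numeric_fields(fields: dict, numeric_fields=NUMERIC_FIELDS) -> list:
    """Names of numeric-mapped fields whose value would fail Long.parseLong.

    Mimics the check Elasticsearch performs at index time, so a bad extractor
    output is caught before it is sent rather than surfacing as a stack trace.
    """
    bad = []
    for name in numeric_fields:
        value = fields.get(name)
        if value is None:
            continue
        try:
            int(str(value).strip())
        except ValueError:
            bad.append(name)
    return bad


def parse_batch(lines):
    """Split lines into (parsed field dicts, raw lines that did not match)."""
    parsed, rejected = [], []
    for line in lines:
        fields = parse_cisco_syslog(line)
        if fields is None:
            rejected.append(line)
        else:
            parsed.append(fields)
    return parsed, rejected


if __name__ == "__main__":
    ok, bad = parse_batch(SAMPLE_LINES)
    for f in ok:
        print(f["mnemonic"], f["severity"], f["sequence"], f["host"], "->", f["message"])
    print("unparsed:", bad)
    # A value like the string "notice" in a long-mapped field is what breaks indexing.
    print("would fail long mapping:", check_numeric_fields({"severity": "notice", "sequence": 12}))
```

Run it as a script to see the parsed fields for the sample lines; the last line of output shows the kind of field/value pair that produces the Long.parseLong errors in the thread. The same idea applies to the Graylog extractor itself: a field should only be converted to a numeric type when the extractor's pattern guarantees the captured text is a number, and unmatched lines should stay as plain messages.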
