Robert - were you ever able to get this fixed? Would you be willing to let me know how far you go and exactly what you did in graylog - there are two asa extractors in the marketplace - which one did you use? Thanks in advance for any info.
On Wednesday, May 25, 2016 at 12:27:14 PM UTC-4, Robert Craig wrote:
> Will do, thanks.
>
> Robert
>
> On Wednesday, May 25, 2016 at 11:26:21 AM UTC-5, Jochen Schalanda wrote:
>> Hi Robert,
>>
>> maybe the content packs from the Graylog Marketplace don't capture all message variants emitted by these Cisco devices. In this case, please open an issue with the authors of those content packs on GitHub.
>>
>> Cheers,
>> Jochen
>>
>> On Wednesday, 25 May 2016 17:26:10 UTC+2, Robert Craig wrote:
>>> I guess I'm confused. Both the custom input and the extractor from the marketplace are configured as Raw/Plaintext UDP under System/Inputs. What else am I missing?
>>>
>>> Robert
>>>
>>> On Wednesday, May 25, 2016 at 10:23:03 AM UTC-5, Jochen Schalanda wrote:
>>>> Hi Robert,
>>>>
>>>> as I said, Cisco appliances aren't sending proper syslog messages. Please use Raw/Plaintext input instead of a Syslog input and use extractors to transform those messages accordingly.
>>>>
>>>> Cheers,
>>>> Jochen
>>>>
>>>> On Wednesday, 25 May 2016 17:12:41 UTC+2, Robert Craig wrote:
>>>>> The only extractor in there for Cisco is Catalyst and ASA, both of which I am running. Any other ideas?
>>>>>
>>>>> Robert
>>>>>
>>>>> On Wednesday, May 25, 2016 at 10:04:30 AM UTC-5, Jochen Schalanda wrote:
>>>>>> Hi Robert,
>>>>>>
>>>>>> Cisco appliances don't send valid syslog messages. Please take a look at the extractors functionality in Graylog:
>>>>>> http://docs.graylog.org/en/2.0/pages/extractors.html
>>>>>>
>>>>>> Cheers,
>>>>>> Jochen
>>>>>>
>>>>>> On Wednesday, 25 May 2016 16:39:40 UTC+2, Robert Craig wrote:
>>>>>>> I've installed two variations of Cisco extractors on Graylog2 (one from marketplace and other from random blog I found). The Source IP displays correctly, but it seems not all of the actual syslog message is displayed.
>>>>>>>
>>>>>>> Example:
>>>>>>> I see this in Graylog
>>>>>>> 22] at 09:36:18 CDT Wed May 25 2016
>>>>>>>
>>>>>>> But it should be this
>>>>>>> %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rlcadm] [Source: X.X.X.X] [localport: 22] at 09:37:43 CDT Wed May 25 2016
>>>>>>>
>>>>>>> Is there anything I can tweak to overcome this issue? Thanks for any help.
>>>>>>>
>>>>>>> Robert
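An added example, not from the thread and not Graylog's or any marketplace pack's code, of the kind of extractor Jochen describes: a small Python parser for Cisco IOS-style lines such as Robert's %SEC_LOGIN-5-LOGIN_SUCCESS message, tolerant of the optional sequence-number and device-timestamp prefixes Cisco puts before the header, and returning None for a line whose header has already been lost. The sample lines are constructed; X.X.X.X is the placeholder from the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Cisco IOS lines are not RFC 3164/5424 syslog: after an optional <PRI> they may
# carry a sequence number and a device timestamp before the %FAC-SEV-MNEMONIC
# header, which is where a strict syslog parser tends to lose the front of the
# message. Every prefix below is optional.
CISCO_LINE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                           # syslog priority
    r"(?:\s*(?P<seq>\d+):)?"                              # "service sequence-numbers"
    r"(?:\s*\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+[\d:.]+"  # "service timestamps log datetime"
    r"(?:\s+[A-Z]{3,4})?):)?"
    r"\s*%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<message>.*)$"
)
BRACKET_KV = re.compile(r"\[(?P<key>[^\]:]+):\s*(?P<value>[^\]]*)\]")  # "[key: value]" pairs

@dataclass
class CiscoEvent:
    facility: str
    severity: int
    mnemonic: str
    message: str
    fields: Dict[str, str] = field(default_factory=dict)
    pri: Optional[int] = None
    seq: Optional[int] = None
    timestamp: Optional[str] = None

def parse_cisco_syslog(line: str) -> Optional[CiscoEvent]:
    """Return a CiscoEvent, or None when no %FAC-SEV-MNEMONIC header is present,
    e.g. a line that an upstream syslog parser has already truncated."""
    m = CISCO_LINE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    kv = {k.strip().lower(): v.strip() for k, v in BRACKET_KV.findall(g["message"])}
    return CiscoEvent(
        facility=g["facility"], severity=int(g["severity"]), mnemonic=g["mnemonic"],
        message=g["message"], fields=kv, timestamp=g["ts"],
        pri=int(g["pri"]) if g["pri"] else None,
        seq=int(g["seq"]) if g["seq"] else None,
    )

# Constructed samples: a full line as a device would send it, and the fragment
# Graylog displayed in the thread once the header had been lost.
FULL_LINE = ("<189>1234: *May 25 09:37:43.123 CDT: %SEC_LOGIN-5-LOGIN_SUCCESS: "
             "Login Success [user: rlcadm] [Source: X.X.X.X] [localport: 22] "
             "at 09:37:43 CDT Wed May 25 2016")
TRUNCATED_LINE = "22] at 09:36:18 CDT Wed May 25 2016"
```

A parse result of None on lines that still arrive with the fragment is the signal that the input, not the extractor, is dropping the header, which is why the thread's advice is a Raw/Plaintext input rather than a Syslog input.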
