It shouldn't be missing, just parsed.  When you search, do you see the hostname 
in a separate field?  In your Syslog Input there should be an option to keep 
original message, so then there will be a separate intact copy included. If you 
don't want the syslog to parse at all you could change to a RAW Input, but then 
you'd lose the indexing performance advantage for searching on syslog datetime 
and hostname.


> On Jan 18, 2017, at 2:53 AM, Li Li <[email protected]> wrote:
> 
> Hi Jochen,
> 
> Thanks for your reply! We were sending our firewall logs directly to graylog 
> through the syslog protocol, and the messages received do contain the date and 
> the hostname; I wonder why? We are now trying to redesign our log solution. We 
> decided to use syslog-ng as a centralized hub to receive logs from different 
> devices, then relay to graylog and flume, etc. It was at this point that we 
> discovered the messages in graylog were no longer containing the date and 
> hostname....
> 
> Thanks,
> -Li
> 
>> On Saturday, January 14, 2017 at 4:39:23 AM UTC-6, Jochen Schalanda wrote:
>> Hi Li,
>> 
>> Graylog is parsing syslog messages according to the syslog protocol 
>> standard(s), so it will not repeat the date and the hostname on the start of 
>> each syslog message but fill the "timestamp" and "source" message fields 
>> accordingly.
>> 
>> Also see 
>> https://github.com/Graylog2/graylog-guide-syslog-linux/blob/master/README.md#syslog-ng
>>  for configuration instructions for syslog-ng.
>> 
>> Cheers,
>> Jochen
>> 
>>> On Friday, 13 January 2017 18:15:40 UTC+1, Li Li wrote:
>>> Hi, all,
>>> 
>>> A portion of the logs received from syslog-ng is missing; for example, the 
>>> log entries expected are:
>>> 
>>> Jan 12 17:04:22 Lab-PA5020.lab.hsc.net.ou.edu 1,2017/01/12 
>>> 17:04:21,0011C102743,TRAFFIC,start,1........
>>> 
>>> But in graylog, "Jan 12 17:04:22 Lab-PA5020.lab.hsc.net.ou.edu 
>>> 1,2017/01/12" is missing, logs seen in graylog start with 
>>> "17:04:21,0011C102743,TRAFFIC,start,1........"
>>> 
>>> When I have graylog writing to a file, the logs appear to be correct, i.e., 
>>> nothing is missing.
>>> 
>>> My syslog-ng version is 3.7.3, graylog version is 2.0.3. 
>>> 
>>> Can anyone give some suggestions? Your help would be greatly appreciated!
>>> 
>>> Thanks,
>>> -Li
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Graylog Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/graylog2/94b9926b-4ed2-4fbc-a18e-0a5e2918f403%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

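Added illustration of the parsing behaviour the thread describes (this is an editor's example, not Graylog's or syslog-ng's code): a minimal RFC 3164 (BSD) syslog parser fills "timestamp" and "source" from the header, treats the first whitespace-delimited token of the remainder as the program TAG, and keeps an intact copy when asked to. The PAN-OS line and hostname are the ones quoted in the thread; the `<14>` priority prefix is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the firewall line quoted in the thread, wrapped in a BSD
# syslog header as a relay would emit it. <14> = facility 1 (user), severity 6.
SAMPLE = ("<14>Jan 12 17:04:22 Lab-PA5020.lab.hsc.net.ou.edu "
          "1,2017/01/12 17:04:21,0011C102743,TRAFFIC,start,1")

# <PRI>Mmm dd hh:mm:ss HOSTNAME <rest>   (RFC 3164 header layout)
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<source>\S+) "
    r"(?P<rest>.*)$", re.S)


@dataclass
class ParsedSyslog:
    facility: int
    level: int
    timestamp: str          # header date, lands in the "timestamp" field
    source: str             # header hostname, lands in the "source" field
    application_name: str   # BSD TAG: first token of the remainder
    message: str            # what is left, i.e. what the search view shows
    full_message: Optional[str]  # intact copy when "keep original" is on


def parse_bsd_syslog(line: str, keep_original: bool = False) -> ParsedSyslog:
    """Split a BSD syslog line into fields the way a header-aware input does."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 3164 syslog line")
    pri = int(m["pri"])
    # A CSV body such as PAN-OS traffic logs carries no TAG, so the first
    # field "1,2017/01/12" is consumed as the program name and the visible
    # message begins at "17:04:21,...", exactly the symptom in the thread.
    tag, _, body = m["rest"].partition(" ")
    return ParsedSyslog(facility=pri >> 3, level=pri & 7,
                        timestamp=m["timestamp"], source=m["source"],
                        application_name=tag, message=body,
                        full_message=line if keep_original else None)


def reassemble(p: ParsedSyslog) -> str:
    """Rebuild the wire line from the parsed fields: nothing was dropped."""
    pri = (p.facility << 3) | p.level
    return f"<{pri}>{p.timestamp} {p.source} {p.application_name} {p.message}"
```

Because the prefix is only redistributed into fields, `reassemble` returns the original line byte for byte; for forensic work, though, keeping the original message on the input is the simpler guarantee.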