Hi, Richard,

Thanks for taking your time to look at it! In Graylog, below is what my message looks like:

message 1,2017/01/13 16:58:30,0011C102743,TRAFFIC,end,1,2017/01/13 16:58:30,157.142.11.40,10.100.30.205,0.0.0.0,0.0.0.0,Allow all to Control,,,ping,vsys1,Untrust,Control,ethernet1/1,ethernet1/2.120,Flume,2017/01/13 16:58:30,34899,2,0,0,0,0,0x100019,icmp,allow,120,120,0,2,2017/01/13 16:58:20,0,any,0,1478205121,0x0,US,10.0.0.0-10.255.255.255,0,2,0,aged-out,0,0,0,0,,Lab-PA5020,from-policy

As you can see, the date and hostname are missing. When I have syslog-ng write to a local file, the date and hostname existed.

Thanks,
-Li

On Tuesday, January 17, 2017 at 7:51:02 PM UTC-6, Richard S. Westmoreland wrote:
>
> It shouldn't be missing, just parsed. When you search, do you see the hostname in a separate field? In your Syslog Input there should be an option to keep the original message, so then there will be a separate intact copy included. If you don't want the syslog to parse at all you could change to a RAW Input, but then you'd lose the indexing performance advantage for searching on syslog datetime and hostname.
>
> On Jan 18, 2017, at 2:53 AM, Li Li <[email protected]> wrote:
>
> Hi Jochen,
>
> Thanks for your reply! We were sending our firewall logs directly to Graylog through the syslog protocol and the messages received do contain the date and the hostname, I wonder why? We are now trying to redesign our log solution; we decided to use syslog-ng as a centralized hub to receive logs from different devices, then relay to Graylog and Flume, etc. It was at this point that we discovered the messages in Graylog were no longer containing the date and hostname....
>
> Thanks,
> -Li
>
> On Saturday, January 14, 2017 at 4:39:23 AM UTC-6, Jochen Schalanda wrote:
>>
>> Hi Li,
>>
>> Graylog is parsing syslog messages according to the syslog protocol standard(s), so it will not repeat the date and the hostname at the start of each syslog message but fill the "timestamp" and "source" message fields accordingly.
>>
>> Also see https://github.com/Graylog2/graylog-guide-syslog-linux/blob/master/README.md#syslog-ng for configuration instructions for syslog-ng.
>>
>> Cheers,
>> Jochen
>>
>> On Friday, 13 January 2017 18:15:40 UTC+1, Li Li wrote:
>>>
>>> Hi, all,
>>>
>>> A portion of logs received from syslog-ng is missing, for example, log entries expected are:
>>>
>>> Jan 12 17:04:22 Lab-PA5020.lab.hsc.net.ou.edu 1,2017/01/12 17:04:21,0011C102743,TRAFFIC,start,1........
>>>
>>> But in Graylog, "Jan 12 17:04:22 Lab-PA5020.lab.hsc.net.ou.edu 1,2017/01/12" is missing; logs seen in Graylog start with "17:04:21,0011C102743,TRAFFIC,start,1........"
>>>
>>> When I have Graylog writing to a file, the logs appear to be correct, i.e., nothing is missing.
>>>
>>> My syslog-ng version is 3.7.3, Graylog version is 2.0.3.
>>>
>>> Can anyone give some suggestions? Your help would be greatly appreciated!
>>>
>>> Thanks,
>>> -Li
>>>
>> --
> You received this message because you are subscribed to the Google Groups "Graylog Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/94b9926b-4ed2-4fbc-a18e-0a5e2918f403%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
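As an added illustration of Jochen's and Richard's point (example code, not from the thread and not Graylog's own parser): a small BSD-syslog splitter that does what a syslog input does, moving the header into "timestamp" and "source" while "message" keeps the firewall's CSV body intact and "full_message" keeps the untouched line. The sample line is constructed from the one in Li's first post, with an assumed PRI prefix of <14>.

```python
import csv
import re
from datetime import datetime

# Constructed sample based on the line in the original post, with the
# RFC 3164 PRI prefix (<14> = facility user, severity info) that a relay
# such as syslog-ng sends in front of the timestamp and hostname.
SAMPLE = ("<14>Jan 12 17:04:22 Lab-PA5020.lab.hsc.net.ou.edu "
          "1,2017/01/12 17:04:21,0011C102743,TRAFFIC,start,1")

# Optional PRI, BSD timestamp ("Jan  2" or "Jan 12"), hostname, rest.
HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)

def parse_bsd_syslog(line, year=2017):
    """Split one syslog line into the fields a syslog input stores.

    Date and hostname are not dropped: they move to "timestamp" and
    "source", "message" keeps everything after the header, and the raw
    line survives as "full_message" (the "keep original message" option).
    A line with no parseable header is stored whole, never truncated.
    """
    m = HEADER.match(line)
    if not m:
        return {"timestamp": None, "source": None,
                "message": line, "full_message": line}
    pri = int(m.group("pri")) if m.group("pri") else 13  # 13 = user.notice
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "timestamp": ts,
        "source": m.group("host"),
        "facility": pri // 8,
        "level": pri % 8,
        "message": m.group("msg"),
        "full_message": line,
    }

def pan_fields(message):
    """Split the PAN-OS comma-separated body into its columns."""
    return next(csv.reader([message]))

if __name__ == "__main__":
    rec = parse_bsd_syslog(SAMPLE)
    print(rec["timestamp"], rec["source"], rec["message"])
    print(pan_fields(rec["message"])[3:5])  # ['TRAFFIC', 'start']
```

Searching on the parsed "source" and "timestamp" fields is what a RAW input gives up; comparing "full_message" with "message" is a quick way to confirm that only the header was consumed and no body columns were lost.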
