Can you paste your filter, destination and log statement for sending to graylog?


> On Jan 18, 2017, at 11:52 AM, Li Li <[email protected]> wrote:
> 
> Hi, Richard,
> 
> Thanks for taking the time to look at it! In graylog, below is how my 
> message looks:
> 
> message
> 1,2017/01/13 16:58:30,0011C102743,TRAFFIC,end,1,2017/01/13 
> 16:58:30,157.142.11.40,10.100.30.205,0.0.0.0,0.0.0.0,Allow all to 
> Control,,,ping,vsys1,Untrust,Control,ethernet1/1,ethernet1/2.120,Flume,2017/01/13
>  16:58:30,34899,2,0,0,0,0,0x100019,icmp,allow,120,120,0,2,2017/01/13 
> 16:58:20,0,any,0,1478205121,0x0,US,10.0.0.0-10.255.255.255,0,2,0,aged-out,0,0,0,0,,Lab-PA5020,from-policy
> 
> As you can see, the date and hostname are missing. When I have syslog-ng 
> write to a local file, the date and hostname are there.
> 
> Thanks,
> -Li
> 
>> On Tuesday, January 17, 2017 at 7:51:02 PM UTC-6, Richard S. Westmoreland 
>> wrote:
>> It shouldn't be missing, just parsed.  When you search, do you see the 
>> hostname in a separate field?  In your Syslog Input there should be an 
>> option to keep original message, so then there will be a separate intact 
>> copy included. If you don't want the syslog to parse at all you could change 
>> to a RAW Input, but then you'd lose the indexing performance advantage for 
>> searching on syslog datetime and hostname.
>> 
>> 
>>> On Jan 18, 2017, at 2:53 AM, Li Li <[email protected]> wrote:
>>> 
>>> Hi Jochen,
>>> 
>>> Thanks for your reply! We were sending our firewall logs directly to 
>>> graylog through the syslog protocol and the messages received do contain the 
>>> date and the hostname, I wonder why. We are now trying to redesign our log 
>>> solution; we decided to use syslog-ng as a centralized hub to receive logs 
>>> from different devices, then relay to graylog and flume, etc. It was at 
>>> this point that we discovered the messages in graylog no longer 
>>> contained the date and hostname....
>>> 
>>> Thanks,
>>> -Li
>>> 
>>>> On Saturday, January 14, 2017 at 4:39:23 AM UTC-6, Jochen Schalanda wrote:
>>>> Hi Li,
>>>> 
>>>> Graylog is parsing syslog messages according to the syslog protocol 
>>>> standard(s), so it will not repeat the date and the hostname at the start 
>>>> of each syslog message but fill the "timestamp" and "source" message 
>>>> fields accordingly.
>>>> 
>>>> Also see 
>>>> https://github.com/Graylog2/graylog-guide-syslog-linux/blob/master/README.md#syslog-ng
>>>>  for configuration instructions for syslog-ng.
>>>> 
>>>> Cheers,
>>>> Jochen
>>>> 
>>>>> On Friday, 13 January 2017 18:15:40 UTC+1, Li Li wrote:
>>>>> Hi, all,
>>>>> 
>>>>> A portion of the logs received from syslog-ng is missing; for example, the log 
>>>>> entries expected are:
>>>>> 
>>>>> Jan 12 17:04:22 Lab-PA5020.lab.hsc.net.ou.edu 1,2017/01/12 
>>>>> 17:04:21,0011C102743,TRAFFIC,start,1........
>>>>> 
>>>>> But in graylog, "Jan 12 17:04:22 Lab-PA5020.lab.hsc.net.ou.edu 
>>>>> 1,2017/01/12" is missing, logs seen in graylog start with 
>>>>> "17:04:21,0011C102743,TRAFFIC,start,1........"
>>>>> 
>>>>> When I have graylog writing to a file, the logs appear to be correct, i.e., 
>>>>> nothing is missing.
>>>>> 
>>>>> My syslog-ng version is 3.7.3, graylog version is 2.0.3. 
>>>>> 
>>>>> Can anyone give some suggestions? Your help would be greatly appreciated!
>>>>> 
>>>>> Thanks,
>>>>> -Li
>>> 
>>> -- 
>>> You received this message because you are subscribed to the Google Groups 
>>> "Graylog Users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an 
>>> email to [email protected].
>>> To view this discussion on the web visit 
>>> https://groups.google.com/d/msgid/graylog2/94b9926b-4ed2-4fbc-a18e-0a5e2918f403%40googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
> 

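Added example, not code from this thread or from Graylog: a minimal BSD syslog (RFC 3164) header parser that mirrors the point made above, that a syslog input splits the "Jan 12 17:04:22 Lab-PA5020..." header into timestamp and source fields rather than dropping it, and that a line arriving without any header (what a relay template that forwards only the message body would produce) can be detected. The `<14>` priority prefix and the header-less line are constructed values.

```python
import re
from datetime import datetime

# Regex for the RFC 3164 header: optional <PRI>, "Mmm dd hh:mm:ss", hostname.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                                 # optional <PRI>
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "    # Jan 12 17:04:22
    r"(?P<host>\S+) "                                           # hostname
    r"(?P<msg>.*)$",
    re.DOTALL,
)

# Sample input constructed from the line quoted in the thread; the <14> priority
# (facility 1 = user, severity 6 = info) is an assumed value, not from the page.
WITH_HEADER = ("<14>Jan 12 17:04:22 Lab-PA5020.lab.hsc.net.ou.edu "
               "1,2017/01/12 17:04:21,0011C102743,TRAFFIC,start,1")
# Constructed: what a relay that forwards only the message body would emit.
NO_HEADER = "17:04:21,0011C102743,TRAFFIC,start,1"


def parse_syslog(line, year=2017):
    """Split a BSD syslog line into the fields a syslog input would populate.

    BSD timestamps carry no year, so the caller supplies one. A line without
    a parseable header is kept whole in "message" with source=None, so a relay
    that strips the header becomes visible instead of silently losing data.
    """
    m = HEADER_RE.match(line)
    if not m:
        return {"timestamp": None, "source": None, "facility": None,
                "level": None, "message": line}
    pri = int(m.group("pri")) if m.group("pri") is not None else None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "timestamp": ts,
        "source": m.group("host"),
        "facility": pri // 8 if pri is not None else None,  # PRI = fac*8 + sev
        "level": pri % 8 if pri is not None else None,
        "message": m.group("msg"),  # the PAN-OS CSV record, header removed
    }


def headerless_lines(lines):
    """Return the lines that arrived without a syslog header (relay check)."""
    return [ln for ln in lines if parse_syslog(ln)["source"] is None]


if __name__ == "__main__":
    for ln in (WITH_HEADER, NO_HEADER):
        print(parse_syslog(ln))
    print("lines missing header:", headerless_lines([WITH_HEADER, NO_HEADER]))
```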