Re: [graylog2] Logs from Cisco ASA with bad "source" field

2015-03-03 Thread Peter Loron
Roberto, you will need to have the device(s) send their logs to the new 
port instead of 10514. That way only the data that needs the extra parsing 
will be processed by the extractor.

Cisco devices -->  (or whatever)
All other Syslog --> 10514

-Pete

On Friday, February 27, 2015 at 11:17:25 AM UTC-8, roberto...@gmail.com 
wrote:
>
> Dear Bernd, thanks for your helpful response, but now I have a new
> question.
>
> I have a Graylog2 server with just one INPUT "Syslog UDP" listening on 
> port UDP/10514, and the tutorial said I have to create another INPUT "Raw" 
> suppose listening on port UDP/.
>
> How can I connect the raw input with the syslog input ??? I got lost...
>
> Thanks in advance,
>
> Roberto
>

-- 
You received this message because you are subscribed to the Google Groups 
"graylog2" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [graylog2] Logs from Cisco ASA with bad "source" field

2015-03-02 Thread robertocarna36
Bernd, thanks a lot for your help...

Now I understand what you tell me, but just a comment:

When I created the new Syslog UDP INPUT, I checked the "rDNS resolution"
option. Because I don't have an internal DNS configured for reverse
resolution in my Graylog server, the source fields now are just IPs and
not hostnames; this is better than having trash in the source field.

I think this solution is good, but I'll try what you suggest.

Thanks a lot,

Roberto

On Monday, 2 March 2015, 13:02:16 (UTC-3), Bernd Ahlers wrote:
>
> Roberto, 
>
> ah, okay. Sorry, I didn't know that you have other machines reporting 
> via Syslog. Then you should create the Syslog input again. Make sure 
> that the Syslog and Raw input are not listening on the same port! So 
> you either have to change the port on your Cisco ASA or on your 
> Windows machines.
>
> Regarding syslog-ng: You can install syslog-ng and forward the Cisco 
> ASA messages via that one. But then you have to pre-process the 
> messages in syslog-ng. Otherwise the same messages would arrive in 
> Graylog. 
>
> Regards, 
> Bernd 
>

Re: [graylog2] Logs from Cisco ASA with bad "source" field

2015-03-02 Thread Bernd Ahlers
Roberto,

ah, okay. Sorry, I didn't know that you have other machines reporting
via Syslog. Then you should create the Syslog input again. Make sure
that the Syslog and Raw input are not listening on the same port! So
you either have to change the port on your Cisco ASA or on your
Windows machines.

Regarding syslog-ng: You can install syslog-ng and forward the Cisco
ASA messages via that one. But then you have to pre-process the
messages in syslog-ng. Otherwise the same messages would arrive in
Graylog.

Regards,
Bernd

On 2 March 2015 at 16:47,   wrote:
> Bernd, I've created a Raw INPUT as you said but after that all the sources
> from Windows servers are bad.
>
> So maybe I can correct the Cisco servers logs but I buy a new problem with my
> Windows servers.
>
> Is there any universal solution? Maybe like Alejandro says, installing just
> a syslog-ng for Cisco servers and forward the logs after that to Graylog??
>
> Thanks again,
>
> Roberto
>




Re: [graylog2] Logs from Cisco ASA with bad "source" field

2015-03-02 Thread robertocarna36
Bernd, I've created a Raw INPUT as you said but after that all the sources 
from Windows servers are bad. 

So maybe I can correct the Cisco servers logs but I buy a new problem with
my Windows servers.

Is there any universal solution? Maybe like Alejandro says, installing
just a syslog-ng for Cisco servers and forward the logs after that to
Graylog??

Thanks again,

Roberto

On Monday, 2 March 2015, 7:58:30 (UTC-3), Bernd Ahlers wrote:
>
> Roberto, 
>
> you replace the Syslog input with a Raw input. The extractors are 
> applied to the Raw input to parse the logs then. 
> In your setup, remove the Syslog input and start a Raw input on the 
> same port. Then add the extractors as described in the blog post I 
> sent you earlier. 
>
> Regards, 
> Bernd 
>



Re: [graylog2] Logs from Cisco ASA with bad "source" field

2015-03-02 Thread Alejandro Cabrera Obed
Bernd, is it possible to implement a syslog-ng on another server, receive
the Cisco ASA logs and finally forward them to the Graylog2 server???

Because I read in the Graylog docs that this may be a solution too

Regards,

Roberto

On Monday, 2 March 2015, 7:58:30 (UTC-3), Bernd Ahlers wrote:
>
> Roberto, 
>
> you replace the Syslog input with a Raw input. The extractors are 
> applied to the Raw input to parse the logs then. 
> In your setup, remove the Syslog input and start a Raw input on the 
> same port. Then add the extractors as described in the blog post I 
> sent you earlier. 
>
> Regards, 
> Bernd 
>



Re: [graylog2] Logs from Cisco ASA with bad "source" field

2015-03-02 Thread Bernd Ahlers
Roberto,

you replace the Syslog input with a Raw input. The extractors are
applied to the Raw input to parse the logs then.
In your setup, remove the Syslog input and start a Raw input on the
same port. Then add the extractors as described in the blog post I
sent you earlier.

Regards,
Bernd

On 27 February 2015 at 20:17,   wrote:
> Dear Bernd, thanks for your helpful response, but now I have a new
> question.
>
> I have a Graylog2 server with just one INPUT "Syslog UDP" listening on port
> UDP/10514, and the tutorial said I have to create another INPUT "Raw"
> suppose listening on port UDP/.
>
> How can I connect the raw input with the syslog input ??? I got lost...
>
> Thanks in advance,
>
> Roberto
>



-- 
Developer

Tel.: +49 (0)40 609 452 077
Fax.: +49 (0)40 609 452 078

TORCH GmbH - A Graylog company
Steckelhörn 11
20457 Hamburg
Germany

Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
Geschäftsführer: Lennart Koopmann (CEO)



Re: [graylog2] Logs from Cisco ASA with bad "source" field

2015-02-27 Thread robertocarna36
Dear Bernd, thanks for your helpful response, but now I have a new
question.

I have a Graylog2 server with just one INPUT "Syslog UDP" listening on port 
UDP/10514, and the tutorial said I have to create another INPUT "Raw" 
suppose listening on port UDP/.

How can I connect the raw input with the syslog input ??? I got lost...

Thanks in advance,

Roberto

On Friday, 27 February 2015, 13:57:08 (UTC-3), Bernd Ahlers wrote:
>
> Roberto, 
>
> the Cisco ASA does not send valid Syslog, unfortunately. You have to 
> create a "Raw" input and create extractors. 
>
> There is a blog post about this here: 
> http://spottedhyena.co.uk/2015/01/graylog2-cisco-asa-cisco-catalyst/ 
>
> Hope that helps! 
>
> Regards, 
> Bernd 
>



Re: [graylog2] Logs from Cisco ASA with bad "source" field

2015-02-27 Thread Bernd Ahlers
Roberto,

the Cisco ASA does not send valid Syslog, unfortunately. You have to
create a "Raw" input and create extractors.

There is a blog post about this here:
http://spottedhyena.co.uk/2015/01/graylog2-cisco-asa-cisco-catalyst/

Hope that helps!

Regards,
Bernd

On 27 February 2015 at 15:57,   wrote:
> Dear, I have a Graylog2 version 0.20.6 as our syslog server of our company.
>
> I defined an INPUT "Syslog UDP" running on port UDP/10514, and after that we
> point several Windows and Linux servers to the Graylog2 with no problems.
>
> But in the case of the Cisco ASA firewalls, we have a problem because the
> source sometimes matches something like:
>
> :%ASA-session-6-302013:
>
> In the Cisco ASAs I set up:
>
> logging enable
> logging emblem
> logging trap informational
> logging history debugging
> logging asdm debugging
> logging device-id hostname
> logging host inside_Frontend 10.1.1.1 format emblem
>
> I want to have the original hostname in the "source" field, so what can I
> do???
>
> Regards,
>
> Roberto
>






[graylog2] Logs from Cisco ASA with bad "source" field

2015-02-27 Thread robertocarna36
Dear, I have a Graylog2 version 0.20.6 as our syslog server of our company.

I defined an INPUT "Syslog UDP" running on port UDP/10514, and after that 
we point several Windows and Linux servers to the Graylog2 with no problems.

But in the case of the Cisco ASA firewalls, we have a problem because the 
source sometimes matches something like:

:%ASA-session-6-302013:

In the Cisco ASAs I set up:

logging enable
logging emblem
logging trap informational
logging history debugging
logging asdm debugging
logging device-id hostname
logging host inside_Frontend 10.1.1.1 format emblem

I want to have the original hostname in the "source" field, so what can I 
do??? 

Regards,

Roberto

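The extraction step the thread ends up recommending (a Raw input whose extractors pull the device hostname and the %ASA tag out of the EMBLEM-formatted line, with the sender's IP as the fallback when no usable hostname is present) as an added Python example; it is not code from the thread, from Graylog or from the blog post linked above. The sample lines, the `fw-inside` hostname, the sender address 10.1.1.254 and the exact EMBLEM layout assumed here (PRI, optional timestamp, optional device-id, then `:%ASA-<class>-<level>-<msgid>:`) are constructed assumptions, and `naive_source` is a simplified model of a generic RFC 3164 header parse, not Graylog's actual Syslog input. The function names (`extract_asa`, `process_lines`, `valid_hostname`) are this example's own:

```python
"""Field extraction for Cisco ASA EMBLEM-format syslog lines.

Added example for this thread. The sample lines below are constructed; the
EMBLEM layout assumed here (PRI, optional timestamp, optional device-id
hostname, then ':%ASA-<class>-<level>-<msgid>: text') is an assumption and
not a capture from the poster's firewall.
"""
import re
from typing import Dict, List, Optional

SENDER_IP = "10.1.1.254"  # assumed UDP source address of the firewall

# Constructed sample input; the third line deliberately lacks the device-id,
# the fourth is a non-ASA line that must be left to the normal syslog parser.
SAMPLE_LINES = [
    "<166>Mar 02 2015 13:02:16 fw-inside :%ASA-session-6-302013: Built inbound TCP "
    "connection 123 for outside:203.0.113.10/44321 (203.0.113.10/44321) to "
    "inside:10.1.1.50/443 (10.1.1.50/443)",
    '<164>Mar 02 2015 13:02:17 fw-inside :%ASA-session-4-106023: Deny tcp src '
    'outside:203.0.113.10/44322 dst inside:10.1.1.50/22 by access-group "outside_in"',
    "<166>Mar 02 2015 13:02:18 :%ASA-session-6-302013: Built inbound TCP connection "
    "124 for outside:203.0.113.11/50000 (203.0.113.11/50000) to inside:10.1.1.50/443 "
    "(10.1.1.50/443)",
    "<13>Mar 02 2015 13:02:19 winsrv01 MSWinEventLog 1 Security 4624 Logon succeeded",
]

# "Mon DD HH:MM:SS", optionally with a four-digit year as the ASA emits it.
TIMESTAMP = r"[A-Z][a-z]{2}\s+\d{1,2}(?:\s+\d{4})?\s+\d{2}:\d{2}:\d{2}"

ASA_EMBLEM_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"               # syslog PRI
    r"(?:(?P<ts>" + TIMESTAMP + r")\s+)?"     # optional timestamp
    r"(?:(?P<host>[^\s:]+)\s*)?"             # optional device-id hostname
    r":?%ASA-(?:(?P<cls>[a-z]+)-)?(?P<level>[0-7])-(?P<msgid>\d{6}):\s*"
    r"(?P<text>.*)$"
)

# Only hostname-shaped tokens (RFC 1123 labels joined by dots) may reach the
# 'source' field; a fragment such as ':%ASA-session-6-302013:' is rejected.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def valid_hostname(token: Optional[str]) -> bool:
    return bool(token) and HOSTNAME_RE.match(token) is not None


def naive_source(line: str) -> str:
    """Simplified model of a generic RFC 3164 header parse: drop the PRI and
    the timestamp and treat the next whitespace-delimited token as the host.
    When the device-id is absent this yields the EMBLEM tag, i.e. the junk
    'source' value quoted in the thread. Not Graylog's actual parser."""
    body = re.sub(r"^<\d{1,3}>", "", line)
    body = re.sub(r"^" + TIMESTAMP + r"\s+", "", body)
    return body.split(None, 1)[0] if body else ""


def extract_asa(line: str, sender_ip: str) -> Optional[Dict[str, object]]:
    """Raw-input style extractor. Returns None for lines that are not ASA
    EMBLEM messages so they can be handed to a normal syslog parser."""
    m = ASA_EMBLEM_RE.match(line)
    if not m:
        return None
    host = m.group("host")
    from_message = valid_hostname(host)
    fields: Dict[str, object] = {
        # Fall back to the sender address when the message carries no usable
        # hostname; an IP in 'source' is the behaviour Roberto reports seeing.
        "source": host if from_message else sender_ip,
        "source_from_message": from_message,
        "asa_class": m.group("cls"),
        "asa_level": int(m.group("level")),
        "asa_msgid": m.group("msgid"),
        "message": m.group("text"),
    }
    if m.group("pri") is not None:
        pri = int(m.group("pri"))
        fields["facility"] = pri >> 3   # PRI = facility * 8 + severity
        fields["severity"] = pri & 7
    return fields


def process_lines(lines: List[str], sender_ip: str) -> List[Dict[str, object]]:
    """Run the extractor over a batch; non-ASA lines are skipped."""
    out = []
    for line in lines:
        fields = extract_asa(line, sender_ip)
        if fields is not None:
            out.append(fields)
    return out


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        fields = extract_asa(line, SENDER_IP)
        got = fields["source"] if fields else "(not ASA, left to syslog parser)"
        print(f"naive source={naive_source(line)!r:28} extractor source={got!r}")
```

The check in `valid_hostname` is the part worth keeping even if the regex for the message body changes: nothing that is not hostname-shaped can land in `source`, so if an extractor pattern ever slips the field degrades to the sender address rather than to a message fragment, and attribution of firewall events in searches and alerts stays trustworthy. Splitting the firewalls onto their own input port, as Pete suggests, is what keeps this extractor from ever seeing the Windows and Linux lines at all.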