Roberto,

you replace the Syslog input with a Raw input. The extractors are
applied to the Raw input to parse the logs then.
In your setup, remove the Syslog input and start a Raw input on the
same port. Then add the extractors as described in the blog post I
sent you earlier.

Regards,
Bernd

On 27 February 2015 at 20:17,  <robertocarn...@gmail.com> wrote:
> Dear Bernd, thanks for your helpful response... but now I have a new
> question.
>
> I have a Graylog2 server with just one INPUT "Syslog UDP" listening on port
> UDP/10514, and the tutorial said I have to create another INPUT "Raw"
> suppose listening on port UDP/5555.
>
> How can I connect the raw input with the syslog input ??? I got lost...
>
> Thanks in advance,
>
> Roberto
>
> On Friday, 27 February 2015, 13:57:08 (UTC-3), Bernd Ahlers wrote:
>>
>> Roberto,
>>
>> the Cisco ASA does not send valid Syslog, unfortunately. You have to
>> create a "Raw" input and create extractors.
>>
>> There is a blog post about this here:
>> http://spottedhyena.co.uk/2015/01/graylog2-cisco-asa-cisco-catalyst/
>>
>> Hope that helps!
>>
>> Regards,
>> Bernd
>>
>> On 27 February 2015 at 15:57,  <roberto...@gmail.com> wrote:
>> > Dear, I have a Graylog2 version 0.20.6 as our syslog server of our company.
>> >
>> > I defined an INPUT "Syslog UDP" running on port UDP/10514, and after that we
>> > point several Windows and Linux servers to the Graylog2 with no problems.
>> >
>> > But in the case of the Cisco ASA firewalls, we have a problem because the
>> > source sometimes matches something like:
>> >
>> > :%ASA-session-6-302013:
>> >
>> > In the Cisco ASAs I set up:
>> >
>> > logging enable
>> > logging emblem
>> > logging trap informational
>> > logging history debugging
>> > logging asdm debugging
>> > logging device-id hostname
>> > logging host inside_Frontend 10.1.1.1 format emblem
>> >
>> > I want to have the original hostname in the "source" field, so what can I
>> > do???
>> >
>> > Regards,
>> >
>> > Roberto
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "graylog2" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to graylog2+u...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
>>
>>
>>
>> --
>> Developer
>>
>> Tel.: +49 (0)40 609 452 077
>> Fax.: +49 (0)40 609 452 078
>>
>> TORCH GmbH - A Graylog company
>> Steckelhörn 11
>> 20457 Hamburg
>> Germany
>>
>> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
>> Managing Director: Lennart Koopmann (CEO)
>


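The kind of parsing a regex extractor on a Raw input performs for the ASA lines discussed in this thread, as an added example that is not from the thread or the linked blog post. The line layout, the sample datagrams, the sender address and the field names other than `source` are assumptions constructed for illustration; the pattern falls back to the sender address when no hostname precedes the `%ASA` tag, so the tag itself never ends up as the source.

```python
import re

# Assumed line layout (constructed for this example): optional <PRI> and
# timestamp, then the device-id hostname, then ":" and the %ASA tag.
ASA_TAG = re.compile(
    r"(?:(?P<host>[A-Za-z0-9][A-Za-z0-9_.-]*)\s*)?:\s*"
    r"%ASA-(?:(?P<cls>[a-z]+)-)?(?P<sev>[0-7])-(?P<msgid>\d+):\s*(?P<msg>.*)"
)


def extract_asa(raw, sender):
    """Return extracted fields for one raw ASA datagram, or None if no %ASA tag."""
    m = ASA_TAG.search(raw)
    if m is None:
        return None  # not an ASA message; leave it to other extractors
    host = m.group("host")
    if host is None or host.isdigit():
        # No device-id in front of the tag (or only a timestamp fragment):
        # keep the sender address instead of a piece of the message.
        host = sender
    return {
        "source": host,
        "asa_class": m.group("cls"),          # e.g. "session" with EMBLEM format
        "asa_severity": int(m.group("sev")),
        "asa_message_id": m.group("msgid"),
        "message": m.group("msg"),
    }


# Constructed sample datagrams, each with a hypothetical sender address.
SAMPLES = [
    ("<166>Feb 27 2015 15:57:08 fw-edge-01 : %ASA-session-6-302013: "
     "Built outbound TCP connection 4711 for outside:203.0.113.10/443", "10.1.1.254"),
    ("<166>:%ASA-session-6-302013: Built outbound TCP connection 4712", "10.1.1.254"),
    ("<164>Feb 27 2015 15:57:09 fw-edge-01 : %ASA-4-106023: "
     "Deny tcp src outside:198.51.100.7/51515 dst inside:10.1.1.20/22", "10.1.1.254"),
    ("<13>Feb 27 15:57:10 linuxbox sshd[1234]: Accepted publickey for admin", "10.1.1.20"),
]

if __name__ == "__main__":
    for raw, sender in SAMPLES:
        print(extract_asa(raw, sender))
```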