Bernd, is it possible to implement a syslog-ng on another server, receive the Cisco ASA logs and finally forward them to the Graylog2 server?
Because I read in the Graylog docs that this may be a solution too....

Regards,
Roberto

On Monday, March 2, 2015, 7:58:30 (UTC-3), Bernd Ahlers wrote:
>
> Roberto,
>
> you replace the Syslog input with a Raw input. The extractors are
> applied to the Raw input to parse the logs then.
> In your setup, remove the Syslog input and start a Raw input on the
> same port. Then add the extractors as described in the blog post I
> sent you earlier.
>
> Regards,
> Bernd
>
> On 27 February 2015 at 20:17, <roberto...@gmail.com> wrote:
> > Dear Bernd, thanks for your helpful response....but now I have a new
> > question.
> >
> > I have a Graylog2 server with just one INPUT "Syslog UDP" listening on
> > port UDP/10514, and the tutorial said I have to create another INPUT "Raw"
> > supposedly listening on port UDP/5555.
> >
> > How can I connect the raw input with the syslog input? I got lost...
> >
> > Thanks in advance,
> >
> > Roberto
> >
> > On Friday, February 27, 2015, 13:57:08 (UTC-3), Bernd Ahlers wrote:
> >>
> >> Roberto,
> >>
> >> the Cisco ASA does not send valid Syslog, unfortunately. You have to
> >> create a "Raw" input and create extractors.
> >>
> >> There is a blog post about this here:
> >> http://spottedhyena.co.uk/2015/01/graylog2-cisco-asa-cisco-catalyst/
> >>
> >> Hope that helps!
> >>
> >> Regards,
> >> Bernd
> >>
> >> On 27 February 2015 at 15:57, <roberto...@gmail.com> wrote:
> >> > Dear, I have a Graylog2 version 0.20.6 as the syslog server of our
> >> > company.
> >> >
> >> > I defined an INPUT "Syslog UDP" running on port UDP/10514, and after
> >> > that we pointed several Windows and Linux servers to the Graylog2 with no
> >> > problems.
> >> >
> >> > But in the case of the Cisco ASA firewalls, we have a problem because
> >> > the source sometimes matches something like:
> >> >
> >> > :%ASA-session-6-302013:
> >> >
> >> > On the Cisco ASAs I set up:
> >> >
> >> > logging enable
> >> > logging emblem
> >> > logging trap informational
> >> > logging history debugging
> >> > logging asdm debugging
> >> > logging device-id hostname
> >> > logging host inside_Frontend 10.1.1.1 format emblem
> >> >
> >> > I want to have the original hostname in the "source" field, so what can
> >> > I do?
> >> >
> >> > Regards,
> >> >
> >> > Roberto
> >> >
> >> > --
> >> > You received this message because you are subscribed to the Google
> >> > Groups "graylog2" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send
> >> > an email to graylog2+u...@googlegroups.com.
> >> > For more options, visit https://groups.google.com/d/optout.
> >>
> >> --
> >> Developer
> >>
> >> Tel.: +49 (0)40 609 452 077
> >> Fax.: +49 (0)40 609 452 078
> >>
> >> TORCH GmbH - A Graylog company
> >> Steckelhörn 11
> >> 20457 Hamburg
> >> Germany
> >>
> >> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
> >> Geschäftsführer: Lennart Koopmann (CEO)
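The parsing problem the thread is about, as an added example that is not from the thread, from Graylog or from the linked blog post: a small Python extractor that pulls the device-id hostname, the syslog PRI and the ASA message ID out of an ASA line, so that the hostname can populate "source" instead of the `:%ASA-session-6-302013:` token the stock syslog parser picked up. The two line shapes it accepts (EMBLEM timestamp with year, optional `host :` prefix from `logging device-id hostname`) and the sample lines are constructed assumptions, and the regex is the kind of pattern a regex extractor on a Graylog Raw input would need.

```python
import re
from typing import Optional

# Assumed line shapes (not taken from the thread):
#   <PRI>Mmm dd yyyy hh:mm:ss host : %ASA-[class-]sev-msgid: text   (logging device-id hostname)
#   <PRI>Mmm dd yyyy hh:mm:ss: %ASA-[class-]sev-msgid: text         (no device-id)
# The hostname is optional so a line without it still parses and falls back to the sender IP.
ASA_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                                    # syslog PRI, if present
    r"(?:(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{4} \d\d:\d\d:\d\d)\s?)?"   # EMBLEM timestamp with year
    r"(?:(?P<host>[\w.-]+)\s*)?"                                    # device-id hostname
    r":?\s*%ASA-(?:(?P<cls>[a-z]+)-)?(?P<sev>\d)-(?P<msgid>\d{6}):\s*"
    r"(?P<text>.*)$"
)

# Constructed sample lines, not real captures.
SAMPLE_WITH_HOST = ("<166>Feb 27 2015 15:57:08 fw-inside : %ASA-session-6-302013: Built outbound TCP "
                    "connection 48213 for outside:203.0.113.5/443 (203.0.113.5/443) "
                    "to inside:10.1.1.20/51234 (10.1.1.20/51234)")
SAMPLE_NO_HOST = ("<166>Feb 27 2015 15:57:08: %ASA-session-6-302014: Teardown TCP connection 48213 "
                  "for outside:203.0.113.5/443 to inside:10.1.1.20/51234 duration 0:00:02 bytes 5120 TCP FINs")


def parse_asa(line: str, sender_ip: str) -> Optional[dict]:
    """Return the fields an extractor would store, or None if the line is not an ASA message."""
    m = ASA_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"]) if m["pri"] else None
    return {
        "source": m["host"] or sender_ip,          # the field the thread wants: real hostname, else sender
        "timestamp": m["ts"],
        "facility": pri // 8 if pri is not None else None,
        "syslog_severity": pri % 8 if pri is not None else None,
        "asa_class": m["cls"],                      # e.g. "session"; None for the plain %ASA-6-302013 form
        "asa_severity": int(m["sev"]),
        "asa_message_id": m["msgid"],               # stable key for dashboards and alert rules
        "message": m["text"],
    }


if __name__ == "__main__":
    for line in (SAMPLE_WITH_HOST, SAMPLE_NO_HOST):
        print(parse_asa(line, sender_ip="10.1.1.250"))
```

Because the PRI (166 = local4, informational) and the `%ASA-…-6-…` level are parsed separately, a mismatch between them is easy to spot when validating a new device's output.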