Hi, Richard,

Thanks for taking the time to look at it! In Graylog, below is how my 
message looks:

message:
1,2017/01/13 16:58:30,0011C102743,TRAFFIC,end,1,2017/01/13 16:58:30,157.142.11.40,10.100.30.205,0.0.0.0,0.0.0.0,Allow all to Control,,,ping,vsys1,Untrust,Control,ethernet1/1,ethernet1/2.120,Flume,2017/01/13 16:58:30,34899,2,0,0,0,0,0x100019,icmp,allow,120,120,0,2,2017/01/13 16:58:20,0,any,0,1478205121,0x0,US,10.0.0.0-10.255.255.255,0,2,0,aged-out,0,0,0,0,,Lab-PA5020,from-policy

As you can see, the date and hostname are missing. When I have syslog-ng 
write to a local file, the date and hostname are present.

Thanks,
-Li

On Tuesday, January 17, 2017 at 7:51:02 PM UTC-6, Richard S. Westmoreland 
wrote:
>
> It shouldn't be missing, just parsed.  When you search, do you see the 
> hostname in a separate field?  In your Syslog Input there should be an 
> option to keep original message, so then there will be a separate intact 
> copy included. If you don't want the syslog to parse at all you could 
> change to a RAW Input, but then you'd lose the indexing performance 
> advantage for searching on syslog datetime and hostname.
>
>
> On Jan 18, 2017, at 2:53 AM, Li Li <lit...@gmail.com> wrote:
>
> Hi Jochen,
>
> Thanks for your reply! We were sending our firewall logs directly to 
> Graylog through the syslog protocol, and the messages received do contain the 
> date and the hostname; I wonder why? We are now trying to redesign our log 
> solution. We decided to use syslog-ng as a centralized hub to receive logs 
> from different devices, then relay to Graylog and Flume, etc. It was at 
> this point that we discovered the messages in Graylog no longer 
> contained the date and hostname....
>
> Thanks,
> -Li
>
> On Saturday, January 14, 2017 at 4:39:23 AM UTC-6, Jochen Schalanda wrote:
>>
>> Hi Li,
>>
>> Graylog is parsing syslog messages according to the syslog protocol 
>> standard(s), so it will not repeat the date and the hostname on the start 
>> of each syslog message but fill the "timestamp" and "source" message fields 
>> accordingly.
>>
>> Also see 
>> https://github.com/Graylog2/graylog-guide-syslog-linux/blob/master/README.md#syslog-ng
>>  
>> for configuration instructions for syslog-ng.
>>
>> Cheers,
>> Jochen
>>
>> On Friday, 13 January 2017 18:15:40 UTC+1, Li Li wrote:
>>>
>>> Hi, all,
>>>
>>> A portion of the logs received from syslog-ng is missing. For example, the log 
>>> entries expected are:
>>>
>>> Jan 12 17:04:22 Lab-PA5020.lab.hsc.net.ou.edu 1,2017/01/12 
>>> 17:04:21,0011C102743,TRAFFIC,start,1........
>>>
>>> But in Graylog, "Jan 12 17:04:22 Lab-PA5020.lab.hsc.net.ou.edu 
>>> 1,2017/01/12" is missing; the logs seen in Graylog start with 
>>> "17:04:21,0011C102743,TRAFFIC,start,1........"
>>>
>>> When I have Graylog writing to a file, the logs appear to be correct, 
>>> i.e., nothing is missing.
>>>
>>> My syslog-ng version is 3.7.3, graylog version is 2.0.3. 
>>>
>>> Can anyone give some suggestions? Your help would be greatly appreciated!
>>>
>>> Thanks,
>>> -Li
>>>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/641a8713-2022-4eb1-97bf-a3123f3e8ffc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
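To make Jochen's and Richard's point concrete, here is an added example (not code from this thread, from Graylog or from syslog-ng) that splits the line Li quoted the way a structured syslog input does. The header (timestamp and hostname) goes into separate fields and only the remainder becomes `message`, so the data is moved, not lost; a `store_full_message` flag keeps an intact copy, mirroring the "keep original message" option Richard mentions (the field name `full_message` is this example's choice). The sample lines are constructed from the thread; the `<14>` PRI on the wire-format sample (facility user, severity info) and the assumption that the second comma-separated field of the PAN-OS record is the firewall's own receive time are not from the thread.

```python
import csv
import re
from datetime import datetime

# Constructed samples for this example. FILE_LINE is the line quoted in the
# thread as syslog-ng writes it to a file (no PRI). WIRE_LINE prepends a "<14>"
# PRI (assumption: facility user=1, severity info=6) as it would appear on UDP/TCP.
FILE_LINE = (
    "Jan 12 17:04:22 Lab-PA5020.lab.hsc.net.ou.edu "
    "1,2017/01/12 17:04:21,0011C102743,TRAFFIC,start,1,2017/01/12 17:04:21,"
    "157.142.11.40,10.100.30.205,0.0.0.0,0.0.0.0,Allow all to Control,,,ping"
)
WIRE_LINE = "<14>" + FILE_LINE

# RFC 3164 (BSD syslog) header: optional PRI, then TIMESTAMP "Mmm dd hh:mm:ss"
# (day may be space-padded), then HOSTNAME; everything after that is the MSG part.
_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.S,
)


def parse_syslog(line, year=2017, store_full_message=False):
    """Split one BSD-syslog line into structured fields.

    `year` must be supplied because an RFC 3164 timestamp carries none.
    A line without a recognisable header is kept whole in `message` with
    `source` left unset, rather than being dropped.
    """
    rec = {"timestamp": None, "source": None, "facility": None,
           "level": None, "message": line}
    m = _HEADER.match(line)
    if m:
        if m.group("pri") is not None:
            # PRI = facility * 8 + severity
            rec["facility"], rec["level"] = divmod(int(m.group("pri")), 8)
        rec["timestamp"] = datetime.strptime(
            f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        rec["source"] = m.group("host")
        rec["message"] = m.group("msg")
    if store_full_message:
        # Hypothetical field name; keeps the untouched line alongside the parsed fields.
        rec["full_message"] = line
    return rec


def pan_receive_time(message):
    """Return the firewall's own timestamp from the comma-separated PAN-OS record.

    Assumption (not from the thread): field index 1 of the record is the
    receive time in "YYYY/MM/DD hh:mm:ss" form. This is distinct from the
    syslog header timestamp that the relay stamped on the line.
    """
    fields = next(csv.reader([message]))
    return datetime.strptime(fields[1], "%Y/%m/%d %H:%M:%S")


if __name__ == "__main__":
    for line in (FILE_LINE, WIRE_LINE, "17:04:21,0011C102743,TRAFFIC,start"):
        rec = parse_syslog(line, store_full_message=True)
        print(rec["timestamp"], rec["source"], rec["facility"], rec["level"])
        print("  message:", rec["message"][:60])
```

Running it on the file-style line yields `timestamp` 2017-01-12 17:04:22 and `source` Lab-PA5020.lab.hsc.net.ou.edu, with `message` beginning `1,2017/01/12 17:04:21,...`; the firewall's receive time (17:04:21) inside the body is one second earlier than the relay's header timestamp, which is why both are worth keeping as separate fields. This parser does not try to peel an RFC 3164 TAG (program name) off the front of the body; a parser that does could take the first whitespace-delimited token, `1,2017/01/12`, as that tag, which would match what the first post shows, but whether that is what happened in Li's setup is not established in the thread.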
