Hello Thomas,

Can you look at https://groups.google.com/d/msgid/graylog2/40d8e21b-09d8-4028-b728-b3612e82233b%40googlegroups.com?utm_medium=email&utm_source=footer - looks like the same parsing issue.

Could you also send a few raw logs as an attachment, so that I can look at 
them clearly? The message structure above looks different from what I've 
seen in the Cisco docs.

Regards,

On Friday, 2 September 2016 05:11:09 UTC+2, Thomas wrote:
>
> Community
>
> I have created a new extractor using the following
> https://marketplace.graylog.org/addons/90396261-812c-4fa8-ad8f-a17771c9f8e0
>
> I am receiving syslog messages from my Cisco equipment, however the 
> "source" field in GrayLog contains more than just the name of the source 
> field.
> It includes date information as well.
>
>
> I'll give you an example
>
> Syslog message from my Cisco 4507 switch
>
> 9/1/2016 3:07 AM : C4K_REDUNDANCY-5-CONFIGSYNC  215: 4507-HOSTNAME: .Sep 1 03:07:14 EST-DST: %C4K_REDUNDANCY-5-CONFIGSYNC: The startup-config has been successfully synchronized to the standby supervisor
>
> The source field in GrayLog is as follows
>
> 215: 4507-HOSTNAME: .Sep 1 03:07:14 EST-DST:
>
> Messages from my Cisco ASA5500 have the following source field
> Sep 01 2016 22:58:05 5500-FW1 :
>
>
> RegEx for the source field is as follows, which is unchanged from the 
> extractor
>
>
> "regex_value": ">(.+?)%"
>
> Any suggestion as to how this can be resolved such that only the host name is 
> included in the source field?
>
>
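To make the parsing issue in the quoted question concrete, here is an added example (not part of the thread or the marketplace extractor) that runs the quoted `>(.+?)%` pattern and a tighter alternative over constructed copies of the two message formats. The `<PRI>` prefixes, the ASA message body and the alternative regex are assumptions; Graylog's regex extractor stores the first capture group, so the alternative deliberately uses a single group.

```python
import re

# Constructed raw syslog lines modelled on the two formats quoted in the
# thread. The <189>/<166> PRI prefixes and the ASA message text are assumed;
# the thread only shows the fields Graylog extracted from them.
IOS_MSG = ("<189>215: 4507-HOSTNAME: .Sep 1 03:07:14 EST-DST: "
           "%C4K_REDUNDANCY-5-CONFIGSYNC: The startup-config has been "
           "successfully synchronized to the standby supervisor")
ASA_MSG = ("<166>Sep 01 2016 22:58:05 5500-FW1 : "
           "%ASA-6-302013: Built outbound TCP connection (constructed)")

# The extractor's pattern as quoted: everything from the PRI's '>' up to the
# first '%'. On IOS that span holds the sequence number, host and timestamp,
# on the ASA it holds the timestamp and host, which is exactly the symptom.
ORIGINAL_SOURCE_RE = re.compile(r">(.+?)%")

# Assumed alternative: anchor on the PRI, skip the format-specific prefix
# (IOS sequence number or ASA timestamp) and capture only the host token.
# One capture group, so it can be dropped into a Graylog regex extractor.
HOSTNAME_RE = re.compile(
    r"^<\d{1,3}>"                                    # syslog PRI
    r"(?:\d+: "                                      # IOS sequence number, or
    r"|[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2} "  # ASA timestamp
    r")?"
    r"([^\s:]+) ?: "                                 # host, then ':' or ' :'
)


def extract_source(msg, pattern=ORIGINAL_SOURCE_RE):
    """Return what the quoted extractor regex would store as 'source'."""
    m = pattern.search(msg)
    return m.group(1).strip() if m else None


def extract_hostname(msg):
    """Return only the host name, or None if the line fits neither format."""
    m = HOSTNAME_RE.match(msg)
    return m.group(1) if m else None


if __name__ == "__main__":
    for line in (IOS_MSG, ASA_MSG):
        print("original :", extract_source(line))
        print("hostname :", extract_hostname(line))
```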
