Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

The syslog parser analyzes the logs badly #125

Closed arugifa closed 10 years ago

arugifa commented 11 years ago

Hi,

I have a problem with the syslog parser. For example, with the following log:

<46>Mar 20 15:22:38 host_srv01 rsyslogd: [origin software="rsyslogd" swVersion="4.6.4" x-pid="8767" x-info="http://www.rsyslog.com";] (re)start

graylog2-web-interface displays "Mar" as the host source of the log (so it displays the name of the month instead of the host name).

But when I activate the DNS lookup (RDNS) in graylog2-server, graylog2-web-interface displays the correct host name "host_srv01".

I don't know how graylog2 finds the host source of the log (log analysis or retrieval from the source IP of the TCP/UDP datagram).

Looking at the source code, in SyslogProcessor.java, I see:

if (remoteAddress == null) {
    remoteAddress = InetAddress.getLocalHost();
}

So theoretically, in the worst case graylog2 should use the IP of localhost. Maybe the problem is in SyslogDispatcher.java (a wrong IP address is sent to SyslogProcessor.java?):

InetSocketAddress remoteAddress = (InetSocketAddress) e.getRemoteAddress();
...
this.processor.messageReceived(new String(readable), remoteAddress.getAddress());

Thanks. Best Regards.

jalogisch commented 11 years ago

+1, ran into this error too ... fixed it by using logstash in the middle and sending gelf messages via amqp to graylog (I need this for other logfiles, so nothing new for me) ...

lennartkoopmann commented 11 years ago

Looking into this, thanks.

arugifa commented 11 years ago

It seems to be a problem with the parseHost() function in SyslogProcessor.java. This function returns msg.getHost(), and so the problem is not specific to graylog2-server but to syslog4j (org.productivity.java.syslog4j.server.SyslogServerEventIF).

But if we replace "return msg.getHost()" by "return remoteAddress.getHostAddress()", the problem is solved :)
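A minimal RFC 3164 header parser, added here as an example and not code from graylog2-server or syslog4j, that reproduces why taking the token after the PRI yields "Mar" for the log in the first post and implements the fall-back to the transport's remote address proposed in this comment. The function and field names, the `trust_header` flag and the second sample line are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample with the same shape as the rsyslogd line reported in the issue.
SAMPLE = ('<46>Mar 20 15:22:38 host_srv01 rsyslogd: [origin software="rsyslogd" '
          'swVersion="4.6.4" x-pid="8767" x-info="http://www.rsyslog.com"] (re)start')

# RFC 3164 header: <PRI>, "Mmm dd hh:mm:ss", an optional HOSTNAME, then TAG[PID]: MSG.
# HOSTNAME is optional because many senders omit it; that is exactly the case where a
# parser must not grab whatever token comes next and must fall back to the peer address.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) '
    r'(?:(?P<host>[^\s:\[]+) )?'          # a hostname token carries no ':' or '['
    r'(?P<tag>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: ?'
    r'(?P<msg>.*)$')

@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    host: Optional[str]   # as claimed by the sender; None when the field was omitted
    tag: str
    pid: Optional[str]
    msg: str

def naive_host(line: str) -> str:
    """Reproduce the misparse: the token right after <PRI> is the month, not the host."""
    return line.split(' ', 1)[0].split('>', 1)[1]

def parse_rfc3164(line: str) -> SyslogEvent:
    """Split the header into its fields; raises ValueError for non-RFC 3164 input."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError('not an RFC 3164 message: %r' % line)
    pri = int(m.group('pri'))   # PRI = facility * 8 + severity
    return SyslogEvent(pri >> 3, pri & 7, m.group('ts'), m.group('host'),
                       m.group('tag'), m.group('pid'), m.group('msg'))

def source_for(event: SyslogEvent, remote_addr: str, trust_header: bool = False) -> str:
    """Pick the value stored as the event's source. remote_addr is set by the UDP/TCP
    transport and cannot be rewritten inside the message body, so it is preferred; the
    header hostname is sender-controlled and only wins when trust_header is set."""
    if trust_header and event.host:
        return event.host
    return remote_addr or event.host or 'unknown'
```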

kroepke commented 11 years ago

We will address this in the syslog parser rewrite. I'll add your example as a test case.

huksley commented 11 years ago

FYI: The same issue exists in the 0.11.0 build. I encounter the process name with PID instead of the host name.

littletiti commented 11 years ago

Hi,

The problem is present in the last version :( in 0.12

Found a solution: in rsyslog :+1:

$template GRAYLOG2,"<%PRI%>1 %timegenerated:::date-rfc3339% %HOSTNAME% %syslogtag% - %APP-NAME%: %msg:::drop-last-lf%\n"
$ActionForwardDefaultTemplate GRAYLOG2

lennartkoopmann commented 10 years ago

This can be solved in v0.20.0 using the newly introduced extractors!

piesu commented 8 years ago

I just encountered this issue in graylog 2.0.0-beta.1. Shouldn't source by default have the IP instead of trying to extract it from the syslog msg?