Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

rfc 3164 syslog messages dropped in syslog input #2374

Closed profhase closed 8 years ago

profhase commented 8 years ago

Problem description

When sending a valid RFC 3164 message to a TCP syslog input, the message is being dropped.

Steps to reproduce the problem

  1. Create a TCP syslog input
  2. Send a message (this is taken as an example of a valid message here: https://tools.ietf.org/html/rfc5234):
     echo "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8" | nc -v logserver.mylogserver 12218
  3. The message is not there

Environment

  • Graylog Version: 2.0.1-2
  • Elasticsearch Version: 2
  • MongoDB Version: 3
  • Operating System: graylog2/server:2.0.1-2 Docker container
  • Browser version: Firefox 45

joschi commented 8 years ago

@profhase While the syslog parser in Graylog is failing for some examples from RFC 3164, the specific example you've chosen is not among them (see e3249f8f3b297ecdf40783e9d7e7008dcc930deb).

Please take note that the example message does not contain a timezone and thus Graylog expects it to be UTC. So maybe the message is simply not within the time frame you've been searching in (could also be "the future", depending on which timezone you and the Graylog server are in).
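
The timezone point above is easy to miss when searching for a "missing" message, so here is an added Python example (not Graylog's parser, and not code from this issue) that parses the RFC 3164 example message, interprets its zone-less timestamp the way a receiver assuming UTC would, and shows how far that lands from the real event time when the sender wrote local time in another zone. The sample line, the year (RFC 3164 timestamps carry none), the sender/receiver offsets and the search-window size are all constructed assumptions for the demonstration.

```python
"""Added example, not Graylog's code: why an RFC 3164 message whose
timestamp has no timezone can end up "in the future" on the receiver.

RFC 3164 TIMESTAMP looks like "Oct 11 22:14:15": no year and no zone, so
the receiver has to assume both.  If the receiver assumes UTC but the
sender wrote local time in a zone ahead of UTC (say UTC+2), the stored
timestamp is 2 hours later than the real event, so a "last 5 minutes"
search will not find the message until 2 hours have passed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the RFC 3164 example quoted in the issue.
SAMPLE = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"

# PRI, TIMESTAMP (day may be space-padded, e.g. "Oct  5"), HOSTNAME, MSG.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)


def parse_rfc3164(line, year, assume_tz=timezone.utc):
    """Parse PRI/TIMESTAMP/HOSTNAME/MSG; return a dict, or None if the line
    does not match.  `year` and `assume_tz` must be supplied by the caller
    because the wire format carries neither."""
    m = RFC3164_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    naive = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "facility": pri >> 3,      # PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": naive.replace(tzinfo=assume_tz),
        "host": m.group("host"),
        "message": m.group("msg"),
    }


def skew_seconds(line, year, sender_utc_offset_hours, receiver_utc_offset_hours=0):
    """Seconds between the receiver's interpretation of the timestamp and the
    real event time.  Positive means the receiver places the event in the
    future; the default receiver assumption is UTC, as in the comment above."""
    sender_tz = timezone(timedelta(hours=sender_utc_offset_hours))
    receiver_tz = timezone(timedelta(hours=receiver_utc_offset_hours))
    real = parse_rfc3164(line, year, sender_tz)["timestamp"]
    stored = parse_rfc3164(line, year, receiver_tz)["timestamp"]
    return (stored - real).total_seconds()


def lands_in_window(line, year, sender_utc_offset_hours,
                    receiver_utc_offset_hours=0, window_minutes=5,
                    searched_after_seconds=60):
    """Simulate a search for "the last `window_minutes`" run
    `searched_after_seconds` after the real event.  True if the stored
    timestamp falls inside the window, i.e. the message would be found."""
    sender_tz = timezone(timedelta(hours=sender_utc_offset_hours))
    receiver_tz = timezone(timedelta(hours=receiver_utc_offset_hours))
    real = parse_rfc3164(line, year, sender_tz)["timestamp"]
    stored = parse_rfc3164(line, year, receiver_tz)["timestamp"]
    now = real + timedelta(seconds=searched_after_seconds)
    return now - timedelta(minutes=window_minutes) <= stored <= now


if __name__ == "__main__":
    parsed = parse_rfc3164(SAMPLE, 2016)
    print("facility", parsed["facility"], "severity", parsed["severity"])
    print("stored as", parsed["timestamp"].isoformat())
    for offset in (0, 2, -5):
        print(f"sender at UTC{offset:+d}: skew {skew_seconds(SAMPLE, 2016, offset):+.0f}s, "
              f"found in 5-minute window: {lands_in_window(SAMPLE, 2016, offset)}")
```

Running it shows the sample stored as 22:14:15 UTC regardless of where it was written: a sender two hours ahead of UTC yields a +7200 s skew and the message is missing from a "last 5 minutes" search, while telling the parser the sender's real offset (`receiver_utc_offset_hours=2`) makes the same message show up.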

profhase commented 8 years ago

Thank you, stupid me, the entries have indeed been in the future. It looks like RFC 3164 does not define a timezone (or at least the application is not capable of it). Is there a way to define the timezone for inputs/streams, or would I have to rewrite the message with Drools?