Closed kuroboshi closed 7 years ago
@kuroboshi Could you please provide a message like it comes in? It's unlikely that the parsing changed, but maybe the format has changed. Thanks!
Hello, This is the message I get:
facility: local7
from_syslog: true
level: 4
message: date=2016-11-21 - date=2016-11-21 time=13:02:16 devname=FG100D devid=FG100D logid=0316 type=utm subtype=webfilter eventtype=ftgd_blk level=warning vd="root" policyid=10 sessionid=254975250 user="" srcip=192.168.XX.XX srcport=52037 srcintf="VLAN1" dstip=85.116.XX.XX dstport=80 dstintf="VLAN2" proto=6 service=HTTP hostname="pr.a2dfp.net" profile="Filter_XX" action=blocked reqtype=referral url="/r/rckrux?usr=q07ewwvxu&" sentbyte=471 rcvdbyte=633 direction=outgoing msg="URL belongs to a denied category in policy" method=domain cat=17 catdesc="Advertising" crscore=20 crlevel=high
source: date=2016-11-21
timestamp: 2016-11-21T12:02:17.179Z
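The message above shows the mechanism behind the symptom: a FortiGate log line is a flat key=value record with no RFC 3164 header (no timestamp and hostname after the PRI), so a parser that treats the first whitespace-separated token as the host ends up with "date=2016-11-21" as the source, while the device name is actually carried in the devname field. The following is an added example, not code from Graylog or from the Fortigate content pack, that parses the posted line both ways. It uses the line exactly as posted (IPs masked as in the post); the "<188>" prefix is a constructed assumption (188 = facility local7, 23, times 8 plus severity 4, which matches the facility and level fields shown), and the function names and the simplified header_source stand-in are assumptions of this example, not a description of Graylog's parser.

```python
import re

# Sample input: the FortiGate line posted in the message field above, with IPs
# masked exactly as in the post. Nothing here is fabricated beyond the masking.
SAMPLE_LINE = (
    'date=2016-11-21 time=13:02:16 devname=FG100D devid=FG100D logid=0316 '
    'type=utm subtype=webfilter eventtype=ftgd_blk level=warning vd="root" '
    'policyid=10 sessionid=254975250 user="" srcip=192.168.XX.XX srcport=52037 '
    'srcintf="VLAN1" dstip=85.116.XX.XX dstport=80 dstintf="VLAN2" proto=6 '
    'service=HTTP hostname="pr.a2dfp.net" profile="Filter_XX" action=blocked '
    'reqtype=referral url="/r/rckrux?usr=q07ewwvxu&" sentbyte=471 rcvdbyte=633 '
    'direction=outgoing msg="URL belongs to a denied category in policy" '
    'method=domain cat=17 catdesc="Advertising" crscore=20 crlevel=high'
)

# Constructed assumption: the line as it would arrive over syslog/UDP with a
# PRI prefix. 188 = local7 (23) * 8 + warning (4), matching facility/level above.
SAMPLE_SYSLOG = "<188>" + SAMPLE_LINE

PRI_RE = re.compile(r'^<(\d{1,3})>')
# key=value pairs; values are either a double-quoted string (quotes and spaces
# allowed inside, backslash escapes honoured) or a run of non-whitespace.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def split_pri(raw):
    """Return (facility, severity, rest). Without a <PRI> prefix: (None, None, raw)."""
    m = PRI_RE.match(raw)
    if not m:
        return None, None, raw
    pri = int(m.group(1))
    return pri // 8, pri % 8, raw[m.end():]


def header_source(rest):
    """Simplified stand-in (an assumption of this example, not Graylog's code)
    for a header-oriented syslog parser: after the PRI, RFC 3164 expects
    TIMESTAMP HOSTNAME MSG. A FortiGate line has no such header, so taking the
    first token as the host yields 'date=2016-11-21', the symptom in this issue."""
    return rest.split(None, 1)[0]


def parse_fortigate(rest):
    """Parse the FortiGate key=value body into a dict, stripping value quotes."""
    fields = {}
    for key, value in KV_RE.findall(rest):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def fortigate_source(fields):
    """The source the reporter expects: the device name, falling back to devid."""
    return fields.get("devname") or fields.get("devid")


def process(raw):
    """Full pipeline: PRI split, key=value parse, and both source candidates."""
    facility, severity, rest = split_pri(raw)
    fields = parse_fortigate(rest)
    return {
        "facility": facility,
        "level": severity,
        "naive_source": header_source(rest),
        "source": fortigate_source(fields),
        "fields": fields,
    }


if __name__ == "__main__":
    result = process(SAMPLE_SYSLOG)
    print("header-based source:", result["naive_source"])
    print("devname source:     ", result["source"])
    print("facility/level:     ", result["facility"], result["level"])
```

Running it prints the two competing source values side by side ("date=2016-11-21" versus "FG100D"), which is the difference between feeding the line to a generic syslog input and to an input whose extractors understand the key=value body. The quoted-value handling matters for fields such as msg and url, which contain spaces and an "=" respectively and would be split incorrectly by a plain split on whitespace or "=".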
@kuroboshi Please enable "Store full message?" in your syslog input(s) and post the contents of the full_message field.
I found the problem. This came from the input of the appliance "appliance-syslog-udp", which was started, and not the Fortigate input "FortiGate Syslog UDP". They cannot be started together. Thank you for your support.
After the update to Graylog v2.1.2, the source name has changed. Now it's the date instead of the name of the Fortigate.
Expected Behavior
Graylog must return the name of the fortigate as the source
Current Behavior
Graylog returns the current date as the source
Possible Solution
Steps to Reproduce (for bugs)
Upgrade to 2.1.2
Context
I use Fortigate_Content_Pack https://github.com/juiceman84/Fortigate_Content_Pack
Your Environment