Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

Source name of my fortigate changed after update to 2.1.2 #3089

Closed kuroboshi closed 7 years ago

kuroboshi commented 7 years ago

After the update to Graylog v2.1.2, the source name has changed. Now it's the date instead of the name of the Fortigate.

Expected Behavior

Graylog must return the name of the fortigate as the source

Current Behavior

Graylog returns the current date as the source

Possible Solution

Steps to Reproduce (for bugs)

Upgrade to 2.1.2

Context

I use Fortigate_Content_Pack https://github.com/juiceman84/Fortigate_Content_Pack

Your Environment

kroepke commented 7 years ago

@kuroboshi Could you please provide a message like it comes in? It's unlikely that the parsing changed, but maybe the format has changed. Thanks!

kuroboshi commented 7 years ago

Hello, this is the message I get:

facility: local7
from_syslog: true
level: 4
message: date=2016-11-21 - date=2016-11-21 time=13:02:16 devname=FG100D devid=FG100D logid=0316 type=utm subtype=webfilter eventtype=ftgd_blk level=warning vd="root" policyid=10 sessionid=254975250 user="" srcip=192.168.XX.XX srcport=52037 srcintf="VLAN1" dstip=85.116.XX.XX dstport=80 dstintf="VLAN2" proto=6 service=HTTP hostname="pr.a2dfp.net" profile="Filter_XX" action=blocked reqtype=referral url="/r/rckrux?usr=q07ewwvxu&" sentbyte=471 rcvdbyte=633 direction=outgoing msg="URL belongs to a denied category in policy" method=domain cat=17 catdesc="Advertising" crscore=20 crlevel=high
source: date=2016-11-21
timestamp: 2016-11-21T12:02:17.179Z

joschi commented 7 years ago

@kuroboshi Please enable "Store full message?" in your syslog input(s) and post the contents of the full_message field.

kuroboshi commented 7 years ago

I found the problem. This came from the input of the appliance "appliance-syslog-udp", which was started, and not the Fortigate input "FortiGate Syslog UDP". They cannot be started together. Thank you for your support.
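Added example, not part of the issue thread or of Graylog's code: a small Python parser for the FortiGate key=value line posted above. It shows why a generic syslog input that takes the first whitespace-delimited token as the host (an assumption about the generic parser, not a description of Graylog's implementation) yields source=date=2016-11-21, while a FortiGate-aware parser picks devname, and adds a check that flags messages whose source looks like a stray key=value token, so a misrouted input is caught early.

```python
import re

# Constructed sample: the message field from the thread, masked octets kept as posted.
SAMPLE = ('date=2016-11-21 time=13:02:16 devname=FG100D devid=FG100D logid=0316 '
          'type=utm subtype=webfilter eventtype=ftgd_blk level=warning vd="root" '
          'policyid=10 sessionid=254975250 user="" srcip=192.168.XX.XX srcport=52037 '
          'srcintf="VLAN1" dstip=85.116.XX.XX dstport=80 dstintf="VLAN2" proto=6 '
          'service=HTTP hostname="pr.a2dfp.net" profile="Filter_XX" action=blocked '
          'reqtype=referral url="/r/rckrux?usr=q07ewwvxu&" sentbyte=471 rcvdbyte=633 '
          'direction=outgoing msg="URL belongs to a denied category in policy" '
          'method=domain cat=17 catdesc="Advertising" crscore=20 crlevel=high')

# key=value where the value is either double-quoted (may contain spaces, '=' or '&')
# or a bare run of non-space characters; an empty quoted value ("") is kept as ''.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# A source that still looks like a FortiGate key=value token, e.g. "date=2016-11-21",
# is the symptom seen in the thread: the line went through a generic syslog input.
MISPARSED_SOURCE_RE = re.compile(r'^\w+=')


def parse_fortigate_kv(line):
    """Parse a FortiGate key=value log line into a dict with quotes stripped."""
    fields = {}
    for match in KV_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def fortigate_source(line):
    """Source as a FortiGate-aware parser derives it: the devname field."""
    return parse_fortigate_kv(line).get('devname')


def first_token_source(line):
    """Source as a naive host-is-first-token syslog parser would derive it
    (assumed generic behaviour, reproducing the symptom from the thread)."""
    return line.split(None, 1)[0]


def source_looks_misparsed(source):
    """True when the stored source is a key=value fragment rather than a device name."""
    return bool(MISPARSED_SOURCE_RE.match(source))


if __name__ == '__main__':
    print('FortiGate-aware source:', fortigate_source(SAMPLE))
    print('Generic first-token source:', first_token_source(SAMPLE))
    print('Misparsed?', source_looks_misparsed(first_token_source(SAMPLE)))
```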