Open joschi opened 7 years ago
Hello,
I'm experiencing the same problem, which quickly fills up the Elasticsearch index, slows down the system and then reaches the 1000-field limit.
Full message:
```
<182>date=2018-02-27 time=15:34:03 devname=REDACTED devid=REDACTED logid=1059028704 type=utm subtype=app-ctrl eventtype=app-ctrl-all level=information vd=root appid=15893 user="" srcip=192.168.0.186 srcport=55303 srcintf="internal" dstip=5.45.62.118 dstport=80 dstintf="wan1" profiletype="applist" proto=6 service="HTTP" policyid=1 sessionid=1589466 applist="default" appcat="Web.Client" app="HTTP.BROWSER" action=pass hostname="su.ff.avast.com" url="/R/A1MKIDQyOEZCMzlCNjJCMDRBNjJBRUIzOTY3ODI2ODJBQ0M2EgQAJQIYGK4BIgEBKgcIBBCwiNdcMgoIABDyitdcGIACOICAkGhIgICAgPr_____AQ==" msg="Web.Client: HTTP.BROWSER," apprisk=medium
```
Created field is:
```
A1MKIDQyOEZCMzlCNjJCMDRBNjJBRUIzOTY3ODI2ODJBQ0M2EgQAJQIYGK4BIgEBKgcIBBCwiNdcMgoIABDyitdcGIACOICAkGhIgICAgPr_____AQ=
```
I understand that the "=" makes Graylog believe it's a new field, but shouldn't the quotes inhibit this behavior?
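To make the failure mode concrete, here is an added example (not Graylog's or syslog4j-graylog2's own code) that runs a quote-unaware tokenizer and a quote-aware key=value parser over the FortiOS line quoted above. `parse_naive` is an illustrative stand-in for an extractor that treats every word followed by "=" as a key, so the base64 padding inside the quoted `url` value spawns a spurious field; the exact spurious name differs in detail from what Graylog produced, because this is not the extractor's real regex. `parse_kv` treats a quoted value as running to the closing quote, so the "=" inside it never starts a new field and the field count stays at 31 for this line.

```python
import re

# Constructed sample: the FortiOS syslog line from the post above. The url value
# is base64-like and ends in "==" padding, which is what triggers the problem.
SAMPLE = (
    '<182>date=2018-02-27 time=15:34:03 devname=REDACTED devid=REDACTED '
    'logid=1059028704 type=utm subtype=app-ctrl eventtype=app-ctrl-all '
    'level=information vd=root appid=15893 user="" srcip=192.168.0.186 '
    'srcport=55303 srcintf="internal" dstip=5.45.62.118 dstport=80 '
    'dstintf="wan1" profiletype="applist" proto=6 service="HTTP" policyid=1 '
    'sessionid=1589466 applist="default" appcat="Web.Client" app="HTTP.BROWSER" '
    'action=pass hostname="su.ff.avast.com" '
    'url="/R/A1MKIDQyOEZCMzlCNjJCMDRBNjJBRUIzOTY3ODI2ODJBQ0M2EgQAJQIYGK4BIgEBKgcIBBCwiNdcMgoIABDyitdcGIACOICAkGhIgICAgPr_____AQ==" '
    'msg="Web.Client: HTTP.BROWSER," apprisk=medium'
)

# Quote-unaware: any run of word characters directly followed by "=" is a key.
# Illustrative only; this is NOT the regex Graylog uses.
NAIVE_KV = re.compile(r'[A-Za-z0-9_]+=')

# Quote-aware: key, then either a double-quoted value (runs to the closing
# quote, may contain spaces and "=") or a bare value (runs to whitespace).
QUOTED_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# Optional syslog PRI prefix such as <182> in front of the first field.
SYSLOG_PRI = re.compile(r'<\d+>')


def parse_naive(line):
    """Treat every word followed by '=' as a key; the value is whatever sits
    between this '=' and the next key. Quotes are ignored, so a '=' inside a
    quoted value (here the base64 padding in url) creates a bogus field."""
    fields = {}
    matches = list(NAIVE_KV.finditer(line))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
        key = m.group(0)[:-1]          # drop the trailing '='
        fields[key] = line[m.end():end].strip()
    return fields


def parse_kv(line):
    """Quote-aware key=value parser. A quoted value is consumed up to the
    closing quote before the next key is looked for, so '=' characters inside
    it are part of the value, not a new field."""
    m = SYSLOG_PRI.match(line)
    if m:
        line = line[m.end():]
    fields = {}
    pos = 0
    while pos < len(line):
        m = QUOTED_KV.match(line, pos)
        if not m:
            # Not a key=value token; skip to the next whitespace-separated token.
            nxt = line.find(' ', pos)
            pos = len(line) if nxt == -1 else nxt + 1
            continue
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
        pos = m.end()
        while pos < len(line) and line[pos] == ' ':
            pos += 1
    return fields


def spurious_keys(line):
    """Keys the quote-unaware tokenizer invents that the quote-aware parser does
    not: these are the fields that would bloat the Elasticsearch mapping."""
    return sorted(set(parse_naive(line)) - set(parse_kv(line)))


if __name__ == '__main__':
    good = parse_kv(SAMPLE)
    print(len(good), 'fields with quote-aware parsing; url =', good['url'])
    print('spurious fields from quote-unaware parsing:', spurious_keys(SAMPLE))
```

A practical check against a live ingest pipeline is the same comparison: count the distinct field names an extractor produces per message and alert when a single message adds a key that looks like the tail of a value (long, high-entropy, never seen before), since each such key is one step closer to the 1000-field mapping limit.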
Hello,
Has there been a solution for this case? I'm also struggling to get this to work.
Issue still present in 5.1 release.
And the problem seems to be with the syslog4j-graylog2 code, which uses both a quoted and an unquoted pattern for fields.
The FortiOS syslog parser doesn't seem to handle key/value pairs with quotes correctly:
https://community.graylog.org/t/2-2-3-fortigate-parsing/1034