Open rcraig114 opened 8 years ago
Please test this change.
https://github.com/diegocanton/graylog-contentpack-cisco-catalyst/blob/master/content_pack.json
The original code does not correctly capture the message when it contains ":" (colon), as in your case.
I believe that its output was empty because the expression did not recognize the time at the end, since it considered ": " (colon and space)
I have installed this content pack in Graylog2; however, it seems not all of the syslog data in the message is being displayed. Please see below.
Example: I see this in Graylog: 22] at 09:36:18 CDT Wed May 25 2016
But it should be this: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rlcadm] [Source: X.X.X.X] [localport: 22] at 09:37:43 CDT Wed May 25 2016
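
As an added illustration (not code from the content pack or from either poster): a Python sketch showing how a greedy pattern yields exactly the truncated value reported above, next to an extractor anchored on the `%FACILITY-SEVERITY-MNEMONIC` tag that keeps the user and source fields of the login event. Both regexes, the header prefix on the sample line, and the function names are assumptions; the content pack's actual expression is not shown on this page.

```python
import re

# Constructed sample: the event text is the one quoted in the issue; the
# sequence number and header timestamp in front of it are assumed.
SAMPLE = (
    "000123: May 25 09:37:43: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: rlcadm] [Source: X.X.X.X] [localport: 22] "
    "at 09:37:43 CDT Wed May 25 2016"
)

# Hypothetical fragile extractor: the greedy ".*" backtracks only as far as the
# LAST ": " in the line, which here sits inside "[localport: 22]".
GREEDY = re.compile(r"^.*: (?P<message>.*)$")

# Anchored extractor: locate the %FACILITY-SEVERITY-MNEMONIC tag and keep
# everything after it, so colons inside the body no longer matter.
# The character classes are an assumption about tag syntax.
ANCHORED = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<message>.*)$"
)

# "[key: value]" pairs in the body, e.g. the login audit fields.
BRACKET_FIELD = re.compile(r"\[(\w+): ([^\]]+)\]")


def parse_greedy(line):
    m = GREEDY.match(line)
    return m.group("message") if m else None


def parse_anchored(line):
    m = ANCHORED.search(line)
    if m is None:
        return None  # not a tagged Cisco event; leave the raw message alone
    event = m.groupdict()
    event["full_message"] = m.group(0)
    event["fields"] = dict(BRACKET_FIELD.findall(event["message"]))
    return event


if __name__ == "__main__":
    print("greedy  :", parse_greedy(SAMPLE))
    event = parse_anchored(SAMPLE)
    print("anchored:", event["full_message"])
    print("fields  :", event["fields"])
```
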