wizecore / graylog2-output-syslog

Customizable, production ready syslog and ArcSight output plugin for Graylog
Apache License 2.0

Incorrect translation of facility codes from Graylog #35

Closed jgallucci32 closed 4 years ago

jgallucci32 commented 4 years ago

There seems to be an issue where the Facility code defaults to USER(1) and does not properly translate to what is stored in Graylog. I confirm that Graylog indexes the message with facility "security/authorization" but this does not translate when using the Syslog output (plain and structured tested).

Here is the raw message from rsyslogd

<86>Mar 23 19:22:10 myhostname sudo: pam_unix(sudo:session): session closed for user root

This message is indexed into Graylog, and then sent through an output using the 'plain format'

<14>Mar 23 19:22:10 myhostname security/authorization -  pam_unix(sudo:session): session closed for user root

As you can see from the outputs the original priority <86> (authpriv.info) has changed to <14> (user.info). This should be corrected to output the correct facility code to the message.

huksley commented 4 years ago

Hi @jgallucci32 sorry for not getting to this in time.

Do I understand you correctly? You are sending external Syslog messages to the Graylog Syslog input with specified facility code 84. After configuring the syslog output you are receiving those messages with a different facility code?

Could you help me generate Syslog messages with various facility codes? Preferably in a cross-platform fashion (Linux/macOS).

jgallucci32 commented 4 years ago

@huksley Yes that is correct. I have a Graylog Input configured for Syslog TCP listening on TCP/514. From my Linux client it is configured to send the messages using /etc/rsyslog.d/syslog.conf

*.* @@graylog.mydomain.local:514;RSYSLOG_SyslogProtocol23Format

When you log in/out of your Linux box it will generate an AUTHPRIV syslog message which has the code <86>. You will see this gets translated with the plugin when output to an external system as <14>. Let me know if you need more details to reproduce.

huksley commented 4 years ago

Added PR #38, but currently AUTH and AUTHPRIV are handled by the Graylog server itself as the same facility. This results in <86> being sent out as <38>. If you can control input messages, you can add a facility_num field to take priority over the literal facility field.

See https://github.com/Graylog2/graylog2-server/pull/8394 for details.
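The following is an added example, not code from this plugin or from Graylog. It covers two things raised above: a cross-platform (plain Python, no rsyslog needed) generator for one message per facility 0..23, which is what the request for "messages with various facility codes" asks for, and a checker that decodes the PRI header (PRI = facility * 8 + severity, RFC 5424 section 6.2.1) of an input line and of the line an output relay forwarded, so the <86> (authpriv.info) to <14> (user.info) change in the original report shows up as a mismatch, while the documented AUTH/AUTHPRIV collapse (<86> to <38>) is reported separately. The host/port, app name, timestamps and the `KNOWN_COLLAPSES` table are assumptions for illustration; the sample lines are the two from the report.

```python
"""Generate syslog probes for every facility and verify the PRI a relay forwards.
Added example for this issue; not part of graylog2-output-syslog or Graylog."""
import re
import socket
from typing import Dict, List, Tuple

# Facility and severity numbers from RFC 5424 section 6.2.1, rsyslog-style short
# names. Graylog labels both 4 (auth) and 10 (authpriv) "security/authorization".
FACILITIES: Dict[str, int] = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "audit": 13, "alert": 14, "clock": 15,
    **{f"local{i}": 16 + i for i in range(8)},
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
_PRI_RE = re.compile(r"^<(\d{1,3})>")

# Facilities a relay is known to fold together: {10: 4} is the AUTHPRIV->AUTH
# collapse described in this issue (assumption: nothing else is collapsed).
KNOWN_COLLAPSES = {10: 4}


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def decode_pri(pri: int) -> Tuple[int, int]:
    """Inverse of encode_pri: (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range 0..191")
    return divmod(pri, 8)


def parse_pri(line: str) -> int:
    """Extract the numeric PRI from a raw line such as '<86>Mar 23 ...'."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError(f"no PRI header in {line[:40]!r}")
    pri = int(m.group(1))
    decode_pri(pri)  # range check
    return pri


def describe_pri(pri: int) -> str:
    """Render a PRI as facility.severity, e.g. 86 -> 'authpriv.info'."""
    fac, sev = decode_pri(pri)
    return f"{FACILITY_NAMES[fac]}.{SEVERITIES[sev]}"


def build_rfc5424(facility: int, severity: int, host: str, app: str,
                  msg: str, ts: str) -> str:
    """RFC 5424 line, the shape RSYSLOG_SyslogProtocol23Format emits."""
    return f"<{encode_pri(facility, severity)}>1 {ts} {host} {app} - - - {msg}"


def generate_all_facilities(host: str = "testhost", app: str = "facility-probe",
                            severity: int = 6) -> List[str]:
    """One message per facility 0..23. The MSG names the facility it was sent
    with, so the receiving side can tell which facility a relay mangled."""
    out = []
    for name, fac in sorted(FACILITIES.items(), key=lambda kv: kv[1]):
        msg = f"facility probe: sent as {name}({fac}) pri={encode_pri(fac, severity)}"
        out.append(build_rfc5424(fac, severity, host, app, msg, "2020-03-23T19:22:10Z"))
    return out


def send_tcp(messages: List[str], host: str, port: int = 514) -> None:
    """Send newline-framed lines over TCP, as rsyslog's @@ target does by default."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall("".join(m + "\n" for m in messages).encode())


def check_forwarded(original: str, forwarded: str,
                    collapses: Dict[int, int] = KNOWN_COLLAPSES) -> str:
    """Compare the PRI of an input line with the PRI a relay forwarded.
    'ok' = identical, 'collapsed' = known facility merge with severity intact,
    'mismatch' = anything else (the <86> -> <14> case from this report)."""
    fac_in, sev_in = decode_pri(parse_pri(original))
    fac_out, sev_out = decode_pri(parse_pri(forwarded))
    if sev_in != sev_out:
        return "mismatch"
    if fac_in == fac_out:
        return "ok"
    if collapses.get(fac_in) == fac_out:
        return "collapsed"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample: the two lines from the report above.
    raw = "<86>Mar 23 19:22:10 myhostname sudo: pam_unix(sudo:session): session closed for user root"
    out = "<14>Mar 23 19:22:10 myhostname security/authorization -  pam_unix(sudo:session): session closed for user root"
    print(describe_pri(parse_pri(raw)), "->", describe_pri(parse_pri(out)), check_forwarded(raw, out))
    # To probe a real input: send_tcp(generate_all_facilities(), "graylog.mydomain.local")
```

To reproduce the report end to end, send `generate_all_facilities()` at the Graylog TCP input, capture what the plugin forwards (for example with `nc -l` on the output target), and run `check_forwarded` on each input/output pair; every facility except the 10 to 4 collapse should come back `ok`.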

huksley commented 4 years ago

Closing this, as everything except AUTH and AUTHPRIV should be handled correctly as per #38.

huksley commented 4 years ago

@jgallucci32 If this is still relevant for you, you might want to watch for the next 3.3.3 release of Graylog and retry your scenario with transparent output type. It should work as my PR with facility_num support was merged recently into Graylog master.