Closed jgallucci32 closed 4 years ago
Hi @jgallucci32 sorry for not getting to this in time.
Do I understand you correctly? You are sending external Syslog messages to a Graylog Syslog input with the specified facility code 84. After configuring the syslog output, you are receiving those messages with a different facility code?
Could you help me generate Syslog messages with various facility codes? Preferably in a cross-platform fashion (Linux/macOS).
@huksley Yes that is correct. I have a Graylog Input configured for Syslog TCP listening on TCP/514. From my Linux client it is configured to send the messages using /etc/rsyslog.d/syslog.conf
*.* @@graylog.mydomain.local:514;RSYSLOG_SyslogProtocol23Format
When you log in/out of your Linux box it will generate an AUTHPRIV syslog message which has the code <86>. You will see this gets translated with the plugin when output to an external system as <14>. Let me know if you need more details to reproduce.
Added PR #38, but currently AUTH and AUTHPRIV are handled by the Graylog server itself as the same facility. This results in <86> being sent out as <38>. If you can control input messages, you can add a facility_num field to take priority over the literal facility field.
See https://github.com/Graylog2/graylog2-server/pull/8394 for details.
Closing this as everything except AUTH and AUTHPRIV should be handled correctly as per #38
@jgallucci32 If this is still relevant for you, you might want to watch for the next 3.3.3 release of Graylog and retry your scenario with the transparent output type. It should work, as my PR with facility_num support was merged recently into Graylog master.
There seems to be an issue where the Facility code defaults to USER(1) and does not properly translate to what is stored in Graylog. I confirm that Graylog indexes the message with facility "security/authorization" but this does not translate when using the Syslog output (plain and structured tested).
Here is the raw message from rsyslogd
This message is indexed into Graylog, and then sent through an output using the 'plain format'
As you can see from the outputs, the original priority <86> (authpriv.info) has changed to <14> (user.info). This should be corrected to output the correct facility code in the message.
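Added illustration of the PRI arithmetic behind the <86>, <14> and <38> values discussed in this thread. This is not code from Graylog or from the syslog output plugin: it parses an RFC 5424 PRI header, then models the three output behaviours described above (default to USER, map the indexed label back, honour a numeric facility_num field). The sample message is constructed; the Graylog field names, the label table and the order in which an ambiguous label is resolved are assumptions made for the demo.

```python
"""Syslog PRI round-trip: why <86> (authpriv.info) came back as <14> or <38>.

Illustration written for this thread, not Graylog or plugin code. The
Graylog-side behaviour is modelled from what the thread states; the label
table, field names and lookup order are assumptions.
"""
import re

# RFC 5424 section 6.2.1 facility codes. Both 4 and 10 are listed there as
# "security/authorization messages"; auth/authpriv are the BSD syslog.h names.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>")

# Label that the indexed "facility" field carries. The thread confirms that
# authpriv is indexed as "security/authorization" and that auth is treated as
# the same facility; the rest of this table is an assumption for the demo.
GRAYLOG_LABEL = {
    1: "user-level",
    4: "security/authorization",
    10: "security/authorization",
}

# Constructed RFC 5424 message, as rsyslog's RSYSLOG_SyslogProtocol23Format
# would emit for an authpriv.info event (PRI 10 * 8 + 6 = 86).
SAMPLE = ("<86>1 2020-07-01T12:00:00+00:00 host sshd 1234 - - "
          "pam_unix(sshd:session): session opened for user alice")


def split_pri(pri):
    """PRI = facility * 8 + severity; valid range is 0..191 (23 * 8 + 7)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def encode_pri(facility, severity):
    return facility * 8 + severity


def parse_pri(msg):
    """Return (facility, severity) from the leading <PRI> of a syslog line."""
    m = _PRI_RE.match(msg)
    if not m:
        raise ValueError("message has no <PRI> header")
    return split_pri(int(m.group(1)))


def facility_name(num):
    return FACILITY_NAMES.get(num, f"facility{num}")


def graylog_index(msg):
    """Model of what the Graylog input stores: a label, a level and the
    numeric facility (facility_num, the field the fix in this thread adds)."""
    facility, severity = parse_pri(msg)
    return {
        "facility": GRAYLOG_LABEL.get(facility, facility_name(facility)),
        "level": severity,
        "facility_num": facility,
        "message": msg[msg.index(">") + 1:],
    }


def output_pri(fields, mode):
    """Rebuild the PRI from indexed fields, as an output plugin has to.

    "original":     the reported behaviour, facility falls back to USER (1).
    "label":        map the label back; "security/authorization" is ambiguous
                    between 4 and 10, and the lowest code (auth) wins here.
    "facility_num": honour the numeric field when it is present.
    """
    severity = fields["level"]
    if mode == "facility_num" and "facility_num" in fields:
        return encode_pri(fields["facility_num"], severity)
    if mode == "label":
        for code, label in sorted(GRAYLOG_LABEL.items()):
            if label == fields["facility"]:
                return encode_pri(code, severity)
    return encode_pri(FACILITIES["user"], severity)


def demo():
    """PRI that each modelled output mode emits for SAMPLE."""
    fields = graylog_index(SAMPLE)
    return {mode: output_pri(fields, mode)
            for mode in ("original", "label", "facility_num")}


if __name__ == "__main__":
    fac, sev = parse_pri(SAMPLE)
    print(f"input PRI <{encode_pri(fac, sev)}> = {facility_name(fac)}.{SEVERITIES[sev]}")
    for mode, pri in demo().items():
        fn, sv = split_pri(pri)
        print(f"{mode:13s} -> <{pri}> = {facility_name(fn)}.{SEVERITIES[sv]}")
```

The point the model makes explicit: once the input has reduced facility 10 to the label "security/authorization", the output cannot distinguish it from facility 4, so a label-based reverse mapping can only ever produce <38> for an authpriv message; carrying the numeric code through in a separate field is what makes <86> recoverable.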