
Syslog messages without PRI header

Question asked by Maximiliano Cittadini on Oct 1, 2019
Latest reply on Oct 1, 2019 by Maximiliano Cittadini

I have some customers that have several products/solutions able to send syslog messages using the CEF format, but the decoder seems to discard them because the syslog messages come without the PRI header. My question here is: is there some way for the decoders to accept those messages and parse them with the CEF parser?


here are some examples:

This one is not parsed

(it also generates a message on the decoder)

oct 01 10:39:42 HOSTNAME CEF:0|Vendor|Product|10.3|10000|Message Description|2|msg=Some text here field1=value1 field2=2

Message on the decoder:

Oct  1 15:12:57 ldecoder NwLogDecoder[23707]: [SYSLOG] [warning] Unidentified content from 127.0.0.1 received on syslog receiver: 'oct 01 10:39:42 HOSTNAME CEF:0|Vendor|Product|10.3|10000|Message Description|2|msg=Some text here field1=value1 field2=2'

This one IS parsed

<1> oct 01 10:39:42 HOSTNAME CEF:0|Vendor|Product|10.3|10000|Message Description|2|msg=Some text here field1=value1 field2=2


Thanks in advance!

regards!

Max
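The two sample lines in the question differ only in the leading `<1>`, the RFC 3164 PRI field (facility * 8 + severity). A common workaround when the sending product cannot be configured to emit it is to put a small relay in front of the Log Decoder that adds a PRI to frames that lack one and forwards them unchanged otherwise. The following is an added example written for this page, not code from the original post or from RSA/NetWitness; the default PRI of 13 (user.notice), the relay port 5514 and the decoder hostname are assumptions, and the sample lines are constructed to match the ones above. The CEF header splitter is included so the relay can confirm a line really is CEF (including `\|` and `\\` escapes) before touching it.

```python
import re
import socket

# RFC 3164 PRI field: "<" + decimal 0..191 + ">" at the very start of the frame.
PRI_RE = re.compile(r"^<(\d{1,3})>")

# Assumed default when the sender omits PRI: facility user (1), severity notice (5).
DEFAULT_PRI = 1 * 8 + 5  # 13

# CEF header fields, in the order they appear after "CEF:".
CEF_HEADER_KEYS = ("version", "vendor", "product", "device_version",
                   "signature_id", "name", "severity")

# Constructed sample lines patterned on the ones in the question (not device captures).
SAMPLE_NO_PRI = ("oct 01 10:39:42 HOSTNAME CEF:0|Vendor|Product|10.3|10000|"
                 "Message Description|2|msg=Some text here field1=value1 field2=2")
SAMPLE_WITH_PRI = "<1> " + SAMPLE_NO_PRI


def has_pri(line: str) -> bool:
    """True if the line starts with a syntactically valid PRI field (0..191)."""
    m = PRI_RE.match(line)
    return m is not None and int(m.group(1)) <= 191


def add_pri(line: str, default_pri: int = DEFAULT_PRI) -> str:
    """Prepend <default_pri> to a line that has no PRI; return other lines unchanged."""
    if has_pri(line):
        return line
    return f"<{default_pri}>{line}"


def _split_cef_header(msg: str):
    """Split the 7 pipe-delimited CEF header fields, honouring \\| and \\\\ escapes.

    Returns (fields, extension) where extension is the untouched key=value tail.
    """
    fields, cur, i = [], [], 0
    while i < len(msg) and len(fields) < 7:
        c = msg[i]
        if c == "\\" and i + 1 < len(msg):   # escaped character: keep the literal
            cur.append(msg[i + 1])
            i += 2
            continue
        if c == "|":                          # unescaped pipe: field boundary
            fields.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    if len(fields) < 7:
        raise ValueError("incomplete CEF header")
    return fields, msg[i:]


def parse_cef(line: str) -> dict:
    """Locate 'CEF:' anywhere in a syslog line and return its header fields plus extension."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF prefix in message")
    fields, extension = _split_cef_header(line[start + len("CEF:"):])
    record = dict(zip(CEF_HEADER_KEYS, fields))
    record["extension"] = extension
    return record


def normalize(line: str, default_pri: int = DEFAULT_PRI) -> str:
    """Relay rule: only add a PRI to lines that parse as CEF; pass everything else through."""
    try:
        parse_cef(line)
    except ValueError:
        return line
    return add_pri(line, default_pri)


def relay(listen_port: int, decoder_host: str, decoder_port: int = 514) -> None:
    """UDP shim: receive syslog, normalize, forward to the Log Decoder (assumed UDP/514)."""
    inbound = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    inbound.bind(("0.0.0.0", listen_port))
    outbound = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        data, _src = inbound.recvfrom(65535)
        line = data.decode("utf-8", errors="replace").rstrip("\r\n")
        outbound.sendto(normalize(line).encode("utf-8"), (decoder_host, decoder_port))


if __name__ == "__main__":
    print(normalize(SAMPLE_NO_PRI))     # gains "<13>" in front
    print(normalize(SAMPLE_WITH_PRI))   # unchanged
    print(parse_cef(SAMPLE_NO_PRI))
    # To run as a shim (assumed host/ports): relay(5514, "ldecoder", 514)
```

Two caveats when using a shim like this: the decoder will see the relay's address as the syslog source rather than the original device, so source-based device identification or parser selection has to be redone on the relay side (the hostname inside the header is still intact), and the injected facility/severity is invented, so do not use it for alerting; the real severity lives in the CEF header's seventh field.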
