Syslog input filter parse failure

(Len Rugen) #1

I'm getting a parse failure on all logs from Cisco IronPort appliances. I see a syslog PRI field of <38>. RFC 3164 tables seem to say 3 is daemons but 8 is invalid.

Another method described here says 38/8 = 4 remainder 6, so AUTH.INFO, which is what Wireshark shows.

Is it possible that the syslog input plugin isn't grokking PRI correctly?

input {
  syslog {
    port => 514
    codec => plain {
      charset => "ISO-8859-1"
    }
  }
}
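
The divide-by-8 decoding mentioned in the post (PRI = facility × 8 + severity, so <38> is facility 4, severity 6), as an added Ruby example that is not part of the original post and is not the Logstash plugin's own code. The short facility and severity names follow the RFC 3164 tables, and the sample lines are constructed.

```ruby
# Added example: decode the syslog PRI field (PRI = facility * 8 + severity).
# Names are indexed by the numeric codes in the RFC 3164 tables.
FACILITIES = %w[kern user mail daemon auth syslog lpr news uucp cron authpriv
                ftp ntp audit alert clock local0 local1 local2 local3 local4
                local5 local6 local7].freeze
SEVERITIES = %w[emerg alert crit err warning notice info debug].freeze

# PRI is "<" + 1..3 decimal digits + ">" at the very start of the message.
PRI_RE = /\A<(\d{1,3})>/

# Returns a hash describing the PRI of one raw syslog line, or a hash with
# :error set when the field is missing or names a facility that does not exist.
def decode_pri(line)
  m = PRI_RE.match(line)
  return { error: "no PRI field at start of message" } unless m

  pri = m[1].to_i
  # 23 facilities * 8 + severity 7 = 191 is the largest valid value.
  return { error: "PRI #{pri} out of range 0..191" } if pri > 191

  facility, severity = pri.divmod(8)
  {
    pri: pri,
    facility: facility,
    severity: severity,
    label: "#{FACILITIES[facility]}.#{SEVERITIES[severity]}",
    rest: m.post_match # header and message body after the PRI
  }
end

# Constructed sample lines (not captured from a real appliance).
SAMPLES = [
  "<38>Oct 11 22:14:15 mailgw example: constructed test message",
  "<13>Oct 11 22:14:15 host app: constructed user.notice message",
  "<192>Oct 11 22:14:15 host app: facility would be 24, which does not exist",
  "Oct 11 22:14:15 host app: no PRI at all"
].freeze

SAMPLES.each do |line|
  r = decode_pri(line)
  if r[:error]
    puts "REJECT  #{r[:error]}"
  else
    puts "<#{r[:pri]}> => #{r[:label]} (facility #{r[:facility]}, severity #{r[:severity]})"
  end
end
```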
