Syslog integration no longer forwarding events to Graylog
I began testing the beta version of the Linux controller back in July of this year, and since then, I have not received any forwarded syslog messages to my Graylog instance. No relevant settings or configuration were changed on either the controller or my Graylog instance. I wanted to check whether there are any known issues with syslog forwarding in the beta versions of the controller. I just updated to 5.14.32.2 and the behavior has remained the same.
Hi @Enkidu77
Does the controller generate logs correctly?
If you downgrade to the official version 5.14.26.1, will the issue disappear?
@Vincent-TP in doing a little more investigation, it seems the messages are being consumed, but the format has changed. The source and timestamp information is not properly sent as seen below.
2024-09-30 00:00:00.000 | [1727810531.979972177] | |
[1727810531.979972177] AP MAC=xx:xx:xx:xx:xx:xx MAC SRC=xx:xx:xx:xx:xx:xx IP SRC=xxx.xxx.xxx.xxx IP DST=xxx.xxx.xxx.xxx IP proto=6 SPT=56932 DPT=10101 |
2024-09-30 00:00:00.000 | 10:36:17 | |
[client:xx-xx-xx-xx-xx-xx:xx-xx-xx-xx-xx-xx] was disconnected from network "ProxRep" on [switch:Switch1:xx-xx-xx-xx-xx-xx](connected time:38h52m connected, traffic: 2839.78MB) and connected to network "Default" on [switch:Switch1:xx-xx-xx-xx-xx-xx]. |
I can work around this partially by configuring a separate Graylog input just for the Omada controller, but without more significant pipeline or pattern configuration I can't easily reformat the incoming information with the correct source and timestamp. It seems the beta versions of the controller have switched to a different output format -- it would be helpful to understand what changes were made and why. No configuration adjustment was required with the pre-beta version of the controller, and the same syslog input worked across all my devices and servers. It is not ideal to have to configure a separate input or additional Graylog configuration because of this change.
Thank you for the information.
For a comparison, would you please share an example of the logs from the old controllers?
@Vincent-TP sure, see below. Note that before the issue began with the beta controller, the logs were separated out by whether they came from global logging or site logging (Home is the name of my homelab network). They were also properly formatted with date and time.
2024-07-02 12:00:33.216 | Omada-Home | |
was disconnected from network "LAN" on [osw:Switch1:xx-xx-xx-xx-xx-xx](connected time:42h5m connected, traffic: 673019.75MB) and connected to network "ProxRep" on [osw:Switch1:xx-xx-xx-xx-xx-xx]. |
2024-07-02 10:32:26.948 | Omada | |
- homepage logged in to the controller from 172.18.0.7. |
Hi @Enkidu77
From this version, we have modified the time format. It has been changed from "{year-month-day T hour:minute:second.millisecond}" to "{year-month-day (space) hour:minute:second}".
Before:
Now:
Please modify the matching rule accordingly and see if the issue persists.
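Added example, not part of the thread and not TP-Link or Graylog code: a Python normalizer a log collector could run so that both time formats named in the reply above resolve to one UTC timestamp, with a fallback signal when neither is present. The sample payloads are constructed, and the names `normalize` and `utc_offset_minutes`, along with the assumption that the timestamp leads the payload, are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Old layout per the thread: year-month-day T hour:minute:second.millisecond
# New layout per the thread: year-month-day (space) hour:minute:second
_TS = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})(?P<sep>[T ])"
    r"(?P<time>\d{2}:\d{2}:\d{2})(?:\.(?P<ms>\d{3}))?(?:\s+(?P<rest>.*))?$",
    re.S,
)

# Constructed sample payloads (assumption: the timestamp is the first token).
OLD_SAMPLE = '2024-07-02T12:00:33.216 Omada-Home client moved to network "ProxRep"'
NEW_SAMPLE = '2024-09-30 10:36:17 Omada-Home client moved to network "Default"'


def normalize(payload, utc_offset_minutes=0):
    """Return (utc_iso_timestamp, layout, remainder), or None if unparsable.

    Neither layout carries a time zone, so the controller's UTC offset has to
    be supplied by the operator (hypothetical parameter).
    """
    m = _TS.match(payload.strip())
    if not m:
        return None  # caller falls back to receive time and flags the event
    sep, ms = m["sep"], m["ms"]
    if sep == "T" and ms is not None:
        layout = "old"
    elif sep == " " and ms is None:
        layout = "new"
    else:
        layout = "unknown"  # a mix of both layouts; parsed but worth alerting on
    try:
        local = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None  # digits matched the pattern but are not a real date/time
    local = local.replace(
        microsecond=int(ms or 0) * 1000,
        tzinfo=timezone(timedelta(minutes=utc_offset_minutes)),
    )
    utc = local.astimezone(timezone.utc)
    return utc.isoformat(timespec="milliseconds"), layout, m["rest"] or ""
```

Events for which `normalize` returns `None` should keep the collector's receive time and be counted, so a future format change shows up as a metric rather than as silently misdated logs.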
@Vincent-TP Hi Vincent, I will test this in the next day or two and let you know. Thanks for the update.