Hi!

I want to let my MT devices send their logs to a central destination.

I am already using Graylog, so I did set up a syslog input on Graylog and configured it as destination for the MT-devices.

But:
- If I use "BSD syslog" on my MT routers, I do not see the messages.
- If I do not use "BSD syslog", i can see the messages as unformatted string: firewall,info output: in:(unknown 0) out:ether1, proto 4, 10.49.0.17->10.10.239.5, len 40

Are you using Graylog? Did you setup a working set of extractors, or how did you solve this?

Thank you for your thoughts
Stril

I posted something similar in the graylog forms would you be able to check my post there and see if what you are experiencing is similar.
I have also heard version 3.1.x of grayolg is handling these logs correctly. I am spooling up a VM to test this later today.

Link to post in graylog forms https://community.graylog.org/t/how-can ... er/11132/3

Hi!

It would be great, if you could keep me updated.

Sorry i gave you a bad link to the first post
https://community.graylog.org/t/mikroti ... evel/17387

I think i have a fully working solution Ill post in that forum by the end of the day ... probably.

I tried this a while back and found that when you use the BSD option, something very strange to do with timezones happen. My device was set to UTC+2, which would cause the log entries to appear in Graylog two hours after the fact. Extremely confusing until I found out what was going on.

I don't know if it's an issue with the time zone on the Graylog server or something else. I suspect that should you use a timezone UTC<0 you will never see the messages.

@wisphak1
Did you go with RAW-input, or did you find any option for BSD-input on graylog?

I ended up using raw without bsd then used extractors to format the logs