Graylog not accepting syslog data from UTM 9 due to datetime issues

Hi Klaus,
At which format the date is sent?
I've seen different systems (splunk, kiwi, prolog,...) without problems.
Possible you can send your data to a standard(linux) syslogserver, which forward the data with needed format..?

Hi Dirk,

thanks for your reply. The datetime format UTM 9 is using is "2022:12:29-11:46:36" while the syslog RFC says it should be "2022:12:29T11:46:36".

There are ways to workaround this issue, yes - I already found a working solution by using Graylog extractors. I still think the correct syslog datetime should be applied to the UTM logfiles even if other syslog solutions dont have that problem?

Cheers and a happy New Year,

Klaus

Do you use the "UTM log files" ... or syslog?

Some time ago I learned how to configure a large enterprise management solution by configuring the connectors to accept the "little differences". So the connectors (or the graylog extractor) can be an absolutely typical "workaround".

You can speak to your partner/Sophos representative and create a feature request. But since development with SG/UTM is very limited at the moment... I think you are unsuccessful.

Per default, the /etc/sslog-ng in the utm contains "template("<$PRI>$YEAR:$MONTH:$DAY-$HOUR:$MIN:$SEC $HOST $MSGHDR$MSG\n")" which is what you see.
You might replace tis with "template("<$PRI>$ISODATE $HOST $MSGHDR$MSG\n")" or whatever your logging solution expects.

However I recommend fixing it by being tolerant at the receiving side.
We use syslog to capture messages from all sort of devices apart servers (switches, PBX, sensors, printers, tape librarys, alerting devices, cameras, WLAN APs and all other embedded stuff in use as long as they support it). Often they have their own message format (some of them may not even have a clock integrated) and capturing any message is crutial. So we use a very relaxed filtering (as long as the sender can clearly be identified it gets logged).

The issue with changing the template is that after a reboot / change in the UI for syslog the template gets resetted to the original value so there would be more work needed.. also changes done by root will void the support. So I'll stick to the workaround, but thanks a lot for the explanation.

Thanks a lot!

I know these are less than ideal, but my solutions have been either to:

• Run syslog-ng agent on the Graylog server so it prepends a proper RFC5424 timestamp to the beginning of the message then redirects to localhost:1514 where the Graylog Syslog Input is listening.
• Use the Raw Input and a pipeline rule to rewrite the timestamp during ingestion. It's pretty low resource cost in my experience.

You could make a simple cronjob to run a one-liner replacement for this format string every reboot. Just add this line to `/etc/crontab-static`:

@reboot root sed -i 's/<$PRI>$YEAR:$MONTH:$DAY-$HOUR:$MIN:$SEC/<$PRI>$ISODATE/g' /etc/syslog-ng.conf

Then make an arbitrary config change in the UI (e.g. go to Management > Up2Date, then configuration tab, and change one of the intervals to 'Manual', click Apply, switch back to previous interval, click Apply again) to make the system write /etc/crontab-static to /etc/crontab so it will take effect.