- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Atm we use splunk to monitor our pfsense boxes.
It would be very nice if we could do that with vcenter log insight.
But the problem is this:
pfsense send out the following:
| Sep 9 15:26:46 | pf: 192.168.99.8.64592 > 80.239.205.210.80: Flags [S], cksum 0x263b (correct), seq 3949330011, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 |
| Sep 9 15:26:46 | pf: 00:00:03.010545 rule 1/0(match): block in on em1: (tos 0x0, ttl 128, id 2486, offset 0, flags [DF], proto TCP (6), length 52) |
vcenter log insight shows:
15:26:46.621
2013-09-09
15:26:46.621
priority facility source hostname appname
But splunk shows a much nicer
9/9/13
3:26:44.000 PM Sep 9 15:26:44 193.186.36.81 Sep 9 15:26:46 pf: 00:00:03.010545 rule 1/0(match): block in on em1: (tos 0x0, ttl 128, id 2486, offset 0, flags [DF], proto TCP (6), length 52)Sep 9 15:26:44 193.186.36.81 Sep 9 15:26:46 pf: 192.168.99.8.64592 > 80.239.205.210.80: Flags [S], cksum 0x263b (correct), seq 3949330011, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0host=193.186.36.81 Options|
sourcetype=pfsense-firewall Options|
source=udp:514 Options|
dest_ip=80.239.205.210 Options|
dest_port=80 Options
Now the problem is that if i search for example on 80.239.205.210 it will only show:
2013-09-09
15:26:46.621
priority facility source hostname appname
is there a way to change that..???
Thanks!
Regards
Hans
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
btw, in base its a pfsense issue..http://redmine.pfsense.org/issues/1938
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok, pfsense have created a fix for me. So ill mark this as answered.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the info and bug ID! As an FYI from the Log Insight 1.0 release notes:
Multi-line messages that are sent to Log Insight though syslog from ESXi hosts and other applications are split incorrectly
By default, the syslog protocol supports only single line messages, so each line of a multi-line message is sent as a separate message. This creates problems with field extractions, aggregation, and analysis of multi-line messages.
Workaround: None