Fix syslog-parsing for MSGID

Open fpetersen-gl opened this issue 1 month ago • 1 comments

See graylog-labs/syslog4j-graylog2#55 and Graylog2/support#372

From this example-message the MSGID (ID42) is not extracted:

```
<134>1 2025-11-18T10:28:07+0100 185.158.193.21 BIG-IP 42 ID42 - client_ip="34.X.Y.139" target_ip="185.X.Y.21" srcPort=26807 dstPort=443 proto="TCP" action="accept" info="blablabla"
```

fpetersen-gl • Nov 20 '25 14:11

From the linked support issue:

Looks like the syslog-parser only accepts a MSGID if there's structured data wrapped in [...] in the message. Here is the check for existing structured data and only here the MSGID is considered.

I notice we lack unit tests for most of the structured event header fields. We should add those.

patrickmann • Dec 05 '25 13:12
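
As an added illustration of the behaviour discussed in this issue (not Graylog or syslog4j code), here is a minimal RFC 5424 parser in Python that reads MSGID by its position in the header, whether STRUCTURED-DATA is the NILVALUE `-` or an SD-ELEMENT in `[...]`. The function and field names are hypothetical, and the second sample is a constructed variant of the message from the issue.

```python
import re

# Message quoted in the issue: STRUCTURED-DATA is the NILVALUE "-".
SAMPLE = (
    '<134>1 2025-11-18T10:28:07+0100 185.158.193.21 BIG-IP 42 ID42 - '
    'client_ip="34.X.Y.139" target_ip="185.X.Y.21" srcPort=26807 dstPort=443 '
    'proto="TCP" action="accept" info="blablabla"')
# Constructed variant of the same header carrying one SD-ELEMENT.
SAMPLE_SD = '<134>1 2025-11-18T10:28:07+0100 185.158.193.21 BIG-IP 42 ID42 [meta@32473 seq="1"] hello'

HEADER = re.compile(r'<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)', re.S)
FIELDS = ("timestamp", "hostname", "app_name", "proc_id", "msg_id")

def split_structured_data(rest):
    """Split 'STRUCTURED-DATA [SP MSG]' into (sd, msg); sd is None for '-'."""
    if rest == "-" or rest.startswith("- "):
        return None, rest[2:]
    if not rest.startswith("["):
        raise ValueError("STRUCTURED-DATA must be '-' or start with '['")
    i = 0
    while i < len(rest) and rest[i] == "[":   # one pass per SD-ELEMENT
        i, in_quotes = i + 1, False
        while i < len(rest):
            c = rest[i]
            if in_quotes and c == "\\":
                i += 1                        # skip escaped char in PARAM-VALUE
            elif c == '"':
                in_quotes = not in_quotes
            elif c == "]" and not in_quotes:
                break
            i += 1
        else:
            raise ValueError("unterminated SD-ELEMENT")
        i += 1
    return rest[:i], rest[i + 1:]

def parse_rfc5424(line):
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header")
    pri = int(m.group(1))
    event = {"facility": pri >> 3, "severity": pri & 7, "version": int(m.group(2))}
    # "-" is the NILVALUE for each header field. MSGID is taken by position,
    # before STRUCTURED-DATA is looked at, so it never depends on "[...]".
    for name, value in zip(FIELDS, m.groups()[2:7]):
        event[name] = None if value == "-" else value
    event["structured_data"], event["message"] = split_structured_data(m.group(8))
    return event
```

The two samples map directly onto the missing unit tests mentioned above: one case per header field with STRUCTURED-DATA absent, and the same assertions with it present.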