Source from Cisco 3750 switch appears as name of the month (?) in Graylog 6.0
I've just installed a new SIEM based on Graylog 6.0 to collect all my logs from my home network. Both my APs and TrueNAS send logs over UDP just fine.
After adding my switch - a Cisco Catalyst 3750-X - I noticed that its logs were being collected under an odd source name: ".jun", which appears to be the name of the month, as I'm writing this post in June.
It turns out that even if the switch has a hostname set up, it won't be sent to the remote syslog if "logging origin-id" is not set.
After setting it:
logging origin-id hostname
The correct hostname was then sent to Graylog.
After a while, the old "hostname" disappeared, leaving everything as it should be.
Other options to set are:
  hostname  Use origin hostname as ID
  ip        Use origin IP address as ID
  ipv6      Use origin IPv6 address as ID
  string    Define a unique text string as ID
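
A collector-side check for the same problem, as an added example that is not part of the original post: it extracts the origin-id from an IOS syslog payload, falls back to the sender address when none is present, and flags stored source names such as ".jun" that are really timestamp fragments. The payload layout, the function names and the two sample messages are assumptions constructed for illustration, not captures from the switch above.

```python
import re

MONTHS = {"jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"}

# Assumed IOS payload layout:
#   <PRI>[seq: ][origin-id: ]timestamp: %FACILITY-SEV-MNEMONIC: text
# A leading "*" or "." on the timestamp is the IOS clock-status marker.
IOS_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"
    r"(?:(?P<origin>\S+): )?"
    r"(?P<ts>[*.]?[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d(?:\.\d+)?(?: [A-Z]{2,5})?): "
    r"(?P<msg>%\S+: .*)$"
)

# Constructed sample messages (not real captures).
NO_ORIGIN = ("<189>45: .Jun 10 12:34:56.789: %LINEPROTO-5-UPDOWN: "
             "Line protocol on Interface GigabitEthernet1/0/1, changed state to up")
WITH_ORIGIN = ("<189>46: sw-core-01: .Jun 10 12:35:02.101: %SYS-5-CONFIG_I: "
               "Configured from console by admin on vty0")


def ios_source(payload, sender_ip):
    """Return (source, has_origin_id); fall back to the UDP sender address."""
    m = IOS_RE.match(payload)
    if m and m.group("origin"):
        return m.group("origin"), True
    return sender_ip, False


def is_month_token(source):
    """True when a stored source name is a timestamp fragment like '.jun'."""
    return source.lstrip("*.").lower() in MONTHS


def audit(sources):
    """List the source names that point at a device missing its origin-id."""
    return sorted(s for s in sources if is_month_token(s))


if __name__ == "__main__":
    for payload in (NO_ORIGIN, WITH_ORIGIN):
        print(ios_source(payload, "192.0.2.10"))
    print(audit([".jun", "truenas", "ap-livingroom", "*Jul", "sw-core-01"]))
```

Running `audit` over the distinct source values exported from the SIEM shows which devices still need `logging origin-id` configured.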