Raw Log - how to remove "1" on the beginning log string ?

KKKalle77

I have a pfSense CE up to date whit
Log Message Format : syslog
Raw Logs : [V] Show raw filter logs

but into the output, for every log I have a 1 in the beginning of the string

1 2024-11-05T09:35:02.631591+01:00 FW-######## radiusd 30110 - - (49) Login OK: [######] (from client pfsense-###### port #### cli :####)

can i remove it?

Thanks

stephenw10

You are seeing that in the exported logs or locally?

KKKalle77

Remote Loggin --> Splunk server

stephenw10

So it shows fine locally?

Did that just start happening on the remote server? When you switched to syslog format perhaps?

KKKalle77

Local show 1 too

stephenw10

So did it just start happening or has it done that all the time since you switched the syslog format?

NogBadTheBad

That's not the Facility code of the syslog message is it ?

I see the following when I run the following from the CLI using

logger -S 172.16.0.1 -P514 -h 172.16.4.10 test

14:54:18.326462 00:08:a2:0a:9d:cb > 00:11:32:e0:32:4e, ethertype IPv4 (0x0800), length 81: (tos 0x0, ttl 64, id 35213, offset 0, flags [none], proto UDP (17), length 67)
    172.16.0.1.27117 > 172.16.4.10.514: [udp sum ok] SYSLOG, length: 39
	Facility user (1), Severity notice (5)
	Msg: Nov 19 14:54:18 pfsense admin: test
	0x0000:  3c31 333e 4e6f 7620 3139 2031 343a 3534
	0x0010:  3a31 3820 7066 7365 6e73 6520 6164 6d69
	0x0020:  6e3a 2074 6573 74

If you're creating reports in Splunk you'll need to look at regexes.

https://kinneygroup.com/blog/regular-expressions-in-splunk/

stephenw10

Mmm, I'm not sure we can anything about that. The webgui handles that formatting fine.

I believe that's actually the syslog version, which i9s part of the expected format.