Netgate Discussion Forum

    Raw Log - how to remove "1" on the beginning log string ?

      KKKalle77

      I have an up-to-date pfSense CE with
      Log Message Format : syslog
      Raw Logs : [V] Show raw filter logs

      but in the output, every log has a 1 at the beginning of the string

      1 2024-11-05T09:35:02.631591+01:00 FW-######## radiusd 30110 - - (49) Login OK: [######] (from client pfsense-###### port #### cli :####)

      Can I remove it?

      Thanks

        stephenw10 Netgate Administrator

        You are seeing that in the exported logs or locally?

          KKKalle77

          Remote Logging --> Splunk server

            stephenw10 Netgate Administrator

            So it shows fine locally?

            Did that just start happening on the remote server? When you switched to syslog format perhaps?

              KKKalle77

              Local shows 1 too

                stephenw10 Netgate Administrator

                So did it just start happening or has it done that all the time since you switched the syslog format?

                  NogBadTheBad @stephenw10

                  That's not the Facility code of the syslog message, is it?

                  I see the following when I run this from the CLI:

                  logger -S 172.16.0.1 -P514 -h 172.16.4.10 test

                  14:54:18.326462 00:08:a2:0a:9d:cb > 00:11:32:e0:32:4e, ethertype IPv4 (0x0800), length 81: (tos 0x0, ttl 64, id 35213, offset 0, flags [none], proto UDP (17), length 67)
                      172.16.0.1.27117 > 172.16.4.10.514: [udp sum ok] SYSLOG, length: 39
                  	Facility user (1), Severity notice (5)
                  	Msg: Nov 19 14:54:18 pfsense admin: test
                  	0x0000:  3c31 333e 4e6f 7620 3139 2031 343a 3534
                  	0x0010:  3a31 3820 7066 7365 6e73 6520 6164 6d69
                  	0x0020:  6e3a 2074 6573 74
                  

                  If you're creating reports in Splunk you'll need to look at regexes.

                  https://kinneygroup.com/blog/regular-expressions-in-splunk/

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                    stephenw10 Netgate Administrator

                    Mmm, I'm not sure we can do anything about that. The webgui handles that formatting fine.

                    I believe that's actually the syslog version, which is part of the expected format.

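An added example, not code from any poster in this thread or from pfSense: in RFC 5424 the header is `<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG`, so a leading `1` is the VERSION field, while facility and severity are packed into the separate `<PRI>` prefix seen in the packet capture. The sketch below parses both samples from the thread; the function and field names are this example's own, and a log pipeline can keep the `msg` field if the version token is unwanted in reports.

```python
import re

# Facility and severity names by numeric code (RFC 5424, section 6.2.1).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv "
              "ftp ntp audit alert clock local0 local1 local2 local3 local4 "
              "local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 5424 header fields that follow PRI. Simplification made for this
# example: structured data containing an escaped "]" is not handled.
HDR_5424 = re.compile(
    r"^(?P<version>[1-9]\d?) (?P<timestamp>-|\d{4}-\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$", re.S)


def parse_syslog(line):
    """Split a syslog line into PRI (if present), RFC 5424 header and message."""
    rec = {"facility": None, "severity": None, "format": "rfc3164"}
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
            raise ValueError(f"PRI out of range: {pri}")
        rec["facility"] = FACILITIES[pri >> 3]  # facility = PRI // 8
        rec["severity"] = SEVERITIES[pri & 7]   # severity = PRI % 8
        line = line[m.end():]
    m = HDR_5424.match(line)
    if m:
        rec.update(m.groupdict(), format="rfc5424")
        rec["version"] = int(rec["version"])
    else:
        rec["msg"] = line  # BSD-style line: there is no version field
    return rec


# Both samples come from the thread: the displayed log line (PRI already
# stripped by the viewer) and the UDP payload bytes from the tcpdump hex dump.
RAW_5424 = ("1 2024-11-05T09:35:02.631591+01:00 FW-######## radiusd 30110 - - "
            "(49) Login OK: [######] (from client pfsense-###### port #### cli :####)")
RAW_BSD = bytes.fromhex("3c31333e4e6f762031392031343a3534"
                        "3a313820706673656e73652061646d69"
                        "6e3a2074657374").decode("ascii")

if __name__ == "__main__":
    for raw in (RAW_5424, RAW_BSD):
        print(parse_syslog(raw))
```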
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.