[syslog-ng] Invalid parsing of syslog messages having timezone

Evan Rempel erempel at uvic.ca
Thu Jun 9 17:14:25 CEST 2016


*RANT ON*

Cisco logging is the worst. For instance, the * at the beginning of the line indicates that the clock on the device is not synchronized with an external time clock. Great news, Cisco, but now it is not a valid time stamp!

*RANT OFF*

We use a pattern database to rewrite poor logs prior to doing anything else with the logs.
There also is not a valid program name in this syslog line, so we take the %XXXX-N-YYYY: part of the line and turn it into a program name of cisco_XXXX.

One of our transformed lines of the same kind looks like


2016-06-09T07:17:23-07:00 device.hostname.domain local7.notice cisco_LINEPROTO: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/4, changed state to up

If you are interested in this contact me off-list and I can provide the rewrite pattern database and the syslog-ng configuration snippet that uses it.
We also have rewrites for netapp, ddn disk, zone minder, Intel True Scale switches and OpenManage Server Administrator.

Evan.


On 06/09/2016 02:59 AM, Nutan Shinde wrote:
> Hi,
>
> Following is the syslog message received from Cisco router :
>
> *Mar  1 09:30:25.249 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to down
>
> As you can see, UTC is included in the above timestamp. That is why the value of $PROGRAM is UTC and $MSGONLY is %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to down.
>
> What should I include in the syslog-ng.conf so that time zone is ignored?
>
>


-- 
Evan Rempel
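
The rewrite described in this message, sketched in Python as an added example; it is not Evan's pattern database or syslog-ng configuration, neither of which appears in this post. Assumptions: the name `rewrite_cisco`, a year supplied by the receiver (the Cisco header carries none), a facility taken from the PRI and defaulting to `local7`, and only `UTC` mapped to an offset.

```python
import re
from datetime import datetime, timedelta, timezone

# Cisco header as quoted in the thread: optional '*' (device clock not
# synchronized), "Mmm d hh:mm:ss[.mmm] [TZ]:", then "%XXXX-N-YYYY: text".
CISCO_RE = re.compile(
    r"^(?P<flag>\*)?"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})(?:\.(?P<ms>\d{1,3}))?"
    r"(?:\s+(?P<tz>[A-Z]{2,5}))?:\s+"
    r"(?P<msg>%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):.*)$"
)
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def rewrite_cisco(line, host, year, facility="local7", tz_offsets=None):
    """Return (rewritten_line, clock_synced), or None if the line is not in
    the Cisco form, so the caller can pass other messages through untouched."""
    m = CISCO_RE.match(line)
    if m is None:
        return None
    # Assumption: only UTC is mapped; other abbreviations are ambiguous.
    tz_offsets = {"UTC": 0} if tz_offsets is None else tz_offsets
    ts = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    spec = "seconds"
    if m["ms"]:
        ts = ts.replace(microsecond=int(m["ms"].ljust(3, "0")) * 1000)
        spec = "milliseconds"
    if m["tz"] in tz_offsets:
        ts = ts.replace(tzinfo=timezone(timedelta(hours=tz_offsets[m["tz"]])))
    program = "cisco_" + m["fac"]            # %LINEPROTO-5-UPDOWN -> cisco_LINEPROTO
    level = SEVERITY[int(m["sev"])]          # the N in %XXXX-N-YYYY
    rewritten = (f"{ts.isoformat(timespec=spec)} {host} "
                 f"{facility}.{level} {program}: {m['msg']}")
    # Keep the '*' information: an unsynchronized clock matters when
    # correlating these timestamps with other sources.
    return rewritten, m["flag"] is None


if __name__ == "__main__":
    # Message quoted in the thread; host name and year are constructed.
    sample = ("*Mar  1 09:30:25.249 UTC: %LINEPROTO-5-UPDOWN: Line protocol "
              "on Interface Tunnel2, changed state to down")
    print(rewrite_cisco(sample, "device.hostname.domain", 2016))
```
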
