Hello,<br>
<br>
Thanks for the answers. Currently, I'm using syslog-ng OSE 3.1.2.<br>
<br>
For that "problem", I created the following configuration:<br>
<br>
source s_r_udp_cisco {<br>
    udp( ip(0.0.0.0)<br>
         port(514)<br>
         flags(no-parse)                     # keep the whole datagram in $MESSAGE, no PROGRAM guessing<br>
         program_override("cisco_routeur")   # the PROGRAM value the ruleset below matches on<br>
    );<br>
};<br>
<br>
# the parser referenced in the log path below; the file path is an assumption<br>
parser pattern_db_cisco {<br>
    db-parser(file("/etc/syslog-ng/pattern_db_cisco.xml"));<br>
};<br>
<br>
log {<br>
    source(s_r_udp_cisco);<br>
    parser(pattern_db_cisco);<br>
    # filter(...);  -> filter only on ".cisco.facility", for example<br>
    # etc.<br>
};<br>
<br>
With the following "pattern_db_cisco":<br>
<?xml version='1.0' encoding='UTF-8'?><br>
<patterndb version='3' pub_date='2010-11-04'><br>
<ruleset name='cisco_routeur' id='1:2:3:4'><br>
<pattern>cisco_routeur</pattern><br>
<rules><br>
<rule provider='cisco' id='1:2:3:4:id001' class='system'><br>
<patterns><br>
<pattern>@QSTRING:.cisco.prio:&lt;&gt;@@ESTRING:.cisco.id::@@ESTRING:.cisco.date:%@@ESTRING:.cisco.facility:-@@ESTRING:.cisco.severity:-@@ESTRING:.cisco.mnemonic::@@ANYSTRING:.cisco.message-text:@</pattern><br>
</patterns><br>
</rule><br>
</rules><br>
</ruleset><br>
</patterndb><br>
<br>and... it's working!<br>But now I should use another UDP port (a value other than 514) because of the option "flags(no-parse)". Indeed, I have some issues when other devices send logs to the syslog-ng server.<br>
<br>Thank you :-)<br><br>Regards,<br><br>Yann I.<br>
<br><br><br><div class="gmail_quote">2010/11/3 Fekete Róbert <span dir="ltr"><<a href="mailto:frobert@balabit.hu" target="_blank">frobert@balabit.hu</a>></span><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Hi,<br>
<br>
AFAIK, syslog-ng Premium Edition 3.2 can recognize and properly handle this message format. I am not sure if this was already ported to OSE 3.2, I'll try to get some info on it if Bazsi does not reply sooner.<br>
<br>
Regards,<br>
Robert<br>
<div><div></div><div><br>
On Wednesday, November 03, 2010 17:40 CET, Matthew Hall <<a href="mailto:mhall@mhcomputing.net" target="_blank">mhall@mhcomputing.net</a>> wrote:<br>
<br>
> There are ways to enable and disable the message sequence numbering<br>
> and other special components of the messages on the Cisco devices<br>
> themselves. The numbers can be useful for finding out if your devices are<br>
> dropping messages somewhere.<br>
><br>
> But the more general solution is to send these to a source which has the<br>
> flags(no-parse) set. Then you can parse out the interesting stuff using<br>
> patterndb. Maybe Peter Czanik from Balabit can suggest where to find the<br>
> latest patterns for Cisco devices.<br>
><br>
> See this for details:<br>
><br>
> <a href="http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/index.html-single.html#reference_source_tcpudp" target="_blank">http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/index.html-single.html#reference_source_tcpudp</a><br>
><br>
> Good Luck,<br>
> Matthew.<br>
><br>
> On Wednesday, November 03, 2010 08:50:59 Yann Forum wrote:<br>
> > Hello,<br>
> ><br>
> ><br>
> ><br>
> > I'm writing patterndb.xml files to filter syslog messages from servers<br>
> > and CISCO routers. Currently, CISCO sends syslog with that format:<br>
> ><br>
> ><br>
> ><br>
> > Nov 3 15:36:02 srv01.dom.test 36779: .Nov 3 14:50:30.403:<br>
> > %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source:<br>
> > 10.0.0.1] [localport: 22] at 15:50:30 CET Wed Nov 3 2010<br>
> ><br>
> > Nov 3 15:39:02 srv01.dom.test 36780: .Nov 3 14:53:30.255:<br>
> > %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source:<br>
> > 10.0.0.1] [localport: 22] at 15:53:30 CET Wed Nov 3 2010<br>
> ><br>
> > Nov 3 15:42:01 srv01.dom.test 36781: .Nov 3 14:56:30.378:<br>
> > %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source:<br>
> > 10.0.0.1] [localport: 22] at 15:56:30 CET Wed Nov 3 2010<br>
> ><br>
> ><br>
> ><br>
> > The problem comes from the program name, which changes for each message:<br>
> > 36779, 36780, 36781, etc. For this reason, I can't use patterndb<br>
> > mechanism.<br>
> ><br>
> > How may I solve my problem? I think it's not allowed to change the<br>
> > program name with the "rewrite" rule.<br>
> ><br>
> > I have the same problem with switches from Alcatel...<br>
> ><br>
> ><br>
> ><br>
> > Regards,<br>
> ><br>
> ><br>
> ><br>
> > Yann I.<br>
><br>
> --<br>
> Matthew Hall<br>
</div></div>> ______________________________________________________________________________<br>
> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
><br>
><br>
<br>
<br>
</blockquote></div><br>
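The raw IOS message format discussed in this thread (sequence number, clock-status marker, %FACILITY-SEVERITY-MNEMONIC), as an added example that is not part of the thread and not syslog-ng code: a small Python parser that extracts the same fields as Yann's patterndb rule, shows why a default (parsing) source ends up with the sequence number as PROGRAM, and uses the sequence numbers the way Matthew suggests, to spot dropped datagrams. The datagrams are constructed from the lines quoted above; the &lt;189&gt; priority and the deliberate jump to 36783 in the third one are assumptions, and naive_program_name() only approximates the behaviour the thread's output shows.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample datagrams, modelled on the three lines quoted in the thread.
# Assumptions: the <189> priority (local7.notice, i.e. severity 5, matching the
# Cisco "-5-") is made up, and the third sequence number is deliberately 36783
# instead of 36781 so that the gap check below has something to find.
SAMPLE_DATAGRAMS = [
    "<189>36779: .Nov 3 14:50:30.403: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: user01] [Source: 10.0.0.1] [localport: 22] at 15:50:30 CET Wed Nov 3 2010",
    "<189>36780: .Nov 3 14:53:30.255: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: user01] [Source: 10.0.0.1] [localport: 22] at 15:53:30 CET Wed Nov 3 2010",
    "<189>36783: .Nov 3 14:56:30.378: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: user01] [Source: 10.0.0.1] [localport: 22] at 15:56:30 CET Wed Nov 3 2010",
]

# Same field boundaries as the patterndb rule in the thread:
#   @QSTRING:.cisco.prio:<>@ @ESTRING:.cisco.id::@ @ESTRING:.cisco.date:%@
#   @ESTRING:.cisco.facility:-@ @ESTRING:.cisco.severity:-@ @ESTRING:.cisco.mnemonic::@
#   @ANYSTRING:.cisco.message-text:@
# plus the IOS clock-status marker in front of the timestamp ('.' = clock not
# synchronised, '*' = clock not authoritative), which the rule leaves inside .cisco.date.
CISCO_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                  # syslog PRI, like QSTRING with <> quotes
    r"(?P<seq>\d+):"                         # 'service sequence-numbers' counter
    r"\s*(?P<clock>[.*]?)"                   # optional clock-status marker
    r"(?P<date>[^%]*?):\s*"                  # IOS timestamp, up to the '%'
    r"%(?P<facility>[^-]+)-(?P<severity>[0-7])-(?P<mnemonic>[^:]+):"
    r"\s?(?P<text>.*)$"                      # free-text part of the message
)


@dataclass
class CiscoMessage:
    pri: int
    seq: int
    clock_synced: bool
    date: str
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def syslog_facility(self) -> int:
        return self.pri >> 3

    @property
    def syslog_severity(self) -> int:
        return self.pri & 7


def parse_cisco(datagram: str) -> Optional[CiscoMessage]:
    """Parse one raw IOS datagram (what flags(no-parse) leaves in $MESSAGE)."""
    m = CISCO_RE.match(datagram)
    if m is None:
        return None  # not IOS-style; leave it to the ordinary syslog parser
    return CiscoMessage(
        pri=int(m["pri"]),
        seq=int(m["seq"]),
        clock_synced=(m["clock"] == ""),
        date=m["date"],
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        text=m["text"],
    )


def naive_program_name(datagram: str) -> str:
    """Approximation of what the thread's output shows a default (parsing) source
    doing: with no RFC 3164 timestamp/host after the PRI, the text up to the first
    ':' is taken as PROGRAM, so it becomes the ever-changing sequence number."""
    body = datagram.split(">", 1)[1]
    return body.split(":", 1)[0]


def find_sequence_gaps(messages: List[CiscoMessage]) -> List[Tuple[int, int]]:
    """(expected, seen) pairs wherever consecutive sequence numbers are not adjacent.
    A forward jump means datagrams were lost in transit or dropped on the collector;
    a backward jump usually means the device rebooted and restarted its counter."""
    gaps = []
    for prev, cur in zip(messages, messages[1:]):
        if cur.seq != prev.seq + 1:
            gaps.append((prev.seq + 1, cur.seq))
    return gaps


if __name__ == "__main__":
    parsed = [parse_cisco(d) for d in SAMPLE_DATAGRAMS]
    for msg in parsed:
        print(f"seq={msg.seq} {msg.facility}-{msg.severity}-{msg.mnemonic} "
              f"syslog={msg.syslog_facility}.{msg.syslog_severity} synced={msg.clock_synced}")
    print("default parser would call the program:", naive_program_name(SAMPLE_DATAGRAMS[0]))
    print("sequence gaps:", find_sequence_gaps(parsed))
```

In a syslog-ng deployment this logic stays in the patterndb rule; the script only makes explicit what each delimiter in the pattern captures and turns the sequence numbers into a concrete check. One difference worth knowing: `.cisco.date` in the rule keeps the leading space, the `.` marker and the trailing `: `, whereas the regex here trims them and reports the marker separately as `clock_synced`.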