<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7655.11">
<TITLE>RE: Cisco IOS message format</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<BR>
<P><FONT COLOR="#0000FF" FACE="Calibri">Hi All,</FONT>
</P>
<P><FONT COLOR="#0000FF" FACE="Calibri">Can anyone assist with the issue below?</FONT>
</P>
<P><FONT COLOR="#0000FF" FACE="Calibri">Thanks</FONT>
<BR><FONT COLOR="#0000FF" FACE="Calibri">James</FONT>
</P>
<BR>
<P><FONT SIZE=1 FACE="Tahoma">_____________________________________________ </FONT>
<BR><B><FONT SIZE=1 FACE="Tahoma">From: </FONT></B> <FONT SIZE=1 FACE="Tahoma">Wells, James </FONT>
<BR><B><FONT SIZE=1 FACE="Tahoma">Sent: </FONT></B> <FONT SIZE=1 FACE="Tahoma">10 November 2011 11:25</FONT>
<BR><B><FONT SIZE=1 FACE="Tahoma">To: </FONT></B> <FONT SIZE=1 FACE="Tahoma">'syslog-ng@lists.balabit.hu.'</FONT>
<BR><B><FONT SIZE=1 FACE="Tahoma">Subject: </FONT></B> <FONT SIZE=1 FACE="Tahoma">Cisco IOS message format</FONT>
</P>
<P><FONT FACE="Calibri">Hi All,</FONT>
</P>
<P><FONT FACE="Calibri">I am struggling to get syslog-ng to output the correct format for Cisco IOS devices. I am using syslog-ng to forward messages to an NMS system. The issue I see is that syslog-ng, upon forwarding, adds more data to the message; I am assuming it does not understand the Cisco IOS syslog format.</FONT></P>
<P><FONT FACE="Calibri">Version of syslog-ng:</FONT>
</P>
<P><FONT FACE="Calibri">Name : syslog-ng Relocations: (not relocatable)</FONT>
<BR><FONT FACE="Calibri">Version : 2.1.4 Vendor: Fedora Project</FONT>
<BR><FONT FACE="Calibri">Release : 9.el5 Build Date: Mon 16 May 2011 15:09:47 BST</FONT>
<BR><FONT FACE="Calibri">Install Date: Fri 21 Oct 2011 12:26:04 BST Build Host: x86-01.phx2.fedoraproject.org</FONT>
<BR><FONT FACE="Calibri">Group : System Environment/Daemons Source RPM: syslog-ng-2.1.4-9.el5.src.rpm</FONT>
</P>
<P><FONT FACE="Calibri">Cisco IOS statements:</FONT>
</P>
<P><FONT FACE="Calibri">service timestamps log datetime msec localtime show-timezone</FONT>
<BR><FONT FACE="Calibri">logging trap notifications</FONT>
<BR><FONT FACE="Calibri">logging facility local6</FONT>
</P>
<P><FONT FACE="Calibri">Syslog format in the local file:</FONT>
</P>
<P><FONT FACE="Calibri">Nov 10 10:18:44.102 UTC: %SYS-5-CONFIG_I: Configured from console by testuser on vty0 (1.2.3.4)</FONT>
</P>
<P><FONT FACE="Calibri">Syslog-ng conf file:</FONT>
</P>
<PRE>options {
    sync(0);
    time_reopen(10);
    log_fifo_size(1000);
    long_hostnames(off);
    check_hostname(yes);
    keep_hostname(yes);
    chain_hostnames(no);
    use_time_recvd(yes);
};</PRE>
<P><FONT FACE="Calibri">template("$MSGONLY\n")</FONT>
</P>
<BR>
<BR>
<P><FONT FACE="Calibri">When I perform a TCPDUMP and view the incoming message and then the forwarded message, I can see that syslog-ng adds more data to the MESSAGE aspect of the syslog.</FONT></P>
<P><FONT FACE="Calibri">Has anyone been able to create a filter or template that manages this format, so that the syslog is not changed when it is forwarded on to another receiver? At present syslog-ng is adding the $DATE and $HOST to the message.</FONT></P>
<P><FONT FACE="Calibri">Thanks in advance</FONT>
<BR><FONT FACE="Calibri">James</FONT>
</P>
<BR>
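<P>An added illustration, not part of the original post and not syslog-ng's own parser: RFC 3164 section 4.3 requires a relay that finds no valid "Mmm dd hh:mm:ss" TIMESTAMP to prepend its own timestamp and hostname and treat the rest of the packet as message content, which is the kind of rewrite described above. The datagrams, the PRI value 181 (local6.notice) and the name router1 are constructed; whether syslog-ng 2.1.4 applies exactly this rule is an assumption.</P>

```python
import re
from datetime import datetime

MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
# The TIMESTAMP has no milliseconds, no timezone and no trailing colon.
RFC3164 = re.compile(
    rf"^<(?P<pri>\d{{1,3}})>"
    rf"(?P<ts>(?:{MONTHS}) [ \d]\d \d\d:\d\d:\d\d) "
    rf"(?P<host>[^\s:]+) (?P<msg>.*)$", re.S)
PRI_ONLY = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)

# Constructed datagrams. CISCO carries the line from the post behind an
# assumed PRI; BSD is the same event written with a plain RFC 3164 header.
CISCO = ("<181>Nov 10 10:18:44.102 UTC: %SYS-5-CONFIG_I: Configured from "
         "console by testuser on vty0 (1.2.3.4)")
BSD = ("<181>Nov 10 10:18:44 router1 %SYS-5-CONFIG_I: Configured from "
       "console by testuser on vty0 (1.2.3.4)")


def relay(datagram, sender, now):
    """Model the RFC 3164 relay rule.

    Returns (header_was_valid, forwarded_text). A packet with a valid
    header is forwarded untouched; otherwise the relay prepends its own
    TIMESTAMP and the sender's name, and the whole original text after
    the PRI becomes message content.
    """
    text = datagram.rstrip("\n")
    if RFC3164.match(text):
        return True, text
    m = PRI_ONLY.match(text)
    # RFC 3164 section 4.3.3: a packet without a PRI is given PRI 13.
    pri, rest = (m["pri"], m["rest"]) if m else ("13", text)
    # Day of month is space padded, not zero padded.
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return False, f"<{pri}>{stamp} {sender} {rest}"


if __name__ == "__main__":
    received = datetime(2011, 11, 10, 10, 18, 45)  # constructed receive time
    for name, pkt in (("cisco", CISCO), ("bsd", BSD)):
        valid, out = relay(pkt, "router1", received)
        print(f"{name}: header valid={valid}\n  in : {pkt}\n  out: {out}")
```

<P>Comparing the "in" and "out" lines against a packet capture from both sides of the relay shows whether the bytes added on the wire are a relay-generated header or part of the destination template.</P>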
</BODY>
</HTML>