<div dir="ltr">Hello Gyu,<div><br></div><div><i><span style="font-size:12.8000001907349px">What would you patch?</span><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">Do you think that is that neccessary?</span></i><br></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px">The patch that has already been installed and what it does is the following:</span></div><div><span style="font-size:12.8000001907349px">- Look for the logs that contain this String "</span><span style="color:rgb(31,73,125);font-family:'Century Gothic',sans-serif;font-size:10pt">%BGP-3-INVALID_MPLS:
Invalid MPLS label (1)</span><span style="font-size:12.8000001907349px">" in the cisco.log file. For example, this could be one match: "</span><span style="color:rgb(31,73,125);font-family:'Century Gothic',sans-serif;font-size:10pt">Mar 13 10:33:14 PE06PVAL01 1182434: Mar
13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1)</span><span style="font-size:12.8000001907349px">"</span><span style="font-size:12.8000001907349px"><br></span></div><p class="MsoNormal"><span lang="ES-CL" style="font-size:10pt;font-family:'Century Gothic',sans-serif;color:rgb(31,73,125)"></span></p><div><span style="font-size:12.8000001907349px">- Look for the corresponding next line for the line found in the step before. For example, this is the log line for the log mentioned before: "</span><span style="color:rgb(31,73,125);font-family:'Century Gothic',sans-serif;font-size:10pt">Mar 13 10:33:14 PE06PVAL01
1182435: received in
update for prefix 16629:1735:A.B.C.D/24 from X.X.X.X</span><span style="font-size:12.8000001907349px">"</span></div><div><span style="font-size:12.8000001907349px">- Generate a new line and print it in the cisco.log file. For the example, the new line would be: "</span><span style="color:rgb(31,73,125);font-family:'Century Gothic',sans-serif;font-size:13.3333330154419px">Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1) </span><span style="color:rgb(31,73,125);font-family:'Century Gothic',sans-serif;font-size:13.3333330154419px">received in update for prefix 16629:1735:A.B.C.D/24 from X.X.X.X</span><span style="font-size:12.8000001907349px">"</span></div><div><span style="font-size:12.8000001907349px">- The syslog-ng running on the Server A will send the complete line to another server (Server B) who is listening to all logs coming from Server A</span></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px">Yes, I do think it was necessary.</span></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px"><i>How urgent is this log concatenation project for you?</i></span><br style="font-size:12.8000001907349px"></div><div><span style="font-size:12.8000001907349px">For the time being the patch is working well. However, i still need to implement the filter in syslog-ng on Server B so that the line is discarded: </span><span style="color:rgb(31,73,125);font-family:'Century Gothic',sans-serif;font-size:13.3333330154419px">Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1)</span></div><div><span style="font-size:12.8000001907349px"> </span><span style="font-size:12.8000001907349px">And this line is accepted:</span></div><div><span style="color:rgb(31,73,125);font-family:'Century Gothic',sans-serif;font-size:13.3333330154419px"> </span><span style="color:rgb(31,73,125);font-family:'Century Gothic',sans-serif;font-size:13.3333330154419px">Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1) </span><span style="color:rgb(31,73,125);font-family:'Century Gothic',sans-serif;font-size:13.3333330154419px">received in update for prefix 16629:1735:A.B.C.D/24 from X.X.X.X</span><span style="font-size:12.8000001907349px">"</span></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px">It is not urgent. However, if you could tell me how to configure the filter in Syslog-ng; i would greatly appreciate it.</span><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><i><span style="font-size:12.8000001907349px">Some extra question: How extreme is the line breaking? Your log example was</span><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">the first I saw. (However, I did not configured bgp on cisco yet, I usually</span><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">worked with rip, when we needed dynamic routing. I worked with "internal"</span><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">networks, and did not worked with border gateways)</span></i></div><div><br></div><div><span style="font-size:12.8000001907349px">I understand that the line breaking is NOT extreme. Besides, this problem happens for only ONE log out of all the logs that arrive to the Syslog-ng server</span><br></div><div><br></div><div><br></div><div><br style="font-size:12.8000001907349px"><i><span style="font-size:12.8000001907349px">So, In your example the one log was splitted into two lines.</span><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">Is that possible, that it can splitted into more lines?</span><span style="font-size:12.8000001907349px"><br></span></i></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px">It could be splitted into more lines. Nonetheless, what i need is to generate a single line which i was already able to do by running the patch we created.</span><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px">Thank you so much for your help and attention.</span></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px">Best regards,</span></div><div><span style="font-size:12.8000001907349px">Alan</span></div><div><span style="font-size:12.8000001907349px"><br></span></div><p class="MsoNormal"><span style="font-size:10pt;font-family:'Century Gothic',sans-serif;color:rgb(31,73,125)"></span></p></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 19, 2015 at 5:01 AM, PÁSZTOR György <span dir="ltr"><<a href="mailto:pasztor@linux.gyakg.u-szeged.hu" target="_blank">pasztor@linux.gyakg.u-szeged.hu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello Alan,<br>
<span class=""><br>
"Alan Sam" <<a href="mailto:samsiu.a@gmail.com">samsiu.a@gmail.com</a>> írta 2015-05-18 16:26-kor:<br>
> Now we have a new situation regarding the syslog-ng configuration file:<br>
><br>
> - A patch had to be created in order to concat the log.<br>
<br>
</span>What would you patch?<br>
Do you think that is that neccessary?<br>
<br>
As I already wrote: I think, it can be solved with some smart patterndb<br>
rule.<br>
I already collected some types of cisco logs, since I worked with many<br>
Cisco devices earlier, and I know they are not to strict following any rule<br>
or rfc about logging.<br>
So, I think the ultimate weapon is patterndb, and as soon as I will have<br>
free time, I will create patterndb for cisco devices.<br>
<br>
But I can not promise you a deadline.<br>
<br>
How urgent is this log concatenation project for you?<br>
<br>
Some extra question: How extreme is the line breaking? Your log example was<br>
the first I saw. (However, I did not configured bgp on cisco yet, I usually<br>
worked with rip, when we needed dynamic routing. I worked with "internal"<br>
networks, and did not worked with border gateways)<br>
So, In your example the one log was splitted into two lines.<br>
Is that possible, that it can splitted into more lines?<br>
<div class="HOEnZb"><div class="h5"><br>
Kind regards,<br>
Gyu<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</div></div></blockquote></div><br></div>