<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hello,<br>
<br>
When the no-parse flag is used then the macros referencing various
parts of the message aren't filled in. HOST could get looked up
using a reverse DNS lookup unless the keep_hostname option is set.
The syslog priority is set to user.notice when parsing is
disabled.<br>
<br>
Did you take a look at the existing cisco parser? Using it or
adopting it should ease your job. If you could configure the
Ciscos to use other port than anything else (which speaks syslog,
Cisco devices usually aren't such...) would be even better.<br>
<br>
Regards,<br>
Sandor<br>
<br>
On 02/26/2019 05:36 PM, N. Max Pierson wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAD69L81X+76c+U=3ZRU635m-AmaRcekSTzegoNmJEO-iYD1Fpg@mail.gmail.com">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Hi List,
<div><br>
</div>
<div>I have been trying to get something in place that
can parse syslogs from various Cisco devices. The
message format is almost the same with a few
exceptions. Here is what I have tried and it works but
now it has created another problem I do not know how
to troubleshoot.</div>
<div><br>
</div>
<div>So that I could see exactly what was being parsed,
I disabled the default parsing using the below.</div>
<div><br>
</div>
<div>source s_network { udp(ip(0.0.0.0) port(514)
flags(no-parse)); };<br>
</div>
<div><br>
</div>
<div>rewrite r_cisco{
subst('^<\d+>(\d+:|:)\s+(\.\w+|\w+)\s+\d+\s+\d+\s\d+:\d+:\d+:\s|^<\d+>:\s+\d+\s+\w+\s+\d+\s+\d+:\d+:\d+\s\w+:\s|^<\d+>(\d+:|:)\s',
"", value("MESSAGE"), type("pcre"),
flags("ignore-case")); };<br>
</div>
<div><br>
</div>
<div>
<div>destination d_mysql {</div>
<div> sql(type(mysql)</div>
<div> host("127.0.0.1")</div>
<div> username("syslog-ng")</div>
<div> password("password")</div>
<div> database("syslog")</div>
<div> table("messages_${HOST}")</div>
<div> columns("datetime datetime", "host
varchar(50)", "level varchar(10)", "message text")</div>
<div> values("${R_YEAR}-${R_MONTH}-${R_DAY}
${R_HOUR}:${R_MIN}:${R_SEC}", "${HOST}", "${LEVEL}",
"${MESSAGE}")</div>
<div> indexes("datetime", "level")</div>
<div> );</div>
<div>};</div>
</div>
<div><br>
</div>
<div>log { source(s_network); rewrite(r_cisco);
destination(d_mysql); };<br>
</div>
<div><br>
</div>
<div>This works perfectly as it formats the message as I
want and covers IOS and NX-OS devices. The problem is
when I turned off the default parser, now all of my
logs show "notice" in the $LEVEL macro and doesn't
reflect the real message header level. The $HOST macro
still works fine however.</div>
<div><br>
</div>
<div>Is this the expected behavior that the message
header fields are not parsed as well as the $MESSAGE
itself not being parsed? How can map the header level
field properly to the $LEVEL marco if I disable the
default parser?</div>
<div><br>
</div>
<div>Regards,</div>
<div>Max</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a>
</pre>
</blockquote>
<p><br>
</p>
</body>
</html>