<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">Hello,<br>
      <br>
      When the no-parse flag is used then the macros referencing various
      parts of the message aren't filled in. HOST could get looked up
      using a reverse DNS lookup unless the keep_hostname option is set.
      The syslog priority is set to user.notice when parsing is
      disabled.<br>
      <br>
      Did you take a look at the existing cisco parser? Using it or
      adopting it should ease your job. If you could configure the
      Ciscos to use a different port from everything else (which speaks
      syslog; Cisco devices usually aren't such...), that would be even
      better.<br>
      <br>
      Regards,<br>
      Sandor<br>
      <br>
      On 02/26/2019 05:36 PM, N. Max Pierson wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAD69L81X+76c+U=3ZRU635m-AmaRcekSTzegoNmJEO-iYD1Fpg@mail.gmail.com">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <div dir="ltr">
        <div dir="ltr">
          <div dir="ltr">
            <div dir="ltr">
              <div dir="ltr">Hi List,
                <div><br>
                </div>
                <div>I have been trying to get something in place that
                  can parse syslogs from various Cisco devices. The
                  message format is almost the same with a few
                  exceptions. Here is what I have tried and it works but
                  now it has created another problem I do not know how
                  to troubleshoot.</div>
                <div><br>
                </div>
                <div>So that I could see exactly what was being parsed,
                  I disabled the default parsing using the below.</div>
                <div><br>
                </div>
                <div>source s_network { udp(ip(0.0.0.0) port(514)
                  flags(no-parse)); };<br>
                </div>
                <div><br>
                </div>
                <div>rewrite r_cisco{
subst('^<\d+>(\d+:|:)\s+(\.\w+|\w+)\s+\d+\s+\d+\s\d+:\d+:\d+:\s|^<\d+>:\s+\d+\s+\w+\s+\d+\s+\d+:\d+:\d+\s\w+:\s|^<\d+>(\d+:|:)\s',
                  "", value("MESSAGE"), type("pcre"),
                  flags("ignore-case")); };<br>
                </div>
                <div><br>
                </div>
                <div>
                  <div>destination d_mysql {</div>
                  <div>    sql(type(mysql)</div>
                  <div>    host("127.0.0.1")</div>
                  <div>    username("syslog-ng")</div>
                  <div>    password("password")</div>
                  <div>    database("syslog")</div>
                  <div>    table("messages_${HOST}")</div>
                  <div>    columns("datetime datetime", "host
                    varchar(50)", "level varchar(10)", "message text")</div>
                  <div>    values("${R_YEAR}-${R_MONTH}-${R_DAY}
                    ${R_HOUR}:${R_MIN}:${R_SEC}", "${HOST}", "${LEVEL}",
                    "${MESSAGE}")</div>
                  <div>    indexes("datetime", "level")</div>
                  <div>    );</div>
                  <div>};</div>
                </div>
                <div><br>
                </div>
                <div>log { source(s_network); rewrite(r_cisco);
                  destination(d_mysql); };<br>
                </div>
                <div><br>
                </div>
                <div>This works perfectly as it formats the message as I
                  want and covers IOS and NX-OS devices. The problem is
                  that when I turned off the default parser, all of my
                  logs show "notice" in the $LEVEL macro and it doesn't
                  reflect the real message header level. The $HOST macro
                  still works fine, however.</div>
                <div><br>
                </div>
                <div>Is this the expected behavior, that the message
                  header fields are not parsed as well as the $MESSAGE
                  itself not being parsed? How can I map the header level
                  field properly to the $LEVEL macro if I disable the
                  default parser?</div>
                <div><br>
                </div>
                <div>Regards,</div>
                <div>Max</div>
                <div><br>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <br>
      <pre wrap="">______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a>

</pre>
    </blockquote>
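<p>An added worked example (not from either poster, nor from syslog-ng itself) of what the reply above describes: with <code>flags(no-parse)</code> the whole datagram, <code>&lt;PRI&gt;</code> included, lands in $MESSAGE, $LEVEL falls back to notice (user.notice), and nothing recovers the real severity unless you parse it yourself. The script below does that parsing in Python for the same Cisco formats the rewrite targets: it reads the numeric PRI, splits it into facility and severity (PRI = facility * 8 + severity, per RFC 3164), applies the poster's PCRE expression unchanged to strip the IOS/NX-OS header, and cross-checks the PRI severity against the severity digit in the Cisco <code>%FACILITY-SEVERITY-MNEMONIC</code> identifier, which catches exactly the case where a relay has reset the priority to user.notice. The sample lines are constructed, not captured from real devices; the facility names for values 12-15 and the field names in the returned dict are my own choices.</p>

```python
import re

# Syslog severity names indexed by numeric value (RFC 3164 / RFC 5424); these are
# the names syslog-ng places in the $LEVEL macro.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Facility names indexed by numeric value. 0-11 and 16-23 are standard; the names
# used here for 12-15 are an assumption (they differ between implementations).
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
                  "solaris-cron"] + ["local%d" % i for i in range(8)]

# Priority syslog-ng assigns when it does not parse the header: user.notice (1*8+5).
DEFAULT_PRI = 1 * 8 + 5

# A leading "<PRI>" as sent by a syslog client.
PRI_RE = re.compile(r"^<(\d{1,3})>")

# The header-stripping expression from the post, copied unchanged. Python's re
# module accepts it as written (\d, \s, \w, groups and alternation behave as in PCRE).
CISCO_HEADER_RE = re.compile(
    r"^<\d+>(\d+:|:)\s+(\.\w+|\w+)\s+\d+\s+\d+\s\d+:\d+:\d+:\s"
    r"|^<\d+>:\s+\d+\s+\w+\s+\d+\s+\d+:\d+:\d+\s\w+:\s"
    r"|^<\d+>(\d+:|:)\s",
    re.IGNORECASE,
)

# Cisco message identifier at the start of the body: %FACILITY-SEVERITY-MNEMONIC:
CISCO_ID_RE = re.compile(r"^%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):")


def parse_cisco_syslog(line):
    """Split one raw line into syslog priority fields and the Cisco message body.

    Returns a dict with pri/facility/level (what $FACILITY and $LEVEL would hold
    if the header were parsed), the body left after the post's rewrite, the parts
    of the Cisco identifier, and a flag set when the <PRI> severity disagrees with
    the severity digit inside that identifier.
    """
    m = PRI_RE.match(line)
    if m and int(m.group(1)) <= 191:          # RFC 3164: PRI is 0..191
        pri = int(m.group(1))
    else:
        pri = DEFAULT_PRI                     # no (valid) PRI: fall back like syslog-ng
    facility, severity = divmod(pri, 8)

    body = CISCO_HEADER_RE.sub("", line, count=1)
    if body == line and m:
        body = line[m.end():].lstrip()        # PRI present but no recognised Cisco header

    cid = CISCO_ID_RE.match(body)
    cisco_severity = int(cid.group(2)) if cid else None
    return {
        "pri": pri,
        "facility": FACILITY_NAMES[facility],
        "level": SEVERITY_NAMES[severity],
        "message": body,
        "cisco_facility": cid.group(1) if cid else None,
        "cisco_severity": cisco_severity,
        "cisco_mnemonic": cid.group(3) if cid else None,
        "severity_mismatch": cisco_severity is not None and cisco_severity != severity,
    }


# Constructed sample lines (not captured from real devices):
#  1. IOS with "service timestamps log datetime year"
#  2. NX-OS
#  3. IOS without timestamps (third alternative of the rewrite)
#  4. an IOS message whose priority a relay has rewritten to user.notice (<13>)
#  5. a body with no <PRI> at all
SAMPLE_LINES = [
    "<189>45: Feb 26 2019 17:36:12: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<189>: 2019 Feb 26 17:36:13 UTC: %ETHPORT-5-IF_DOWN_LINK_FAILURE: Interface Ethernet1/1 is down (Link failure)",
    "<190>46: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.1(4123) -> 10.2.2.2(22), 1 packet",
    "<13>47: Feb 26 2019 17:36:14: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
]


def parse_all(lines=SAMPLE_LINES):
    """Parse every line; returns one dict per line in input order."""
    return [parse_cisco_syslog(line) for line in lines]


if __name__ == "__main__":
    for r in parse_all():
        flag = "  <-- PRI severity disagrees with Cisco identifier" if r["severity_mismatch"] else ""
        print("%s.%s %s%s" % (r["facility"], r["level"], r["message"], flag))
```

<p>Note that none of these formats carries a hostname, which is why $HOST is unaffected by <code>no-parse</code>: it comes from the sender address (or its reverse lookup unless <code>keep_hostname()</code> is set), not from the message text.</p>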
    <p><br>
    </p>
  </body>
</html>