<div dir="ltr"><div dir="ltr">Here are 2 different samples of logs without the mnemonic, one is IOS and the other is NX-OS<div><br></div><div><div>IOS, no-parse log to file</div><div>--</div><div>Mar 1 16:06:07 hostname1 <185>78919861: -Traceback= 151644C 151763C 17F0094 1B8BDE8 1B82858</div><div><br></div><div><br></div><div>NX-OS, no-parse log to file</div><div>--</div><div>Mar 1 16:10:41 hostname1 <189>: 2019 Mar 1 16:10:41 CST: last message repeated 3 times</div></div><div><br></div><div>Regards,</div><div>Max</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Feb 28, 2019 at 5:45 PM Scheidler, Balázs <<a href="mailto:balazs.scheidler@oneidentity.com">balazs.scheidler@oneidentity.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Log samples would be appreciated.</div><br><div class="gmail_quote"><div dir="ltr">On Thu, Feb 28, 2019, 18:11 N. 
Max Pierson <<a href="mailto:nmaxpierson@gmail.com" target="_blank">nmaxpierson@gmail.com</a> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><h3 class="gmail-m_-1307092612606575568m_-7753228101678025534gmail-iw" style="overflow:hidden;white-space:nowrap;font-size:0.75rem;margin:inherit;text-overflow:ellipsis;font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif;letter-spacing:0.3px;color:rgb(95,99,104);line-height:20px"><span class="gmail-m_-1307092612606575568m_-7753228101678025534gmail-qu" style="outline:none"><span name="Scheidler, Balázs" class="gmail-m_-1307092612606575568m_-7753228101678025534gmail-gD" style="color:rgb(32,33,36);font-size:0.875rem;display:inline;vertical-align:top;letter-spacing:0.2px;line-height:20px;font-weight:normal">Balázs,</span></span></h3><div><span class="gmail-m_-1307092612606575568m_-7753228101678025534gmail-qu" style="outline:none"><span name="Scheidler, Balázs" class="gmail-m_-1307092612606575568m_-7753228101678025534gmail-gD" style="color:rgb(32,33,36);font-size:0.875rem;display:inline;vertical-align:top;letter-spacing:0.2px;line-height:20px;font-weight:normal"><br></span></span></div><div><span class="gmail-m_-1307092612606575568m_-7753228101678025534gmail-qu" style="outline:none"><span name="Scheidler, Balázs" class="gmail-m_-1307092612606575568m_-7753228101678025534gmail-gD" style="color:rgb(32,33,36);font-size:0.875rem;display:inline;vertical-align:top;letter-spacing:0.2px;line-height:20px;font-weight:normal">I modified the plugin.conf XML file (<a href="https://pastebin.com/9BruYy0S" rel="noreferrer" target="_blank">https://pastebin.com/9BruYy0S</a> - added lines 62-65) for the cisco-parser and I was able to capture NX-OS syslogs. I also noticed that the default parser is not matching syslogs that do not include the Cisco mnemonic (both for IOS and NX-OS). 
While I was able to fix the NX-OS issues (which was a date parsing problem), I'm not sure what needs to be changed/added in this file so that even logs that do not contain the mnemonic are matched. Can anyone shed some light on what part of this parser needs to be changed to resolve the issue? I can post some examples of a log that doesn't contain the mnemonic should you need them.</span></span></div><div><span class="gmail-m_-1307092612606575568m_-7753228101678025534gmail-qu" style="outline:none"><span name="Scheidler, Balázs" class="gmail-m_-1307092612606575568m_-7753228101678025534gmail-gD" style="color:rgb(32,33,36);font-size:0.875rem;display:inline;vertical-align:top;letter-spacing:0.2px;line-height:20px;font-weight:normal"><br></span></span></div><div><span class="gmail-m_-1307092612606575568m_-7753228101678025534gmail-qu" style="outline:none"><span name="Scheidler, Balázs" class="gmail-m_-1307092612606575568m_-7753228101678025534gmail-gD" style="color:rgb(32,33,36);font-size:0.875rem;display:inline;vertical-align:top;letter-spacing:0.2px;line-height:20px;font-weight:normal">Regards,</span></span></div><div><span class="gmail-m_-1307092612606575568m_-7753228101678025534gmail-qu" style="outline:none"><span name="Scheidler, Balázs" class="gmail-m_-1307092612606575568m_-7753228101678025534gmail-gD" style="color:rgb(32,33,36);font-size:0.875rem;display:inline;vertical-align:top;letter-spacing:0.2px;line-height:20px;font-weight:normal">Max</span></span></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Feb 26, 2019 at 11:14 AM Scheidler, Balázs <<a href="mailto:balazs.scheidler@oneidentity.com" rel="noreferrer" target="_blank">balazs.scheidler@oneidentity.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">The cisco-parser() should take care of messages from Cisco routers, assuming they were received using 
flags(no-parse). It will automatically detect timestamp formats, but it's not perfect, so if you encounter something that it doesn't properly parse, do let us know, so we can add it.<div dir="auto"><br></div><div dir="auto">Also, default-network-drivers() makes it possible to receive both Cisco and non-Cisco logs on the same port, automatically recognizing the appropriate format. This driver relies on the app-parser() framework, which can be extended by application-specific parsers. With that you can construct your specific source driver configuration if you find default-network-drivers() too complicated.</div><div dir="auto"><br></div><div dir="auto">You can find all of these in the documentation, and their source in the syslog-ng configuration library (scl for short, usually in /usr/share/syslog-ng/include/scl).</div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Feb 26, 2019, 18:08 Sandor Geller <<a href="mailto:sandor.geller@ericsson.com" rel="noreferrer" target="_blank">sandor.geller@ericsson.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<div class="gmail-m_-1307092612606575568m_-7753228101678025534gmail-m_5001367715343377916m_2558471824089517427moz-cite-prefix">Hello,<br>
<br>
When the no-parse flag is used, the macros referencing various
parts of the message aren't filled in. HOST could get looked up
using a reverse DNS lookup unless the keep_hostname option is set.
The syslog priority is set to user.notice when parsing is
disabled.<br>
<br>
Did you take a look at the existing Cisco parser? Using it or
adapting it should ease your job. If you could configure the
Ciscos to use a different port than everything else (which speaks syslog;
Cisco devices usually aren't such...), that would be even better.<br>
<br>
Regards,<br>
Sandor<br>
<br>
On 02/26/2019 05:36 PM, N. Max Pierson wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Hi List,
<div><br>
</div>
<div>I have been trying to get something in place that
can parse syslogs from various Cisco devices. The
message format is almost the same, with a few
exceptions. Here is what I have tried; it works, but
it has now created another problem I do not know how
to troubleshoot.</div>
<div><br>
</div>
<div>So that I could see exactly what was being parsed,
I disabled the default parsing using the below.</div>
<div><br>
</div>
<pre>source s_network { udp(ip(0.0.0.0) port(514) flags(no-parse)); };

rewrite r_cisco {
    subst('^<\d+>(\d+:|:)\s+(\.\w+|\w+)\s+\d+\s+\d+\s\d+:\d+:\d+:\s|^<\d+>:\s+\d+\s+\w+\s+\d+\s+\d+:\d+:\d+\s\w+:\s|^<\d+>(\d+:|:)\s',
          "", value("MESSAGE"), type("pcre"), flags("ignore-case"));
};

destination d_mysql {
    sql(type(mysql)
        host("127.0.0.1")
        username("syslog-ng")
        password("password")
        database("syslog")
        table("messages_${HOST}")
        columns("datetime datetime", "host varchar(50)", "level varchar(10)", "message text")
        values("${R_YEAR}-${R_MONTH}-${R_DAY} ${R_HOUR}:${R_MIN}:${R_SEC}", "${HOST}", "${LEVEL}", "${MESSAGE}")
        indexes("datetime", "level")
    );
};

log { source(s_network); rewrite(r_cisco); destination(d_mysql); };</pre>
<div><br>
</div>
<div>This works perfectly, as it formats the message as I
want and covers IOS and NX-OS devices. The problem is
that when I turned off the default parser, all of my
logs show "notice" in the $LEVEL macro, which doesn't
reflect the real message header level. The $HOST macro
still works fine, however.</div>
<div><br>
</div>
<div>Is it the expected behavior that the message
header fields are not parsed, as well as the $MESSAGE
itself not being parsed? How can I map the header level
field properly to the $LEVEL macro if I disable the
default parser?</div>
<div><br>
</div>
<div>Regards,</div>
<div>Max</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="gmail-m_-1307092612606575568m_-7753228101678025534gmail-m_5001367715343377916m_2558471824089517427mimeAttachmentHeader"></fieldset>
<br>
<pre>______________________________________________________________________________
Member info: <a class="gmail-m_-1307092612606575568m_-7753228101678025534gmail-m_5001367715343377916m_2558471824089517427moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="gmail-m_-1307092612606575568m_-7753228101678025534gmail-m_5001367715343377916m_2558471824089517427moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="gmail-m_-1307092612606575568m_-7753228101678025534gmail-m_5001367715343377916m_2558471824089517427moz-txt-link-freetext" href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a>
</pre>
</blockquote>
<p><br>
</p>
</div>
<br>
</blockquote></div>
<br>
</blockquote></div>
<br>
</blockquote></div>
<br>
</blockquote></div>
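<p>The two questions running through this thread, why $LEVEL sits at "notice" once flags(no-parse) is used and how to match the IOS and NX-OS lines that carry no mnemonic, can be worked through with a small parser. The following is an added example, not code from the thread, from the cisco-parser() or from syslog-ng: it reads a syslog-ng file-destination line of a no-parse message, derives facility and severity from the PRI field the way the default parser would (PRI = facility * 8 + severity, so &lt;185&gt; is local7.alert and &lt;13&gt; is the user.notice Sandor mentions), then strips the IOS sequence number, the IOS or NX-OS device timestamp and the optional %FACILITY-SEVERITY-MNEMONIC header. The first two sample lines are the ones Max posted; the two lines with a mnemonic, the second host name and the regular expressions are constructed here for illustration.</p>

```python
import re
from typing import Dict, List, Optional, Tuple

# Facility and severity names for the syslog PRI field (PRI = facility * 8 + severity).
# Facilities 12-15 use syslog-ng's $FACILITY spellings; other tools name them differently.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# A file-destination line holding a flags(no-parse) message: syslog-ng prepends its own
# receive timestamp and the sender, then writes the datagram exactly as received.
OUTER_RE = re.compile(
    r"^(?P<recv_time>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+<(?P<pri>\d{1,3})>(?P<payload>.*)$"
)
# IOS sequence number ("78919861:") or the bare colon both IOS and NX-OS emit without one.
SEQ_RE = re.compile(r"^(?P<seq>\d+)?:\s*")
# Device timestamp. IOS: "*Mar  1 16:12:03.511:" (optional year after the day; "*" or "."
# marks an unsynchronised clock). NX-OS: "2019 Mar 1 16:10:41 CST:" (year first).
TS_RE = re.compile(
    r"^(?P<ts>[*.]?(?:\d{4}\s+)?[A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d{4}\s+)?"
    r"\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?(?:\s+[A-Z]{3,5})?):\s*"
)
# Cisco message header %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC:
MNEMONIC_RE = re.compile(
    r"^%(?P<cfac>[A-Z][A-Z0-9_]*)(?:-(?P<csub>[A-Z][A-Z0-9_]*))?"
    r"-(?P<csev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*"
)

# Sample input: the first two lines are the mnemonic-less IOS and NX-OS lines quoted in
# this thread; the last two are constructed here so a mnemonic header is exercised too.
SAMPLES = [
    "Mar 1 16:06:07 hostname1 <185>78919861: -Traceback= 151644C 151763C 17F0094 1B8BDE8 1B82858",
    "Mar 1 16:10:41 hostname1 <189>: 2019 Mar 1 16:10:41 CST: last message repeated 3 times",
    "Mar 1 16:12:03 hostname1 <189>78919862: *Mar  1 16:12:03.511: %SYS-5-CONFIG_I: "
    "Configured from console by vty0 (192.0.2.10)",
    "Mar 1 16:13:44 hostname2 <189>: 2019 Mar  1 16:13:44 CST: %ETHPORT-5-IF_DOWN_ADMIN_DOWN: "
    "Interface Ethernet1/1 is down (Administratively down)",
]


def parse_pri(pri: int) -> Tuple[str, str]:
    """Split a PRI value into (facility, severity) names. Out-of-range values are rejected
    rather than silently mapped: a bad PRI means the sender is not speaking syslog."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} outside the valid range 0-191")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_cisco_line(line: str) -> Dict[str, object]:
    """Parse one no-parse file line. Severity comes from the PRI header, so it is right
    whether or not the message body carries a Cisco mnemonic."""
    m = OUTER_RE.match(line)
    if m is None:
        raise ValueError(f"not a no-parse file line with a PRI header: {line!r}")
    facility, severity = parse_pri(int(m["pri"]))
    payload = m["payload"]

    seq: Optional[int] = None
    sm = SEQ_RE.match(payload)
    if sm:
        seq = int(sm["seq"]) if sm["seq"] else None
        payload = payload[sm.end():]

    device_time = None
    tm = TS_RE.match(payload)
    if tm:
        device_time = tm["ts"]
        payload = payload[tm.end():]

    mnemonic = mnemonic_severity = None
    mm = MNEMONIC_RE.match(payload)
    if mm:
        mnemonic = payload[: mm.end("mnem")]  # e.g. "%SYS-5-CONFIG_I"
        mnemonic_severity = SEVERITIES[int(mm["csev"])]
        payload = payload[mm.end():]

    return {
        "recv_time": m["recv_time"],
        "host": m["host"],
        "facility": facility,  # what the default parser would put in $FACILITY
        "severity": severity,  # what the default parser would put in $LEVEL
        "seq": seq,
        "device_time": device_time,
        "mnemonic": mnemonic,
        # The digit inside the mnemonic should agree with the PRI severity; a mismatch
        # points at a device whose logging severity mapping was changed from the default.
        "severity_mismatch": mnemonic_severity is not None and mnemonic_severity != severity,
        "message": payload.strip(),
    }


def parse_all(lines: List[str] = SAMPLES) -> List[Dict[str, object]]:
    return [parse_cisco_line(line) for line in lines]


if __name__ == "__main__":
    for rec in parse_all():
        print(f"{rec['host']} {rec['facility']}.{rec['severity']:<7} "
              f"{rec['mnemonic'] or '(no mnemonic)'} -> {rec['message']}")
```

<p>The point of separating the stages is that a line without a mnemonic still yields a correct facility and severity from the PRI alone, and the remaining text after the sequence number and device timestamp is exactly what Max's subst() is trying to leave in $MESSAGE. Rejecting PRI values above 191 instead of clamping them keeps a malformed or non-syslog sender from being recorded as a plausible-looking level.</p>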