<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Hi <span style="color: rgb(32, 31, 30); font-family: "Segoe UI", "Segoe UI Web (West European)", "Segoe UI", -apple-system, BlinkMacSystemFont, Roboto, "Helvetica Neue", sans-serif; background-color: rgb(255, 255, 255); display: inline !important">Ciprian,</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<span style="color: rgb(32, 31, 30); font-family: "Segoe UI", "Segoe UI Web (West European)", "Segoe UI", -apple-system, BlinkMacSystemFont, Roboto, "Helvetica Neue", sans-serif; background-color: rgb(255, 255, 255); display: inline !important"><br>
</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<span style="color: rgb(32, 31, 30); font-family: "Segoe UI", "Segoe UI Web (West European)", "Segoe UI", -apple-system, BlinkMacSystemFont, Roboto, "Helvetica Neue", sans-serif; background-color: rgb(255, 255, 255); display: inline !important">Cisco logs have
been known to ignore RFC3164 log format and therefore needs to be parsed specially.</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<span style="color: rgb(32, 31, 30); font-family: "Segoe UI", "Segoe UI Web (West European)", "Segoe UI", -apple-system, BlinkMacSystemFont, Roboto, "Helvetica Neue", sans-serif; background-color: rgb(255, 255, 255); display: inline !important"><br>
</span></div>
<div style="font-size: 11pt;"><font color="#201f1e">In syslog-ng there is a dedicated cisco-parser() to handle some known Cisco formats.</font></div>
<div style="font-size: 11pt;"><font color="#201f1e"><a href="https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.22/administration-guide/72#TOPIC-1209348" id="LPlnk540462">https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.22/administration-guide/72#TOPIC-1209348</a><br>
</font></div>
<div style="font-size: 11pt;">Please don't forget to set "no-parse" flag. </div>
<div style="font-size: 11pt;"> source { udp(flags(no-parse)); };<br>
</div>
<div style="font-size: 11pt;"><br>
</div>
<div style="font-size: 11pt;">The problem with using a dedicated parser is that if you pass a log message with different format than the parser expects, </div>
<div style="font-size: 11pt;">the parsing result can be wrong, or some parser even drops the message.</div>
<div style="font-size: 11pt;">Therefore you need to route the different message formats on different channels to do parsing on.</div>
<div style="font-size: 11pt;"><br>
</div>
<div style="font-size: 11pt;">For convenience, there is a source driver called "default-network-driver()" which opens and listens on the common ports and formats and then </div>
<div style="font-size: 11pt;">it parses the message automatically based on some message characteristics, i.e. if it detects that a message has a cisco format, it parses it with cisco-parser():</div>
<div style="font-size: 11pt;">Ports opened by default:<br>
<span>
<ul>
<li><span>514, both TCP and UDP, for RFC3164 (BSD-syslog) formatted traffic</span></li><li>601 TCP, for RFC5424 (IETF-syslog) formatted traffic</li><li>6514 TCP, for TLS-encrypted traffic<br>
</li></ul>
</span>
<div>Detailed documentation:<br>
<a href="https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.22/administration-guide/17#TOPIC-1209127" id="LPlnk330446" style="font-size: 11pt;">https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.22/administration-guide/17#TOPIC-1209127</a><br>
</div>
<div><br>
</div>
<div>Regards,</div>
<div>Gabor</div>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of ciprian niculescu <cnicules@gmail.com><br>
<b>Sent:</b> Tuesday, July 30, 2019 20:35<br>
<b>To:</b> syslog-ng@lists.balabit.hu <syslog-ng@lists.balabit.hu><br>
<b>Subject:</b> [syslog-ng] cisco templetes</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.<br>
<br>
<br>
Hello,<br>
<br>
i'm building a syslog relay to collect and duplicate the flows to<br>
multiple destinations.<br>
but the relayed messages are strange looking.<br>
my source are cisco network devices (catalyst, nexus, asa) and i want<br>
to relay to a Solarwinds, Splunk and a linux-syslog for archiving.<br>
<br>
i search the net for a templete but found none.<br>
What i got so far is that the catalyst is sending in syslog bsd<br>
format, but with the relay configured to source bsd and destination<br>
bsd, the end message is different (the date is doubled, the relay add<br>
his IP)<br>
<br>
any help is appreciated.<br>
<br>
Regards,<br>
<br>
Ciprian<br>
______________________________________________________________________________<br>
Member info: <a href="https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=02%7C01%7Cgabor.nagy%40oneidentity.com%7C78b4a839cdc048b2f1d308d7151cc2c4%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637001085606850183&sdata=NfDwArjXF2rTuXIkXtUbE8tmsi095EkX5lgLn3EbFD0%3D&reserved=0">
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=02%7C01%7Cgabor.nagy%40oneidentity.com%7C78b4a839cdc048b2f1d308d7151cc2c4%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637001085606850183&sdata=NfDwArjXF2rTuXIkXtUbE8tmsi095EkX5lgLn3EbFD0%3D&reserved=0</a><br>
Documentation: <a href="https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=02%7C01%7Cgabor.nagy%40oneidentity.com%7C78b4a839cdc048b2f1d308d7151cc2c4%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637001085606850183&sdata=4UJ8e%2FCy5qcLj%2BtY5jlDK9FA3yv0Md8im9BjfUxnbx0%3D&reserved=0">
https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=02%7C01%7Cgabor.nagy%40oneidentity.com%7C78b4a839cdc048b2f1d308d7151cc2c4%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637001085606850183&sdata=4UJ8e%2FCy5qcLj%2BtY5jlDK9FA3yv0Md8im9BjfUxnbx0%3D&reserved=0</a><br>
FAQ: <a href="https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=02%7C01%7Cgabor.nagy%40oneidentity.com%7C78b4a839cdc048b2f1d308d7151cc2c4%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637001085606860191&sdata=Cq0V%2F0nmydZ%2FOHcgY%2FHKaZuHnjoHh6grq%2BHYqX%2FgDEI%3D&reserved=0">
https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=02%7C01%7Cgabor.nagy%40oneidentity.com%7C78b4a839cdc048b2f1d308d7151cc2c4%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637001085606860191&sdata=Cq0V%2F0nmydZ%2FOHcgY%2FHKaZuHnjoHh6grq%2BHYqX%2FgDEI%3D&reserved=0</a><br>
<br>
</div>
</span></font></div>
</body>
</html>