Hi All,

Can anyone assist with the issue below?

Thanks,
James
_____________________________________________
From: Wells, James
Sent: 10 November 2011 11:25
To: 'syslog-ng@lists.balabit.hu.'
Subject: Cisco IOS message format

Hi All,
I am struggling to get syslog-ng to output the correct format for Cisco IOS devices. I am using syslog-ng to forward messages to an NMS system. The issue I see is that syslog-ng, upon forwarding, adds more data to the message, as I am assuming it does not understand the Cisco IOS syslog format.
Version of syslog-ng:
Name        : syslog-ng                    Relocations: (not relocatable)
Version     : 2.1.4                        Vendor: Fedora Project
Release     : 9.el5                        Build Date: Mon 16 May 2011 15:09:47 BST
Install Date: Fri 21 Oct 2011 12:26:04 BST Build Host: x86-01.phx2.fedoraproject.org
Group       : System Environment/Daemons   Source RPM: syslog-ng-2.1.4-9.el5.src.rpm
Cisco IOS statements:
service timestamps log datetime msec localtime show-timezone
logging trap notifications
logging facility local6
Syslog format in the local file:
Nov 10 10:18:44.102 UTC: %SYS-5-CONFIG_I: Configured from console by testuser on vty0 (1.2.3.4)
Syslog-ng conf file:
options {
    sync(0);
    time_reopen(10);
    log_fifo_size(1000);
    long_hostnames(off);
    check_hostname(yes);
    keep_hostname(yes);
    chain_hostnames(no);
    use_time_recvd(yes);
};
template("$MSGONLY\n")
When I perform a TCPDUMP and view the incoming message and then the forwarded message I can see that syslog-ng adds more data to the MESSAGE aspect of the syslog.
Has anyone been able to create a filter or template that manages this format, so that the forwarding of the syslog onto another receiver is not changed, as syslog-ng is adding the $DATE and $HOST to the message?

Thanks in advance,
James
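Added example (not part of the original message, and not syslog-ng code): a Python parser for the IOS log layout quoted in the post, which can be run against captured payloads to see exactly which fields a relay or NMS receives. The parse_ios name, the caller-supplied year, and the optional <PRI> and sequence-number prefix are assumptions; the wire sample is constructed from the local6 facility named in the post.

```python
import re
from datetime import datetime

# Cisco IOS severity digits and their keyword names (0 is most severe).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Layout with "service timestamps log datetime msec localtime show-timezone":
#   Mmm dd hh:mm:ss.mmm TZ: %FACILITY-SEVERITY-MNEMONIC: text
# Assumption: on the wire a "<PRI>" and a sequence number may precede it.
IOS_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?:(?P<seq>\d+): )?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[A-Za-z]+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

def parse_ios(line, year):
    """Return a dict of fields, or None if the line is not in this layout."""
    m = IOS_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # IOS omits the year from the timestamp, so the caller supplies it.
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S.%f")
    # "facility" here is the IOS component (e.g. SYS), not the syslog facility.
    rec["sev"] = int(rec["sev"])
    rec["sev_name"] = SEVERITIES[rec["sev"]]
    if rec["pri"] is not None:
        # PRI = syslog facility * 8 + severity; local0..local7 are 16..23.
        rec["pri_facility"], rec["pri_severity"] = divmod(int(rec["pri"]), 8)
    return rec

# The line quoted in the post, and a constructed wire form of it:
# local6 is facility 22, so PRI = 22 * 8 + 5 = 181.
SAMPLE = ("Nov 10 10:18:44.102 UTC: %SYS-5-CONFIG_I: "
          "Configured from console by testuser on vty0 (1.2.3.4)")
WIRE_SAMPLE = "<181>" + SAMPLE
# Constructed line in the classic "date host program:" layout, for contrast.
NOT_IOS = "Nov 10 10:18:44 host sshd[1]: not IOS"

if __name__ == "__main__":
    for line in (SAMPLE, WIRE_SAMPLE, NOT_IOS):
        print(parse_ios(line, 2011))
```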