You can use our docs as a guide if it helps:

http://demo.logzilla.net/help/receiving_data/cisco_ios_configuration

 

We have also encountered issues with some Cisco gear when the show-timezone command is not used (hosts will come in without a hostname, just a ":" instead).

 

For example:

 

On some Cisco IOS versions, it is imperative that this portion of the command be included. Without it, the syslog daemon may detect your device's hostname as a : instead of the actual hostname.

For example:

Hostname Missing

0    :    189    UTC    %SYS-5-CONFIG_I: Configured from console by user1 on vty3 (192.168.2.207)

Correct Hostname

0    192.168.2.252    189    UTC    %SYS-5-CONFIG_I: Configured from console by user1 on vty3 (192.168.2.207)


From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of "N. Pierson" <nmaxpierson@gmail.com>
Reply-To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Date: Tuesday, February 26, 2019 at 12:11 PM
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Problems parsing Cisco syslogs

 

I have all devices configured with this exact command minus the show-timezone option and it doesn't seem to make a difference.

 

On Tue, Feb 26, 2019 at 11:03 AM Nik Ambrosch <nik@ambrosch.com> wrote:

I had a similar issue. Could you try installing this logging configuration on your Cisco devices?

 

service timestamps log datetime msec localtime show-timezone


On Tue, Feb 26, 2019 at 11:36 AM N. Max Pierson <nmaxpierson@gmail.com> wrote:

Hi List,

 

I have been trying to get something in place that can parse syslogs from various Cisco devices. The message format is almost the same with a few exceptions. Here is what I have tried and it works but now it has created another problem I do not know how to troubleshoot.

 

So that I could see exactly what was being parsed, I disabled the default parsing using the below.

 

# no-parse hands the raw datagram through untouched, so $MESSAGE still carries
# the <PRI> and the Cisco header, and the header fields are not decoded.
source s_network { udp(ip(0.0.0.0) port(514) flags(no-parse)); };

# Strip the leading <PRI>, sequence number and timestamp in the variants seen
# on IOS and NX-OS devices, leaving only the %FACILITY-SEVERITY-MNEMONIC text.
rewrite r_cisco { subst('^<\d+>(\d+:|:)\s+(\.\w+|\w+)\s+\d+\s+\d+\s\d+:\d+:\d+:\s|^<\d+>:\s+\d+\s+\w+\s+\d+\s+\d+:\d+:\d+\s\w+:\s|^<\d+>(\d+:|:)\s', "", value("MESSAGE"), type("pcre"), flags("ignore-case")); };

# One table per sending host; datetime comes from the receive-time macros.
destination d_mysql {
    sql(type(mysql)
    host("127.0.0.1")
    username("syslog-ng")
    password("password")
    database("syslog")
    table("messages_${HOST}")
    columns("datetime datetime", "host varchar(50)", "level varchar(10)", "message text")
    values("${R_YEAR}-${R_MONTH}-${R_DAY} ${R_HOUR}:${R_MIN}:${R_SEC}", "${HOST}", "${LEVEL}", "${MESSAGE}")
    indexes("datetime", "level")
    );
};

log { source(s_network); rewrite(r_cisco); destination(d_mysql); };

 

This works perfectly as it formats the message as I want and covers IOS and NX-OS devices. The problem is that since I turned off the default parser, all of my logs show "notice" in the $LEVEL macro and it doesn't reflect the real message header level. The $HOST macro still works fine, however.

 

Is this the expected behavior, that the message header fields are not parsed as well as the $MESSAGE itself not being parsed? How can I map the header level field properly to the $LEVEL macro if I disable the default parser?

 

Regards,

Max

 

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
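As an added example (not from the thread and not syslog-ng code), this is what the header parsing that flags(no-parse) switches off amounts to for the Cisco lines discussed above: decode the leading <PRI> into facility and severity, then cross-check that severity against the digit in the Cisco %FACILITY-SEVERITY-MNEMONIC token, a cheap consistency check for a collector. The sample datagrams are constructed.

```python
import re

# RFC 3164 severity names, indexed by the low three bits of PRI.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample datagrams in the shapes the thread's rewrite rule strips:
# IOS with a sequence number, NX-OS with a year-first timestamp, and a line whose
# PRI severity does not agree with the Cisco %FACILITY-SEVERITY-MNEMONIC token.
SAMPLES = [
    "<189>45: *Feb 26 11:36:00.123 UTC: %SYS-5-CONFIG_I: Configured from console by user1 on vty3 (192.168.2.207)",
    "<189>: 2019 Feb 26 11:36:00 UTC: %SYS-5-CONFIG_I: Configured from console by user1 on vty3 (192.168.2.207)",
    "<189>46: *Feb 26 11:37:10.001 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
]

PRI_RE = re.compile(r"^<(\d{1,3})>")
MNEMONIC_RE = re.compile(r"%[A-Z0-9_]+-(\d)-[A-Z0-9_]+")


def decode_pri(line):
    """Return (facility, severity_name) from the leading <PRI>, or None if absent/invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # facility 23 (local7) is the highest defined value
        return None
    return pri // 8, SEVERITIES[pri % 8]


def cisco_severity(line):
    """Severity digit carried inside the Cisco %FACILITY-SEVERITY-MNEMONIC token, or None."""
    m = MNEMONIC_RE.search(line)
    return int(m.group(1)) if m else None


def classify(line):
    """Derive the level syslog-ng would take from PRI and cross-check it against the
    Cisco mnemonic. With flags(no-parse) neither step runs and $LEVEL stays at the
    default 'notice', which is the symptom described in the thread."""
    decoded = decode_pri(line)
    if decoded is None:
        return {"facility": None, "level": "notice", "consistent": False}
    facility, level = decoded
    sev = cisco_severity(line)
    return {"facility": facility, "level": level,
            "consistent": sev is None or SEVERITIES[sev] == level}


if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), line[:45])
```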
