Hi List,
I have been trying to get something in place that
can parse syslogs from various Cisco devices. The
message format is almost the same with a few
exceptions. Here is what I have tried; it works, but
now it has created another problem I do not know how
to troubleshoot.
So that I could see exactly what was being parsed,
I disabled the default parsing using the below.
source s_network {
    # no-parse: the datagram is stored as-is, nothing in the header is decoded
    udp(ip(0.0.0.0) port(514) flags(no-parse));
};

rewrite r_cisco {
    # strip the Cisco IOS / NX-OS header (PRI, sequence number, timestamp)
    subst('^<\d+>(\d+:|:)\s+(\.\w+|\w+)\s+\d+\s+\d+\s\d+:\d+:\d+:\s|^<\d+>:\s+\d+\s+\w+\s+\d+\s+\d+:\d+:\d+\s\w+:\s|^<\d+>(\d+:|:)\s',
          "", value("MESSAGE"), type("pcre"), flags("ignore-case"));
};

destination d_mysql {
    sql(type(mysql)
        host("127.0.0.1")
        username("syslog-ng")
        password("password")
        database("syslog")
        table("messages_${HOST}")
        columns("datetime datetime", "host varchar(50)", "level varchar(10)", "message text")
        values("${R_YEAR}-${R_MONTH}-${R_DAY} ${R_HOUR}:${R_MIN}:${R_SEC}", "${HOST}", "${LEVEL}", "${MESSAGE}")
        indexes("datetime", "level")
    );
};

log { source(s_network); rewrite(r_cisco); destination(d_mysql); };
This works perfectly, as it formats the message as I
want and covers IOS and NX-OS devices. The problem is
that since I turned off the default parser, all of my
logs show "notice" in the $LEVEL macro, and it doesn't
reflect the real message header level. The $HOST macro
still works fine, however.
Is this the expected behavior, that the message
header fields are not parsed as well as the $MESSAGE
itself not being parsed? How can I map the header level
field properly to the $LEVEL macro if I disable the
default parser?
Regards,
Max
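The PRI decoding that flags(no-parse) switches off, as an added example; this is not code from the post above and not syslog-ng's own parser. The severity and facility live only in the `<nnn>` prefix: facility is nnn divided by 8, severity is nnn modulo 8. syslog-ng's default for a message whose PRI was never decoded is PRI 13 (user.notice), which is why every row shows "notice" once the parser is disabled. The example decodes the PRI from the raw line before running the poster's r_cisco expression, because that expression removes the very `<nnn>` prefix the decoding needs. Facility names follow syslog-ng's table; the sample lines are constructed, not captured from a device.

```python
import re

# Severity names (0-7) in the order the PRI encodes them.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Facility names (0-23), assumed here to match syslog-ng's ${FACILITY} table.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]

# syslog-ng's default when nothing decodes a PRI: user.notice, i.e. PRI 13.
DEFAULT_PRI = 13

PRI_RE = re.compile(r"^<(\d{1,3})>")

# The poster's header-stripping expression, unchanged; Python's re accepts it.
CISCO_HEADER_RE = re.compile(
    r"^<\d+>(\d+:|:)\s+(\.\w+|\w+)\s+\d+\s+\d+\s\d+:\d+:\d+:\s"
    r"|^<\d+>:\s+\d+\s+\w+\s+\d+\s+\d+:\d+:\d+\s\w+:\s"
    r"|^<\d+>(\d+:|:)\s",
    re.IGNORECASE,
)


def decode_pri(raw):
    """Return (pri, facility_name, severity_name) for one raw syslog line.

    A missing or out-of-range PRI falls back to DEFAULT_PRI, which is exactly
    how an unparsed message ends up reported as "notice".
    """
    m = PRI_RE.match(raw)
    pri = int(m.group(1)) if m else DEFAULT_PRI
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        pri = DEFAULT_PRI
    return pri, FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_cisco(raw):
    """Decode the PRI first, then strip the Cisco header the way r_cisco does."""
    pri, facility, level = decode_pri(raw)
    message = CISCO_HEADER_RE.sub("", raw, count=1)  # subst() replaces the first match
    return {"pri": pri, "facility": facility, "level": level, "message": message}


# Constructed sample lines: IOS with sequence number and year, NX-OS, a bare
# IOS line without timestamp, and a line that arrived with no PRI at all.
SAMPLES = [
    "<187>124: Mar 1 2013 00:12:35: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<186>: 2013 Jan 1 12:00:00 UTC: %VPC-2-PEER_KEEP_ALIVE_RECV_FAIL: In domain 10, VPC peer keep-alive receive has failed",
    "<190>: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.5 port 514 started",
    "Mar 1 2013 00:12:36: %SYS-5-CONFIG_I: Configured from console by vty0",
]


def parse_all(lines=SAMPLES):
    """Parse every sample line; the last one shows the user.notice fallback."""
    return [parse_cisco(line) for line in lines]


if __name__ == "__main__":
    for rec in parse_all():
        print("%-7s %-8s %s" % (rec["facility"], rec["level"], rec["message"]))
```

Running it prints local7/err, local7/crit and local7/info for the three Cisco lines (the `<187>`, `<186>` and `<190>` prefixes) and user/notice for the line without a PRI, with the header stripped exactly as the rewrite rule above would strip it. Whatever replaces the default parser in the syslog-ng configuration has to perform this same decoding step on the raw datagram before the header is removed; ${LEVEL} only ever reflects what some parsing step wrote into it.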