On Wednesday, November 03, 2010 17:40 CET, Matthew Hall <
mhall@mhcomputing.net> wrote:
> There are ways to enable and disable the message sequence numbering
> and other special components of the messages on the Cisco devices
> themselves. The numbers can be useful for finding out if your devices are
> dropping messages somewhere.
>
> But the more general solution is to send these to a source which has the
> flags(no-parse) set. Then you can parse out the interesting stuff using
> patterndb. Maybe Peter Czanik from Balabit can suggest where to find the
> latest patterns for Cisco devices.
>
> See this for details:
>
>
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-
> guide-admin-en.html/index.html-single.html#reference_source_tcpudp
>
> Good Luck,
> Matthew.
>
> On Wednesday, November 03, 2010 08:50:59 Yann Forum wrote:
> > Hello,
> >
> >
> >
> > I'm writing patterndb.xml files to filter syslog messages from servers
> > and CISCO routers. Currently, CISCO sends syslog with that format:
> >
> >
> >
> > Nov 3 15:36:02 srv01.dom.test 36779: .Nov 3 14:50:30.403:
> > %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source:
> > 10.0.0.1] [localport: 22] at 15:50:30 CET Wed Nov 3 2010
> >
> > Nov 3 15:39:02 srv01.dom.test 36780: .Nov 3 14:53:30.255:
> > %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source:
> > 10.0.0.1] [localport: 22] at 15:53:30 CET Wed Nov 3 2010
> >
> > Nov 3 15:42:01 srv01.dom.test 36781: .Nov 3 14:56:30.378:
> > %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source:
> > 10.0.0.1] [localport: 22] at 15:56:30 CET Wed Nov 3 2010
> >
> >
> >
> > The problem comes from the program name which changes for each
> message:
> > 36779, 36780, 36781, etc. For this reason, I can't use patterndb
> > mechanism.
> >
> > How may I solve my problem? I think it's not allowed to change the
> > program name with the "rewrite" rule.
> >
> > I have the same problem with switches from Alcatel...
> >
> >
> >
> > Regards,
> >
> >
> >
> > Yann I.
>
> --
> Matthew Hall