Hello Community,
Thank you all for your help regarding this issue reported.
We finally concluded that the Cisco device is sending the log in two different lines.
Now we have a new situation regarding the syslog-ng configuration file:
- A patch had to be created in order to concat the log.
- The logs that arrive at the server with syslog-ng come like this:
Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1)
Mar 13 10:33:14 PE06PVAL01 1182435: received in update for prefix XXX:XXX:XX.X.XXX.0/24 from A.B.C.D
- The patch concats the log and generates a new line that is inserted into the same cisco log file:
Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1) received in update for prefix XXX:XXX:XX.X.XXX.0/24 from A.B.C.D
- This new line that has the whole log line is sent to another server (let us call it Server X) with a syslog-ng tool running
- On Server X, I get these two log lines:
Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1)
Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1) received in update for prefix XXX:XXX:XX.X.XXX.0/24 from A.B.C.D
The question is:
Is there a way to configure syslog-ng on Server X so that it:
- Discards the log line that contains "BGP-3-INVALID_MPLS: Invalid MPLS label (1)"
- Accepts the log line that contains "BGP-3-INVALID_MPLS: Invalid MPLS label (1) received in update for prefix"
- Accepts all other logs
The syslog-ng configuration file on Server X is the following:
> cat /etc/syslog-ng.conf
#@version: 3.0
# syslog-ng configuration file for the server.
#
# See syslog-ng(8) and syslog-ng.conf(8) for more information.
#
options { flush_lines (0);
time_reopen (10);
log_fifo_size (10000);
long_hostnames (off);
use_dns (yes);
create_dirs (yes);
keep_hostname (yes);
};
# Client Source
source s_local { internal(); };
source s_syslog_udp { udp(port(514)); };
# Server Source
source s_juniper_tcp { tcp(port(1001) keep-alive(yes)); };
source s_cisco_tcp { tcp(port(1002) keep-alive(yes)); };
# Client Destination
destination d_local { file("/var/adm/syslog/syslog-ng.log"); };
destination d_juniper_tcp { file("/var/adm/syslog/juniper.log"); };
destination d_cisco_tcp { file("/var/adm/syslog/cisco.log"); };
# Server Destination
destination d_syslog { file("/var/adm/syslog/syslog.log"); };
destination d_mail { file("/var/adm/syslog/mail.log"); };
# Server Filter
filter f_mail { facility(mail) and level(debug .. emerg); };
filter f_syslog { level(info .. emerg) and not facility(mail) and not program(syslog-ng); };
filter f_syslog-ng { program(syslog-ng); };
# Client Log
log { source(s_local); destination(d_local); destination(d_syslog); };
log { source(s_syslog_udp); destination(d_syslog); };
# Server Log
log { source(s_local); filter(f_syslog-ng); destination(d_syslog); };
log { source(s_local); filter(f_mail); destination(d_mail); };
log { source(s_local); filter(f_syslog); destination(d_syslog); };
log { source(s_juniper_tcp); destination(d_juniper_tcp); };
log { source(s_cisco_tcp); destination(d_cisco_tcp); };
Thank you so much for your help.
Best regards,
Alan
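One way to express the requested filter in syslog-ng, as an added example that is not part of Alan's post: it assumes the configuration shown above (syslog-ng 3.0 syntax, the existing s_cisco_tcp source and d_cisco_tcp destination) and that the partial line is the only Cisco message carrying the BGP-3-INVALID_MPLS mnemonic without the continuation text "received in update for prefix".

```conf
# Added example (not from the original post): keep everything arriving on
# the Cisco TCP source except the partial first half of the split message.
# Assumes syslog-ng 3.0 syntax and the s_cisco_tcp / d_cisco_tcp objects
# from the configuration above.
#
# message() tests only the MESSAGE part, so the syslog header (timestamp,
# hostname, sequence number) is never matched. The patterns deliberately
# stop before "(1)": parentheses are regex metacharacters in the default
# POSIX matching, and "label (1)" as a regex would match "label 1", not
# the literal text "label (1)".
#
# Truth table for a Cisco message:
#   partial line  -> has mnemonic, lacks continuation -> dropped
#   full line     -> has mnemonic, has continuation   -> kept
#   anything else -> lacks mnemonic                   -> kept
filter f_cisco_keep {
    not (
        message("BGP-3-INVALID_MPLS: Invalid MPLS label")
        and not message("received in update for prefix")
    );
};

# Replaces the existing unfiltered Cisco log path on Server X.
log { source(s_cisco_tcp); filter(f_cisco_keep); destination(d_cisco_tcp); };
```

Because the only line that survives on Server X is the one produced by the concatenation patch upstream, a failure of that patch would silently lose the event; comparing the count of full INVALID_MPLS lines in cisco.log on Server X against the partial lines seen on the first server is a cheap way to notice that.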