*RANT ON* Cisco logging is the worst. For instance, the * at the beginning of the line indicates that the clock on the device is not synchronized with an external time clock. Great news, Cisco, but now it is not a valid time stamp! *RANT OFF*

We use a pattern database to rewrite poor logs prior to doing anything else with the logs. There also is not a valid program name in this syslog line, so we take the %XXXX-N-YYYY: part of the line and turn it into a program name of cisco_XXXX.

One of our transformed lines of the same kind looks like

2016-06-09T07:17:23-07:00 device.hostname.domain local7.notice cisco_LINEPROTO: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/4, changed state to up

If you are interested in this, contact me off-list and I can provide the rewrite pattern database and the syslog-ng configuration snippet that uses it. We also have rewrites for netapp, ddn disk, zone minder, Intel True Scale switches and OpenManage Server Administrator.

Evan.

On 06/09/2016 02:59 AM, Nutan Shinde wrote:
Hi,
Following is the syslog message received from a Cisco router:
*Mar 1 09:30:25.249 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to down
As you can see, UTC is included in the above timestamp. That is why the value of $PROGRAM is UTC and $MSGONLY is %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to down.
What should I include in the syslog-ng.conf so that time zone is ignored?
-- Evan Rempel
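
The rewrite described in the reply above, as an added Python example; it is not Evan's pattern database or syslog-ng configuration. The function names, the regular expression and the handling of a leading `.` flag are assumptions, and the receive time and hostname are supplied by the caller because the Cisco timestamp carries no year.

```python
import re

# Sample taken from the question in this thread.
SAMPLE = ("*Mar 1 09:30:25.249 UTC: %LINEPROTO-5-UPDOWN: Line protocol on "
          "Interface Tunnel2, changed state to down")

# [*|.]Mon D HH:MM:SS[.mmm] [TZ]: %FACILITY-SEVERITY-MNEMONIC: text
# The facility is limited to [A-Z0-9_] so that untrusted message text can
# never put spaces, colons or newlines into the derived program name.
CISCO_RE = re.compile(
    r"^(?P<flag>[*.])?"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{1,3})?)"
    r"(?: (?P<tz>[A-Za-z]{2,5}))?: "
    r"(?P<msg>%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): .*)$"
)

# Cisco severity digits use the standard syslog numbering.
SEVERITY = ["emerg", "alert", "crit", "err",
            "warning", "notice", "info", "debug"]


def normalize_cisco(raw):
    """Split a Cisco message into fields; None if it is not in Cisco form."""
    m = CISCO_RE.match(raw.strip())
    if m is None:
        return None  # caller should pass the line through unchanged
    return {
        "clock_unsynced": m.group("flag") is not None,  # leading * or .
        "device_time": m.group("ts"),   # kept for reference, not trusted
        "device_tz": m.group("tz"),     # e.g. "UTC", or None if absent
        "program": "cisco_" + m.group("fac"),
        "severity": int(m.group("sev")),
        "message": m.group("msg"),      # keeps the %XXXX-N-YYYY: prefix
    }


def render(fields, received_iso, host, facility="local7"):
    """Build a line in the layout of the transformed example in the reply."""
    level = SEVERITY[fields["severity"]]
    return (f"{received_iso} {host} {facility}.{level} "
            f"{fields['program']}: {fields['message']}")


if __name__ == "__main__":
    parsed = normalize_cisco(SAMPLE)
    print(render(parsed, "2016-06-09T07:17:23-07:00", "device.hostname.domain"))
```

Keeping `clock_unsynced` as its own field lets a later filter flag devices whose timestamps should not be used when correlating events.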