*RANT ON*

Cisco logging is the worst. For instance, the * at the beginning of the line indicates that the clock on the device is not synchronized with an external time clock. Great news, Cisco, but now it is not a valid time stamp!

*RANT OFF*

We use a pattern database to rewrite poor logs prior to doing anything else with the logs.
There also is not a valid program name in this syslog line, so we take the %XXXX-N-YYYY: part of the line and turn it into a program name of cisco_XXXX.

One of our transformed lines of the same kind looks like


2016-06-09T07:17:23-07:00 device.hostname.domain local7.notice cisco_LINEPROTO: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/4, changed state to up

If you are interested in this contact me off-list and I can provide the rewrite pattern database and the syslog-ng configuration snippet that uses it.
We also have rewrites for NetApp, DDN disk, ZoneMinder, Intel True Scale switches and OpenManage Server Administrator.

Evan.


On 06/09/2016 02:59 AM, Nutan Shinde wrote:
Hi,

Following is the syslog message received from a Cisco router:

*Mar  1 09:30:25.249 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to down

As you can see, UTC is included in the above timestamp. That is why the value of $PROGRAM is UTC and $MSGONLY is %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to down.

What should I include in the syslog-ng.conf so that time zone is ignored?


-- 
Evan Rempel
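
The rewrite discussed in this thread, sketched as an added Python example (it is not Evan's pattern database or syslog-ng configuration). Assumptions: the caller supplies the year and host name, the facility defaults to `local7`, only `UTC` or an absent zone is accepted, and the leading clock marker is kept as a flag instead of being thrown away.

```python
import re
from datetime import datetime, timezone

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
# Syslog severity names indexed by the N in %FACILITY-N-MNEMONIC.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

CISCO_LINE = re.compile(
    r"^(?P<mark>[*.]?)"                    # '*' or '.': device clock not NTP-synchronized
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})(?:\.\d{1,3})?"
    r"(?:\s+(?P<tz>[A-Z]{2,5}))?:\s+"      # optional zone name, the token mistaken for $PROGRAM
    r"(?P<msg>%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-[A-Z0-9_]+:.*)$"
)

def rewrite_cisco(line, host, year, facility="local7"):
    """Return a normalized record for one Cisco line, or None if it cannot be trusted."""
    m = CISCO_LINE.match(line.strip())
    if m is None or m["mon"] not in MONTHS:
        return None
    if m["tz"] not in (None, "UTC"):
        return None  # other abbreviations are ambiguous; assumption: handle them elsewhere
    try:
        ts = datetime(year, MONTHS.index(m["mon"]) + 1, int(m["day"]),
                      int(m["h"]), int(m["m"]), int(m["s"]), tzinfo=timezone.utc)
    except ValueError:  # e.g. "Feb 30"
        return None
    return {
        "timestamp": ts.isoformat(),
        "clock_synced": m["mark"] == "",   # keep the marker's meaning for later analysis
        "host": host,
        "priority": f"{facility}.{SEVERITIES[int(m['sev'])]}",
        "program": f"cisco_{m['fac']}",
        "message": m["msg"],
    }

def render(rec):
    """Format a record in the layout of the transformed line shown in the thread."""
    return "{timestamp} {host} {priority} {program}: {message}".format(**rec)

if __name__ == "__main__":
    # Line quoted in the thread; host name and year are constructed for the example.
    raw = ("*Mar  1 09:30:25.249 UTC: %LINEPROTO-5-UPDOWN: "
           "Line protocol on Interface Tunnel2, changed state to down")
    rec = rewrite_cisco(raw, "router.example", 2016)
    print(render(rec), "| clock_synced =", rec["clock_synced"])
```

Keeping `clock_synced` alongside the normalized timestamp lets later correlation or incident timelines discount events from devices whose clocks were not synchronized.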