Hi Ciprian,

Cisco logs have been known to ignore the RFC3164 log format and therefore need to be parsed specially.

In syslog-ng there is a dedicated cisco-parser() to handle some known Cisco formats.
https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edit...

Please don't forget to set the "no-parse" flag.

    source { udp(flags(no-parse)); };

The problem with using a dedicated parser is that if you pass a log message with a different format than the parser expects, the parsing result can be wrong, or some parsers even drop the message. Therefore you need to route the different message formats on different channels to do parsing on.

For convenience, there is a source driver called "default-network-driver()" which opens and listens on the common ports and formats and then parses the message automatically based on some message characteristics, i.e. if it detects that a message has a Cisco format, it parses it with cisco-parser().

Ports opened by default:
* 514, both TCP and UDP, for RFC3164 (BSD-syslog) formatted traffic
* 601 TCP, for RFC5424 (IETF-syslog) formatted traffic
* 6514 TCP, for TLS-encrypted traffic

Detailed documentation: https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edit...

Regards,
Gabor

________________________________
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of ciprian niculescu <cnicules@gmail.com>
Sent: Tuesday, July 30, 2019 20:35
To: syslog-ng@lists.balabit.hu <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] cisco templetes

Hello,

I'm building a syslog relay to collect and duplicate the flows to multiple destinations, but the relayed messages are strange looking. My sources are Cisco network devices (Catalyst, Nexus, ASA) and I want to relay to a Solarwinds, Splunk and a linux-syslog for archiving.
I searched the net for a template but found none. What I got so far is that the Catalyst is sending in syslog BSD format, but with the relay configured to source BSD and destination BSD, the end message is different (the date is doubled, the relay adds its IP).

Any help is appreciated.

Regards,
Ciprian
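
The channel routing described in Gabor's reply, as an added example that is not part of the original thread or of the syslog-ng documentation. The version line, the names s_net and d_archive, UDP port 514 and the file path are assumptions to adapt to the actual relay.

```conf
@version: 3.22    # assumption: set this to the installed syslog-ng release

# Receive raw datagrams. With no-parse the source does not try to
# interpret the message as RFC3164, so the full text reaches the
# channels below untouched.
source s_net {
    udp(port(514) flags(no-parse));
};

# Hypothetical local archive; replace with the real destinations.
destination d_archive {
    file("/var/log/relay/network.log");
};

log {
    source(s_net);

    # Each format gets its own channel. A message that a channel's
    # parser rejects is offered to the next channel; flags(final)
    # stops a message that was parsed successfully from also being
    # handled by the channels after it.
    junction {
        # Cisco-style messages (Catalyst, Nexus, ASA).
        channel {
            parser { cisco-parser(); };
            flags(final);
        };
        # Everything else: parse as ordinary BSD syslog so that
        # non-Cisco senders are not lost or mangled by cisco-parser().
        channel {
            parser { syslog-parser(); };
            flags(final);
        };
    };

    destination(d_archive);
};
```

Checking the file with `syslog-ng --syntax-only -f <path>` before deploying confirms that the installed version accepts it.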