Hi Ciprian,

Cisco logs have been known to ignore RFC3164 log format and therefore needs to be parsed specially.

In syslog-ng there is a dedicated cisco-parser() to handle some known Cisco formats.
https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.22/administration-guide/72#TOPIC-1209348
Please don't forget to set "no-parse" flag. 
  source { udp(flags(no-parse)); };

The problem with using a dedicated parser is that if you pass a log message with different format than the parser expects, 
the parsing result can be wrong, or some parser even drops the message.
Therefore you need to route the different message formats on different channels to do parsing on.

For convenience, there is a source driver called "default-network-driver()" which opens and listens on the common ports and formats and then 
it parses the message automatically based on some message characteristics, i.e. if it detects that a message has a cisco format, it parses it with cisco-parser():
Ports opened by default:
Detailed documentation:
https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.22/administration-guide/17#TOPIC-1209127

Regards,
Gabor
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of ciprian niculescu <cnicules@gmail.com>
Sent: Tuesday, July 30, 2019 20:35
To: syslog-ng@lists.balabit.hu <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] cisco templetes
 
CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.


Hello,

i'm building a syslog relay to collect and duplicate the flows to
multiple destinations.
but the relayed messages are strange looking.
my source are cisco network devices (catalyst, nexus, asa) and i want
to relay to a Solarwinds, Splunk and a linux-syslog for archiving.

i search the net for a templete but found none.
What i got so far is that the catalyst is sending in syslog bsd
format, but with the relay configured to source bsd and destination
bsd, the end message is different (the date is doubled, the relay add
his IP)

any help is appreciated.

Regards,

Ciprian
______________________________________________________________________________
Member info: https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&amp;data=02%7C01%7Cgabor.nagy%40oneidentity.com%7C78b4a839cdc048b2f1d308d7151cc2c4%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637001085606850183&amp;sdata=NfDwArjXF2rTuXIkXtUbE8tmsi095EkX5lgLn3EbFD0%3D&amp;reserved=0
Documentation: https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&amp;data=02%7C01%7Cgabor.nagy%40oneidentity.com%7C78b4a839cdc048b2f1d308d7151cc2c4%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637001085606850183&amp;sdata=4UJ8e%2FCy5qcLj%2BtY5jlDK9FA3yv0Md8im9BjfUxnbx0%3D&amp;reserved=0
FAQ: https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&amp;data=02%7C01%7Cgabor.nagy%40oneidentity.com%7C78b4a839cdc048b2f1d308d7151cc2c4%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637001085606860191&amp;sdata=Cq0V%2F0nmydZ%2FOHcgY%2FHKaZuHnjoHh6grq%2BHYqX%2FgDEI%3D&amp;reserved=0