Hello Gyu,

> What would you patch?
> Do you think that is necessary?


The patch that has already been installed and what it does is the following:
- Look for the logs that contain this string "%BGP-3-INVALID_MPLS: Invalid MPLS label (1)" in the cisco.log file. For example, this could be one match: "Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1)"
- Look for the corresponding next line for the line found in the step before. For example, this is the log line for the log mentioned before: "Mar 13 10:33:14 PE06PVAL01 1182435:          received in update for prefix 16629:1735:A.B.C.D/24 from X.X.X.X"
- Generate a new line and print it in the cisco.log file. For the example, the new line would be: "Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1) received in update for prefix 16629:1735:A.B.C.D/24 from X.X.X.X"
- The syslog-ng running on Server A will send the complete line to another server (Server B), which is listening to all logs coming from Server A.

Yes, I do think it was necessary.


> How urgent is this log concatenation project for you?

For the time being the patch is working well. However, I still need to implement the filter in syslog-ng on Server B so that this line is discarded:
"Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1)"
And this line is accepted:
"Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1) received in update for prefix 16629:1735:A.B.C.D/24 from X.X.X.X"

It is not urgent. However, if you could tell me how to configure the filter in syslog-ng, I would greatly appreciate it.


> An extra question: How extreme is the line breaking? Your log example was
> the first I saw. (However, I have not configured BGP on Cisco yet; I usually
> worked with RIP when we needed dynamic routing. I worked with "internal"
> networks, and did not work with border gateways.)

I understand that the line breaking is NOT extreme. Besides, this problem happens for only ONE log out of all the logs that arrive at the syslog-ng server.



> So, in your example the one log was split into two lines.
> Is it possible that it can be split into more lines?

It could be split into more lines. Nonetheless, what I need is to generate a single line, which I was already able to do by running the patch we created.



Thank you so much for your help and attention.

Best regards,
Alan


On Tue, May 19, 2015 at 5:01 AM, PÁSZTOR György <pasztor@linux.gyakg.u-szeged.hu> wrote:
Hello Alan,

"Alan Sam" <samsiu.a@gmail.com> wrote at 2015-05-18 16:26:
> Now we have a new situation regarding the syslog-ng configuration file:
>
> - A patch had to be created in order to concat the log.

What would you patch?
Do you think that is necessary?

As I already wrote: I think it can be solved with some smart patterndb
rule.
I have already collected some types of Cisco logs, since I worked with many
Cisco devices earlier, and I know they are not too strict about following any
rule or RFC about logging.
So, I think the ultimate weapon is patterndb, and as soon as I have
free time, I will create a patterndb for Cisco devices.

But I cannot promise you a deadline.

How urgent is this log concatenation project for you?

An extra question: How extreme is the line breaking? Your log example was
the first I saw. (However, I have not configured BGP on Cisco yet; I usually
worked with RIP when we needed dynamic routing. I worked with "internal"
networks, and did not work with border gateways.)
So, in your example the one log was split into two lines.
Is it possible that it can be split into more lines?

Kind regards,
Gyu
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
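
The concatenation steps and the Server B discard rule described in Alan's message, as an added Python example; it is not the patch from the thread and not syslog-ng code. It goes beyond the two-line case by folding any number of continuation lines, and it assumes (the thread does not say) that a continuation has the same host, the next sequence number, and a body that starts with padding spaces.

```python
import re

# Syslog header as in the thread's samples: "Mar 13 10:33:14 PE06PVAL01 1182434:"
HEADER = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) (\d+):(.*)$")
MARKER = "%BGP-3-INVALID_MPLS: Invalid MPLS label (1)"


def merge_split_records(lines):
    """Fold continuation lines into the INVALID_MPLS line that precedes them.

    Assumption (not stated in the thread): a continuation has the same host,
    the next sequence number, and a body that starts with padding spaces.
    """
    out = []
    pending = None  # (host, last sequence number) of the record still open
    for raw in lines:
        line = raw.rstrip("\n")
        m = HEADER.match(line)
        if m and pending:
            host, seq, body = m.group(2), int(m.group(3)), m.group(4)
            if (host, seq) == (pending[0], pending[1] + 1) and body.startswith("  "):
                out[-1] += " " + body.strip()
                pending = (host, seq)  # stay open: a record may span 3+ lines
                continue
        # Any other line closes the open record; interleaved lines are kept as-is.
        pending = None
        if m and line.rstrip().endswith(MARKER):
            pending = (m.group(2), int(m.group(3)))
        out.append(line)
    return out


def server_b_accepts(line):
    """Server B rule from the thread: drop a line that stops at the marker."""
    return not line.rstrip().endswith(MARKER)


# Constructed sample; the first two lines mirror the ones quoted in the thread.
SAMPLE = [
    "Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: " + MARKER,
    "Mar 13 10:33:14 PE06PVAL01 1182435:          received in update"
    " for prefix 16629:1735:A.B.C.D/24 from X.X.X.X",
    "Mar 13 10:33:15 PE06PVAL01 1182436: Mar 13 10:33:14: "
    "%SYS-5-CONFIG_I: Configured from console",
]

if __name__ == "__main__":
    for merged_line in merge_split_records(SAMPLE):
        print("forward" if server_b_accepts(merged_line) else "drop   ", merged_line)
```

A header line whose continuation never arrives stays bare and is dropped by the Server B rule, so that case is worth counting on Server A before relying on the discard.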