Tool to determine facility and severity from syslog packets
Does anyone know of a tool to read the facility and severity info from inbound syslog packets? I have a number of devices that are sending me syslog info and I can't determine what facility they're using. These devices can't be set to use specific facilities unfortunately. It would be ideal if I could read the data out of a raw dump from tcpdump or at least be able to bind it to 514/udp and prepend facility/severity info on each log line.

Along the same lines it would be sweet if there was a way to rewrite the facility information in inbound syslog packets (based on source IP) before passing them to your favorite syslog server. This would be ideal for occasions such as this.

Any info would be greatly appreciated. Thanks

Justin
probably with the sniffer from ethereal.com

regards, hb
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
-- 
Heiko@Blume.AG
Cisco Certified Network Professional, Cisco Certified Design Professional, Juniper Certified Internet Specialist, SUN Certified System Administrator
Office: +49.30/4426309  FAX: +49.30/48494354  Mobile: +49.178/6662342
www: http://www.blume.ag/IT/
PHY: Knaackstrasse 6, 10405 Berlin, DE
Hi,

Heiko Blume <Heiko@Blume.AG> [20061205 10:32:19 +0100]:
probably with the sniffer from ethereal.com
I would be more inclined to use a Perl module:

http://search.cpan.org/~sparsons/Net-Dev-Syslog-0.8.0/Syslog.pm

It will create a mini-syslog server, decode the packets for you and then it would be trivial, if you know Perl, to re-inject them with the same module or a different one:

http://search.cpan.org/~saper/Sys-Syslog-0.18/Syslog.pm

If you do not know Perl you probably will find this is a nice mini-project to introduce you to the language. It's damn handy to be able to throw together a quick hack script to do jobs like this; it means you no longer have to rely on the hope that someone else has done this already, otherwise you would be out of options.

The problem you are going to run into is that you have to have effectively a syslog proxy on another machine, or a second IP bound to your syslog core server. You cannot have this 'rewriter' and syslog-ng on the same box as both will be trying to listen on the same port; well, you could pick different IPs for them to bind to though.

By the sounds of it you really want to create a syslog-ng filter that has a list of IPs and hardcode in the facility and extract the severity there. To be honest, if the facility is fixed then really there is no information you can extract that you could not determine as "well, it came from this IP therefore it has the *fixed* facility xyz". As for severity, it's probably worth just grepping for keywords in the message for what you are looking for anyway. That's where programs like swatch can help.

Of course I might have missed completely what you are trying to accomplish; if so give a few more details and I'll try to help.

Cheers

Alex
Isn't that good for you, if you write a syslog-ng template using these macros?

FACILITY           The name of the facility from where the message originates.
PRIORITY or LEVEL  The priority of the message.
TAG                The priority and facility encoded as a 2 digit hexadecimal number.
PRI                The priority and facility encoded as a 2 or 3 digit decimal number as it is present in syslog messages.

So if you log everything into one file with the facility/priority placed in the message this way (using a template), then you can determine the facility of your devices. (I'm sure you can recognize the messages sent by the devices, so you can distinguish them from each other.)

Balazs

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Justin Shore
Sent: Tuesday, December 05, 2006 4:55 AM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Tool to determine facility and severity from syslog packets
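The decode-and-rewrite approach Alex describes and the FACILITY / PRIORITY / TAG / PRI values Balazs lists, as an added worked example in Python rather than the Perl modules mentioned (this is not code from the thread or from syslog-ng). The sample datagrams, the IP-to-facility map and the facility names used for codes 12-15 are assumptions; the PRI arithmetic (facility * 8 + severity, RFC 3164) is standard.

```python
import re

# Names as syslog-ng's $FACILITY / $PRIORITY report them (12-15 vary by implementation).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
_PRI_RE = re.compile(rb"^<(\d{1,3})>")  # RFC 3164 PRI: N = facility * 8 + severity

def decode_pri(datagram):
    """Return (facility, severity, facility_name, severity_name, tag_hex), or
    None when there is no valid PRI (a receiver then assumes user.notice)."""
    m = _PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal value
        return None
    fac, sev = divmod(pri, 8)          # $FACILITY and $PRIORITY
    return fac, sev, FACILITIES[fac], SEVERITIES[sev], f"{pri:02x}"  # last is $TAG

def annotate(datagram, src_ip):
    """Prepend source IP, facility.severity, $PRI and $TAG to the log line."""
    decoded = decode_pri(datagram)
    text = datagram.decode(errors="replace")
    if decoded is None:
        return f"{src_ip} (no valid PRI) {text}"
    fac, sev, fname, sname, tag = decoded
    return f"{src_ip} {fname}.{sname} pri={fac * 8 + sev} tag={tag} {text[text.index('>') + 1:]}"

def rewrite_facility(datagram, src_ip, fac_by_ip):
    """Rewrite the facility for known source IPs, keeping severity and body;
    unknown sources and malformed PRIs are forwarded unchanged."""
    decoded = decode_pri(datagram)
    if decoded is None or src_ip not in fac_by_ip:
        return datagram
    new_pri = FACILITIES.index(fac_by_ip[src_ip]) * 8 + decoded[1]
    return b"<%d>" % new_pri + datagram[datagram.index(b">") + 1:]

if __name__ == "__main__":
    # Constructed sample datagrams and IP-to-facility map (not from the thread).
    fac_by_ip = {"192.0.2.10": "local3"}
    for ip, pkt in [("192.0.2.10", b"<34>Dec  5 04:55:00 sw1 login: failed for admin"),
                    ("198.51.100.5", b"<165>Dec  5 04:55:01 rtr1 ifmgr: Gi0/1 up"),
                    ("198.51.100.5", b"no PRI at all")]:
        print(annotate(pkt, ip))
        print(rewrite_facility(pkt, ip, fac_by_ip))
```

Feeding the bytes of each UDP payload from a tcpdump capture (or a socket bound to 514/udp) through annotate() gives the per-line facility/severity the original poster asked for, and rewrite_facility() is the proxy step before forwarding to syslog-ng.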
participants (4)
- Alexander Clouter
- Heiko Blume
- Justin Shore
- Szeti, Balazs