patterndb and syslog from cisco
Hello,

I'm writing patterndb.xml files to filter syslog messages from servers and CISCO routers. Currently, CISCO sends syslog in this format:

    Nov 3 15:36:02 srv01.dom.test 36779: .Nov 3 14:50:30.403: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.0.0.1] [localport: 22] at 15:50:30 CET Wed Nov 3 2010
    Nov 3 15:39:02 srv01.dom.test 36780: .Nov 3 14:53:30.255: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.0.0.1] [localport: 22] at 15:53:30 CET Wed Nov 3 2010
    Nov 3 15:42:01 srv01.dom.test 36781: .Nov 3 14:56:30.378: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.0.0.1] [localport: 22] at 15:56:30 CET Wed Nov 3 2010

The problem comes from the program name, which changes for each message: 36779, 36780, 36781, etc. For this reason, I can't use the patterndb mechanism.

How may I solve my problem? I think it's not allowed to change the program name with the "rewrite" rule.

I have the same problem with switches from Alcatel...

Regards,
Yann I.
Matthew Hall wrote on Wednesday, November 03, 2010 17:40 CET:

There are ways to enable and disable the message sequence numbering and other special components of the messages on the Cisco devices themselves. The numbers can be useful for finding out if your devices are dropping messages somewhere.

But the more general solution is to send these to a source which has flags(no-parse) set. Then you can parse out the interesting stuff using patterndb. Maybe Peter Czanik from Balabit can suggest where to find the latest patterns for Cisco devices.

See this for details:
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/index.html-single.html#reference_source_tcpudp

Good luck,
Matthew.

--
Matthew Hall
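As an added example of the layout Matthew describes (my configuration, not one posted in the thread or shipped with syslog-ng): a dedicated UDP listener with flags(no-parse) for the Cisco devices, and a normally parsed listener on 514 for everything else. flags(no-parse) applies to every message arriving on that source, so devices whose messages should be parsed as ordinary syslog need their own source. The port 5514, the file paths, and the source/parser/filter/destination names are assumptions.

```conf
# Added example, not from the thread. Adjust @version to the syslog-ng release in use.
@version: 3.1

# Normal syslog from servers and other devices: header parsed as usual.
source s_udp_std {
    udp(ip(0.0.0.0) port(514));
};

# Cisco IOS devices are pointed at this port (assumed: 5514).
# no-parse stores the whole datagram in $MESSAGE, and program_override()
# gives every message a fixed $PROGRAM so a patterndb ruleset can be
# selected by program name instead of by the changing sequence number.
source s_udp_cisco {
    udp(ip(0.0.0.0) port(5514) flags(no-parse) program_override("cisco_routeur"));
};

# patterndb file with the cisco_routeur ruleset (assumed path).
parser p_cisco {
    db_parser(file("/etc/syslog-ng/patterndb/cisco.xml"));
};

# Example filter on a name-value pair set by the pattern: keep only
# login-related messages from the Cisco feed.
filter f_cisco_login {
    match("SEC_LOGIN" value(".cisco.facility"));
};

destination d_cisco { file("/var/log/cisco/$HOST.log"); };
destination d_std   { file("/var/log/messages"); };

log { source(s_udp_cisco); parser(p_cisco); filter(f_cisco_login); destination(d_cisco); };
log { source(s_udp_std); destination(d_std); };
```

A firewall or ACL in front of the collector should only allow the Cisco management addresses to reach the no-parse port; anything else that lands there is stored verbatim and unclassified, which is easy to overlook when reviewing logs.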
Fekete Róbert wrote on Wednesday, November 03, 2010 20:28 +0100:

Hi,

AFAIK, syslog-ng Premium Edition 3.2 can recognize and properly handle this message format. I am not sure if this was already ported to OSE 3.2; I'll try to get some info on it if Bazsi does not reply sooner.

Regards,
Robert

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
Yann I. wrote:

Hello,

Thanks for the answers. Currently, I'm using syslog-ng OSE 3.1.2. For that "problem", I created the following configuration:

Configuration:

    source s_r_udp_cisco {
        udp(
            ip(0.0.0.0)
            port(514)
            flags(no-parse)
            program_override("cisco_routeur")
        );
    };

    log {
        source(s_r_udp_cisco);
        parser(pattern_db_cisco);
        filter(...);   # -> filter only on ".cisco.facility", for example, etc.
    };

With the following "pattern_db_cisco":

    <?xml version='1.0' encoding='UTF-8'?>
    <patterndb version='3' pub_date='2010-11-04'>
      <ruleset name='cisco_routeur' id='1:2:3:4'>
        <pattern>cisco_routeur</pattern>
        <rules>
          <rule provider='cisco' id='1:2:3:4:id001' class='system'>
            <patterns>
              <!-- the QSTRING delimiters are '<' and '>', which must be escaped inside XML text -->
              <pattern>@QSTRING:.cisco.prio:&lt;&gt;@@ESTRING:.cisco.id::@ @ESTRING:.cisco.date:%@@ESTRING:.cisco.facility:-@@ESTRING:.cisco.severity:-@@ESTRING:.cisco.mnemonic::@@ANYSTRING:.cisco.message-text:@</pattern>
            </patterns>
          </rule>
        </rules>
      </ruleset>
    </patterndb>

and... it's working!

But now, I should use another UDP port (a value other than 514) because of the option flags(no-parse). Indeed, I have some issues when other devices send logs to the syslog-ng server.

Thank you :-)

Regards,
Yann I.
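The following is an added example, not code from the thread or from syslog-ng: a small Python model of the fields Yann's pattern extracts from a raw Cisco IOS datagram, plus the sequence-number gap check Matthew mentions as a way to find dropped messages. The sample datagrams are constructed to match the format shown in the thread (the second host, the SYS-5-CONFIG_I line, and the PRI values are assumed); the regular expression, the function names, and the handling of a missing sequence number (IOS with sequence numbering turned off) are mine. The clock-flag interpretation follows IOS behaviour, where a leading "*" or "." in front of the timestamp marks a clock that is not authoritative.

```python
"""Parse raw Cisco IOS syslog datagrams the way the thread's patterndb rule
does, and report gaps in the per-device sequence numbers.

Added example; the sample input below is constructed, not captured."""
import re
from typing import Dict, List, Optional, Tuple

# One capture group per patterndb field from the thread's rule.
CISCO_RE = re.compile(
    r"^<(?P<prio>\d{1,3})>"                 # @QSTRING:.cisco.prio:<>@
    r"(?:(?P<seq>\d+): )?"                  # @ESTRING:.cisco.id::@ plus the space;
                                            #   absent if sequence numbering is off
    r"(?P<clock>[*.]?)(?P<date>[^%]*?): "   # @ESTRING:.cisco.date:%@ (clock flag split off)
    r"%(?P<facility>[A-Z0-9_]+)-"           # @ESTRING:.cisco.facility:-@
    r"(?P<severity>[0-7])-"                 # @ESTRING:.cisco.severity:-@
    r"(?P<mnemonic>[A-Z0-9_]+): "           # @ESTRING:.cisco.mnemonic::@
    r"(?P<text>.*)$"                        # @ANYSTRING:.cisco.message-text:@
)
# "[user: user01] [Source: 10.0.0.1]" style pairs inside the message text.
BRACKET_RE = re.compile(r"\[(\w+): ([^\]]*)\]")

# Constructed datagrams as a device would send them on the wire (with <PRI>,
# before syslog-ng prepends its own timestamp and host). 36781 and 36782 are
# deliberately missing to exercise the gap check.
SAMPLE: List[Tuple[str, str]] = [
    ("10.0.0.254", "<189>36779: .Nov  3 14:50:30.403: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
                   "[user: user01] [Source: 10.0.0.1] [localport: 22] at 15:50:30 CET Wed Nov 3 2010"),
    ("10.0.0.254", "<189>36780: .Nov  3 14:53:30.255: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
                   "[user: user01] [Source: 10.0.0.1] [localport: 22] at 15:53:30 CET Wed Nov 3 2010"),
    ("10.0.0.254", "<189>36783: .Nov  3 14:56:30.378: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
                   "[user: user01] [Source: 10.0.0.1] [localport: 22] at 15:56:30 CET Wed Nov 3 2010"),
    # A device without 'service sequence-numbers' and with an authoritative clock.
    ("10.0.0.253", "<189>Nov  3 14:57:01.000: %SYS-5-CONFIG_I: Configured from console by admin "
                   "on vty0 (10.0.0.1)"),
]


def parse_cisco(host: str, datagram: str) -> Optional[Dict[str, object]]:
    """Return the fields the thread's rule would set, or None if the line
    does not look like a Cisco message (so it can be routed elsewhere)."""
    m = CISCO_RE.match(datagram)
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["host"] = host
    rec["seq"] = int(m.group("seq")) if m.group("seq") is not None else None
    rec["severity"] = int(m.group("severity"))
    # The <PRI> value encodes the syslog facility and severity: facility*8 + severity.
    prio = int(m.group("prio"))
    rec["syslog_facility"] = prio >> 3
    rec["syslog_severity"] = prio & 7
    # No '*' or '.' before the timestamp means the device clock is authoritative.
    rec["clock_authoritative"] = m.group("clock") == ""
    rec["fields"] = dict(BRACKET_RE.findall(m.group("text")))
    return rec


def detect_gaps(records: List[Dict[str, object]]) -> List[str]:
    """Flag missing or reset sequence numbers per sending host. A gap means
    messages were lost between the device and the collector (UDP) or on the
    device itself; a decrease usually means a reboot or reordering."""
    last: Dict[str, int] = {}
    findings: List[str] = []
    for r in records:
        seq = r["seq"]
        if seq is None:            # sequence numbering disabled: nothing to check
            continue
        host = str(r["host"])
        assert isinstance(seq, int)
        if host in last:
            if seq > last[host] + 1:
                findings.append(f"{host}: {seq - last[host] - 1} message(s) missing "
                                f"between {last[host]} and {seq}")
            elif seq <= last[host]:
                findings.append(f"{host}: sequence went from {last[host]} to {seq} "
                                f"(reorder or device restart)")
        last[host] = seq
    return findings


def run(sample: List[Tuple[str, str]] = SAMPLE) -> Tuple[List[Dict[str, object]], List[str]]:
    """Parse every datagram and return (records, gap findings)."""
    records = [r for r in (parse_cisco(h, d) for h, d in sample) if r is not None]
    return records, detect_gaps(records)


if __name__ == "__main__":
    recs, gaps = run()
    for r in recs:
        print(r["host"], r["seq"], r["facility"], r["severity"], r["mnemonic"], r["fields"])
    for g in gaps:
        print("GAP:", g)
```

The bracketed pairs are what a detection rule would actually key on (user, source address, local port), so they are pulled into their own dictionary rather than left inside the free text; the patterndb equivalent would be further @ESTRING@ fields in the rule. The gap check only works while sequence numbering stays enabled on the device, which is the trade-off Matthew points at: the numbers break the program-name parsing but are the only evidence of lost UDP messages.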
Balazs Scheidler wrote on 2010/11/14:

On Wed, 2010-11-03 at 20:28 +0100, Fekete Róbert wrote:
> AFAIK, syslog-ng Premium Edition 3.2 can recognize and properly handle this message format. I am not sure if this was already ported to OSE 3.2, I'll try to get some info on it if Bazsi does not reply sooner.

Not yet. I went as far as checking out the differences I'd need to port, but looking at the 250+ patches, I got frightened and in the end I didn't do anything yet.

But anyway, syslog-ng PE 4.1 will be based on the syslog-ng OSE 3.3 core, so synchronization problems like this would hopefully be a problem of the past. (We're expecting 4.1 around next May.)

--
Bazsi
Yann I. wrote:

Thanks for your answers. I'm using the patterndb mechanism to solve my problem.

Regards,
Yann I.