Cisco IOS message format
Hi All,

I am struggling to get syslog-ng to output the correct format for Cisco IOS devices. I am using syslog-ng to forward messages to an NMS system. The issue I see is that syslog-ng, upon forwarding, adds more data to the message, as I am assuming it does not understand the Cisco IOS syslog format.

Version of syslog-ng:

    Name        : syslog-ng                      Relocations: (not relocatable)
    Version     : 2.1.4                          Vendor: Fedora Project
    Release     : 9.el5                          Build Date: Mon 16 May 2011 15:09:47 BST
    Install Date: Fri 21 Oct 2011 12:26:04 BST   Build Host: x86-01.phx2.fedoraproject.org
    Group       : System Environment/Daemons     Source RPM: syslog-ng-2.1.4-9.el5.src.rpm

Cisco IOS statements:

    service timestamps log datetime msec localtime show-timezone
    logging trap notifications
    logging facility local6

Syslog format in the local file:

    Nov 10 10:18:44.102 UTC: %SYS-5-CONFIG_I: Configured from console by testuser on vty0 (1.2.3.4)

Syslog-ng conf file:

    options {
        sync(0);
        time_reopen(10);
        log_fifo_size(1000);
        long_hostnames(off);
        check_hostname(yes);
        keep_hostname(yes);
        chain_hostnames(no);
        use_time_recvd(yes);
    };

    template("$MSGONLY\n")

When I perform a TCPDUMP and view the incoming message and then the forwarded message, I can see that syslog-ng adds more data to the MESSAGE aspect of the syslog.

Has anyone been able to create a filter or template that manages this format, so that the forwarding of the syslog onto another receiver is not changed, as syslog-ng is adding the $DATE and $HOST to the message?

Thanks in advance
James

_______________________________________________________________________
This email is intended only for the use of the individual(s) to whom it is addressed and may be privileged and confidential. Unauthorised use or disclosure is prohibited. If you receive this e-mail in error, please advise immediately and delete the original message without copying, using, or telling anyone about its contents.
This message may have been altered without your or our knowledge and the sender does not accept any liability for any errors or omissions in the message. This message does not create or change any contract. Royal Bank of Canada and its subsidiaries accept no responsibility for damage caused by any viruses contained in this email or its attachments. Emails may be monitored. RBC Capital Markets is a business name used by branches and subsidiaries of Royal Bank of Canada, including Royal Bank of Canada, London branch and RBC Europe Limited. In accordance with English law requirements, details regarding RBC Europe Limited are set out below: RBC EUROPE LIMITED Registered in England and Wales 995939 Registered Address: Riverbank House, 2 Swan Lane, London, EC4R 3BF. Authorised and regulated by the Financial Services Authority. Member of the London Stock Exchange.
Hi All,

Can anyone assist with the issue below?

Thanks
James
_____________________________________________ From: Wells, James Sent: 10 November 2011 11:25 To: 'syslog-ng@lists.balabit.hu.' Subject: Cisco IOS message format
Your problem is the non-standard (sort of) configuration of:

    service timestamps log datetime msec localtime show-timezone

Cisco is adding the colon at the end of the date "Nov 10 10:18:44.102 UTC:" which is causing syslog-ng to misparse it.

One easy workaround that will make your life easier (but might not be possible for other reasons) would be to turn off timestamps and use the $R_TIMESTAMP macro (double-check that name, I use $R_UNIXTIME) in syslog-ng to record the actual time of receipt.

Another possibility is adding the no-parse flag to the source so that at least the message will be passed along verbatim.

Lastly, you could write a regular expression to parse out the right information. Here's one that will probably work:

    filter f_rewrite_cisco_program {
        # $1 = everything from the leading '%' up to the next ':', $2 = the rest of the line
        match('(%[^:]+): ([^\n]+)' value("MESSAGE") type("pcre") flags("store-matches" "nobackref"));
    };

    rewrite r_cisco_program {
        set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program)));
        set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program)));
    };

which should pull out the program (between % and :) and the message.

On Tue, Nov 22, 2011 at 5:03 AM, Wells, James <James.Wells@rbccm.com> wrote:
Hi All,
Can anyone assist with the issue below
Thanks James
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
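As an added illustration (not code from the thread and not syslog-ng's own parser), the Python below takes the line format discussed above, shows why the Cisco stamp fails a strict RFC 3164 header check, splits PROGRAM and MESSAGE the same way the match() in the reply does, and re-emits a BSD-style line that a downstream receiver can parse. The PRI value on the sample line, the hostname passed to to_bsd() and the normalisation itself are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the line from the original post with the PRI a device set to
# "logging facility local6" would send for a severity-5 message (local6 = 22, 22*8+5 = 181).
SAMPLE = ("<181>Nov 10 10:18:44.102 UTC: %SYS-5-CONFIG_I: "
          "Configured from console by testuser on vty0 (1.2.3.4)")

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# Strict RFC 3164 header: "Mmm dd hh:mm:ss HOSTNAME " (no msec, no zone, no colon).
BSD_HDR_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")
# Cisco IOS "datetime msec show-timezone" stamp; note the trailing ": ".
CISCO_TS_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d(?:\.\d{3})?(?: [A-Z]{1,5})?): ")
# Same split as the reply's match(): PROGRAM between '%' and ':', the rest is MESSAGE.
MNEMONIC_RE = re.compile(r"^(%[^:]+): (.+)$", re.S)

@dataclass
class CiscoMsg:
    facility: int
    severity: int
    timestamp: Optional[str]   # device stamp, e.g. "Nov 10 10:18:44.102 UTC"
    program: Optional[str]     # e.g. "%SYS-5-CONFIG_I"
    message: str

def bsd_header_parses(line: str) -> bool:
    """True if the text after <PRI> starts with a strict RFC 3164 TIMESTAMP HOSTNAME header.
    The Cisco line fails this, so a BSD-style parser keeps the whole line as MESSAGE and
    the forwarder then prepends its own date and host: the duplication seen in the thread."""
    m = PRI_RE.match(line)
    body = m.group(2) if m else line
    return BSD_HDR_RE.match(body) is not None

def parse_cisco(line: str) -> CiscoMsg:
    m = PRI_RE.match(line)
    if m is None or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range <PRI>")
    pri, body = int(m.group(1)), m.group(2)
    ts = None
    t = CISCO_TS_RE.match(body)
    if t:
        ts, body = t.group(1), body[t.end():]
    p = MNEMONIC_RE.match(body)
    if p:
        return CiscoMsg(pri >> 3, pri & 7, ts, p.group(1), p.group(2))
    return CiscoMsg(pri >> 3, pri & 7, ts, None, body)

def to_bsd(line: str, host: str) -> str:
    """Re-emit with a strict RFC 3164 header (msec and zone dropped; host is assumed
    to be the name the collector knows the sending device by)."""
    m = parse_cisco(line)
    if m.timestamp is None or m.program is None:
        raise ValueError("not a Cisco IOS formatted line")
    return f"<{m.facility * 8 + m.severity}>{m.timestamp[:15]} {host} {m.program}: {m.message}"
```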