Invalid parsing of syslog messages having timezone
Hi,
Following is the syslog message received from Cisco router:
*Mar 1 09:30:25.249 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to down
As you can see, UTC is included in the above timestamp. That is why value of $PROGRAM is UTC and $MSGONLY is %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to down.
What should I include in the syslog-ng.conf so that time zone is ignored?
*RANT ON*
cisco logging is the worst. For instance, the * at the beginning of the line indicates that the clock on the device is not synchronized with an external time clock. Great news cisco, but now it is not a valid time stamp!
*RANT OFF*
We use a pattern database to rewrite poor logs prior to doing anything else with the logs. There also is not a valid program name in this syslog line, so we take the %XXXX-N-YYYY: part of the line and turn it into a program name of cisco_XXXX.
One of our transformed lines of the same kind looks like
2016-06-09T07:17:23-07:00 device.hostname.domain local7.notice cisco_LINEPROTO: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/4, changed state to up
If you are interested in this contact me off-list and I can provide the rewrite pattern database and the syslog-ng configuration snippet that uses it. We also have rewrites for netapp, ddn disk, zone minder, Intel True Scale switches and OpenManage Server Administrator.
Evan.
On 06/09/2016 02:59 AM, Nutan Shinde wrote:
Hi,
Following is the syslog message received from Cisco router:
*Mar 1 09:30:25.249 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to down
As you can see, UTC is included in the above timestamp. That is why value of $PROGRAM is UTC and $MSGONLY is %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to down.
What should I include in the syslog-ng.conf so that time zone is ignored?
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Evan Rempel
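The rewrite described in the message above, sketched in Python as an added example; it is not the pattern database or syslog-ng configuration offered in the thread. The function name `normalize`, the fallback to the collector's receive time when the `*` marker is present, and the second sample line are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Cisco body: optional "*" (clock not synchronized), "Mon D HH:MM:SS[.mmm]",
# optional zone name, then "%FACILITY-SEVERITY-MNEMONIC: text".
CISCO_RE = re.compile(
    r"^(?P<unsynced>\*)?"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?"
    r"(?: (?P<tz>[A-Za-z]+))?: "
    r"(?P<msg>%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-[A-Z0-9_]+: .*)$"
)

def normalize(body, received):
    """Return (iso_timestamp, program, msg), or None if body is not Cisco-style."""
    m = CISCO_RE.match(body)
    if m is None:
        return None  # leave other senders' lines to other rules
    stamp = received  # default: trust the collector's clock, not the device's
    if not m["unsynced"] and m["tz"] == "UTC":
        # Device claims a synchronized clock. The year is absent on the wire,
        # so borrow it from the receive time (assumption: same calendar year).
        dev = datetime.strptime(f"{received.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        stamp = dev.replace(tzinfo=timezone.utc)
    # The zone name never becomes the program; the facility does.
    return stamp.isoformat(), "cisco_" + m["facility"], m["msg"]

# Constructed receive time and inputs: the first line is the one quoted in the
# thread, the second is a made-up line without the "*" marker.
RECEIVED = datetime(2016, 6, 9, 9, 59, 0, tzinfo=timezone.utc)
SAMPLES = [
    "*Mar 1 09:30:25.249 UTC: %LINEPROTO-5-UPDOWN: Line protocol on "
    "Interface Tunnel2, changed state to down",
    "Jun 9 14:17:23.101 UTC: %SYS-5-CONFIG_I: Configured from console",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(normalize(line, RECEIVED))
```

For the `*`-marked line the device's own "Mar 1" date is discarded in favour of the receive time, which keeps an unsynchronized router from placing events months out of order in a timeline.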
Can you publish those publicly as well? Building something into syslog-ng to do this out of the box is also in my plans, and when I get there this info would be useful.
Thanks
On Jun 9, 2016 16:14, "Evan Rempel" <erempel@uvic.ca> wrote:
*RANT ON*
cisco logging is the worst. For instance, the * at the beginning of the line indicates that the clock on the device is not synchronized with an external time clock. Great news cisco, but now it is not a valid time stamp!
*RANT OFF*
We use a pattern database to rewrite poor logs prior to doing anything else with the logs. There also is not a valid program name in this syslog line, so we take the %XXXX-N-YYYY: part of the line and turn it into a program name of cisco_XXXX.
One of our transformed lines of the same kind looks like
2016-06-09T07:17:23-07:00 device.hostname.domain local7.notice cisco_LINEPROTO: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/4, changed state to up
If you are interested in this contact me off-list and I can provide the rewrite pattern database and the syslog-ng configuration snippet that uses it. We also have rewrites for netapp, ddn disk, zone minder, Intel True Scale switches and OpenManage Server Administrator.
Evan.
On 06/09/2016 02:59 AM, Nutan Shinde wrote:
Hi,
Following is the syslog message received from Cisco router:
*Mar 1 09:30:25.249 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to down
As you can see, UTC is included in the above timestamp. That is why value of $PROGRAM is UTC and $MSGONLY is %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to down.
What should I include in the syslog-ng.conf so that time zone is ignored?
-- Evan Rempel
participants (3)
- Evan Rempel
- Nutan Shinde
- Scheidler, Balázs