-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, I use the following to set the program name to the so called mnemonic: filter f_rewrite_cisco_program { match('%([^:]+):\s+([^\n]+)' value("MESSAGE") type("pcre") flags("store-matches" "nobackref")); }; rewrite r_cisco_program { set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program))); set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program))); }; But Martin from ELSA Project has a more sophisticated way to match the different types of timestamps included in the cisco message (it depends on your log timestamp configuration): filter f_rewrite_cisco_program { match('^(%[A-Z]+\-\d\-[0-9A-Z]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); }; filter f_rewrite_cisco_program_2 { match('^[\*\.]?(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?(?: [A-Z]{3})?: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); }; filter f_rewrite_cisco_program_3 { match('^\d+[ywdh]\d+[ywdh]: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); }; filter f_rewrite_cisco_program_4 { match('^\d{6}: [\*\.]?(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?(?: [A-Z]{3})?: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); }; rewrite r_cisco_program { set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program) or filter(f_rewrite_cisco_program_2) or filter(f_rewrite_cisco_program_3) or filter(f_rewrite_cisco_program_4))); set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program) or filter(f_rewrite_cisco_program_2) or filter(f_rewrite_cisco_program_3) or filter(f_rewrite_cisco_program_4))); }; hope it helps, regards, Tom On 12.10.2012 21:34, Sébastien Pasche wrote:

On 10/12/2012 06:04 PM, Evan Rempel wrote:

...

Does anyone have a pre build set of patterns/rewrite rule to rewrite all cisco logs into something that is a little more compliant?

...

We are trying to use a master pattern database to identify/classify messages, but the cisco logs don't have usable "program names" so the pattern database can't even get started :-(

...

Thanks for any pointers.

Hello :)

What I usually do is to filter with something like that :

filter ciscoIos { facility(local7) or (program("%PIX-[^-]+-[^-]+") or program("%ASA-[^-]+-[^-]+") or program("%FWSM-[^-]+-[^-]+")); };

then I send log back to 127.0.0.1 with cisco as program name and specifying the message field.

rewrite rs_cisco { set('$PROGRAM: $MESSAGE' value("MESSAGE")); set("cisco" value("PROGRAM")); };

Hope that help you..

Seb

______________________________________________________________________________

Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng

Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iD8DBQFQeHL1TCCRT+dccOYRAmKDAKDMZZ3NketEY94PN+CX2J5pa+vMkgCgo5PW GJROwdt07tKPljTiRNiaMTs= =LJfS -----END PGP SIGNATURE-----