[syslog-ng]Cisco CSS Logging

syslog-ng@lists.balabit.hu syslog-ng@lists.balabit.hu
Wed, 18 Feb 2004 17:55:26 -0500


Here are some syslog message examples and a snoop I ran:

CSS syslog-ng message:
2004.02.18 17:32:05 7 local7 info 7264 NETMAN-6: CLMcmd: sho run service
,gmetelitsa@local
Router syslog-ng message:
2004.02.18 17:37:07 NYPRRT10 local7 info 1354469: SLOT 1:Feb 18
17:37:05.268 EST: %SEC-6-IPACCESSLOGP: list 112 denied tcp 127.0.0.1(80) ->
205.241.15.99

When I snoop the line I get this. I didn't include the IP header and UDP
header as I don't think it's pertinent.
CSS syslog payload message:
SYSLOG:  "<190>FEB 18 11:04:23 7/1 7187 NETMAN-6: CLMcmd: show run own"
Router payload message:
SYSLOG:  "<190>1341226: SLOT 1:Feb 18 11:12:43.016 EST: %SEC-6-IPACCES"

The payload does not contain the source IP address for either the CSS or
for a router; however, syslog-ng gets the source address/hostname of the
router but not the CSS.  Also, I see that the message payload structure is
quite different between a router and CSS.





Nate Campi <nate@campin.net>@lists.balabit.hu on 18 Feb 2004 15:04

Please respond to syslog-ng@lists.balabit.hu
Sent by:    syslog-ng-admin@lists.balabit.hu
To:    syslog-ng@lists.balabit.hu
Subject:    Re: [syslog-ng]Cisco CSS Logging




On Wed, Feb 18, 2004 at 01:21:19PM -0500, Gary.Metelitsa@us.hsbc.Com wrote:
> I'm running syslog-ng 1.6.0rc.1 It is not able to pick up the IP address
> coming from a Cisco Content Switch (formerly Arrowpoint) generated syslog
> message.  All other routers and switches have their ip address.  Regular
> syslog picks up the IP address field.  Has anyone come across this?

Gary,

Please supply a log example, I'm not sure what you mean.
--
Nate

IMHO one should have to pass a test on DNS before publishing a CNAME. ;)
 - Greg White

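Added example (not part of the original thread, and not syslog-ng's own parser): a simplified RFC 3164 header split run over the two payloads from the snoop output, showing where a receiver would take the host field from in each case. The timestamp check, the name `parse_rfc3164` and the 192.0.2.x peer addresses are assumptions constructed for illustration.

```python
import re

# Payloads copied from the snoop output in the message (the router one is cut off there).
CSS_PAYLOAD = "<190>FEB 18 11:04:23 7/1 7187 NETMAN-6: CLMcmd: show run own"
ROUTER_PAYLOAD = "<190>1341226: SLOT 1:Feb 18 11:12:43.016 EST: %SEC-6-IPACCES"

FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

PRI_RE = re.compile(r"^<(\d{1,3})>")
# Assumption: only the "Mmm dd hh:mm:ss" shape is checked, not the month's spelling or case.
TS_RE = re.compile(r"^([A-Za-z]{3} [ \d]\d \d\d:\d\d:\d\d) ")


def parse_rfc3164(payload, peer_addr):
    """Split a BSD-syslog payload; peer_addr is the datagram's UDP source address."""
    pri, rest = 13, payload              # RFC 3164 default when PRI is unusable: user.notice
    m = PRI_RE.match(payload)
    if m and int(m.group(1)) <= 191:
        pri, rest = int(m.group(1)), payload[m.end():]
    rec = {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7]}
    ts = TS_RE.match(rest)
    if ts:
        # Header looks valid, so the next token is trusted as HOSTNAME,
        # whatever the device actually put there.
        host, _, msg = rest[ts.end():].partition(" ")
        rec.update(timestamp=ts.group(1), host=host, host_from="payload", msg=msg)
    else:
        # No leading timestamp: nothing in the payload names the sender, so
        # the receiver can only attribute the message to the packet source.
        rec.update(timestamp=None, host=peer_addr, host_from="packet", msg=rest)
    return rec


if __name__ == "__main__":
    # Peer addresses are constructed documentation addresses, not from the thread.
    for name, payload, peer in (("CSS", CSS_PAYLOAD, "192.0.2.10"),
                                ("router", ROUTER_PAYLOAD, "192.0.2.20")):
        r = parse_rfc3164(payload, peer)
        print(f"{name:6} {r['facility']}.{r['severity']} host={r['host']!r} "
              f"(from {r['host_from']}) msg={r['msg']!r}")
```

For the CSS payload the host slot receives `7/1`, where the stored line in the message shows `7` in that position; the router payload yields no host from its header, so the packet's source address is used instead.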