[syslog-ng]Cisco CSS Logging

Nate Campi syslog-ng@lists.balabit.hu
Wed, 18 Feb 2004 15:23:35 -0800

On Wed, Feb 18, 2004 at 05:55:26PM -0500, Gary.Metelitsa@us.hsbc.Com wrote:
> Here are some syslog message examples and a snoop I ran:
> CSS syslog-ng message:
> 2004.02.18 17:32:05 7 local7 info 7264 NETMAN-6: CLMcmd: sho run service
> ,gmetelitsa@local
> Router syslog-ng message:
> 2004.02.18 17:37:07 NYPRRT10 local7 info 1354469: SLOT 1:Feb 18
> 17:37:05.268 EST: %SEC-6-IPACCESSLOGP: list 112 denied tcp ->
> When I snoop the line I get this: I didn't include the IP header and UDP
> header as I don't think its pertinent.
> CSS syslog payload message:
> SYSLOG:  "<190>FEB 18 11:04:23 7/1 7187 NETMAN-6: CLMcmd: show run own"
> Router payload message:
> SYSLOG:  "<190>1341226: SLOT 1:Feb 18 11:12:43.016 EST: %SEC-6-IPACCES"
> The payload does not contain the source IP address for either the CSS or
> for a router, however, syslog-ng gets the source address/hostname of the
> router but not the CSS.  Also, I see that
> the message payload structure is quite different between a router and CSS.

syslog-ng makes a best guess about the fields of incoming syslog
messages, but sometimes guesses wrong. syslog messages are different,
depending on the source. See:



You should show how syslog-ng is recording the messages to your logfiles
(assuming you're logging to files) and it'll be absolutely clear. My
guess is that syslog-ng thinks that "7/1" is the hostname, or something
like that. I've had similar problems:


..and the fix:


The "bad_hostname()" feature will help. See this example syslog-ng.conf
for example usage:



"Reader, suppose you were an idiot. And suppose you were a member of 
Congress. But I repeat myself." - Samuel Clemens