[syslog-ng]Cisco CSS Logging

Nate Campi syslog-ng@lists.balabit.hu
Wed, 18 Feb 2004 15:23:35 -0800


On Wed, Feb 18, 2004 at 05:55:26PM -0500, Gary.Metelitsa@us.hsbc.Com wrote:
> 
> Here are some syslog message examples and a snoop I ran:
> 
> CSS syslog-ng message:
> 2004.02.18 17:32:05 7 local7 info 7264 NETMAN-6: CLMcmd: sho run service
> ,gmetelitsa@local
> Router syslog-ng message:
> 2004.02.18 17:37:07 NYPRRT10 local7 info 1354469: SLOT 1:Feb 18
> 17:37:05.268 EST: %SEC-6-IPACCESSLOGP: list 112 denied tcp 127.0.0.1(80) ->
> 205.241.15.99
> 
> When I snoop the line I get this: I didn't include the IP header and UDP
> header as I don't think it's pertinent.
> CSS syslog payload message:
> SYSLOG:  "<190>FEB 18 11:04:23 7/1 7187 NETMAN-6: CLMcmd: show run own"
> Router payload message:
> SYSLOG:  "<190>1341226: SLOT 1:Feb 18 11:12:43.016 EST: %SEC-6-IPACCES"
> 
> The payload does not contain the source IP address for either the CSS or
> for a router, however, syslog-ng gets the source address/hostname of the
> router but not the CSS.  Also, I see that
> the message payload structure is quite different between a router and CSS.

syslog-ng makes a best guess about the fields of incoming syslog
messages, but sometimes guesses wrong. syslog messages are different,
depending on the source. See:

 http://lists.jammed.com/loganalysis/2002/01/0021.html

 http://www.faqs.org/rfcs/rfc3164.html

You should show how syslog-ng is recording the messages to your logfiles
(assuming you're logging to files) and it'll be absolutely clear. My
guess is that syslog-ng thinks that "7/1" is the hostname, or something
like that. I've had similar problems:

 https://lists.balabit.hu/pipermail/syslog-ng/2003-January/004334.html

...and the fix:

 https://lists.balabit.hu/pipermail/syslog-ng/2003-January/004412.html

The "bad_hostname()" feature will help. See this example syslog-ng.conf
for example usage:

 http://www.campin.net/syslog-ng/solaris-conf.txt

-- 
Nate

"Reader, suppose you were an idiot. And suppose you were a member of 
Congress. But I repeat myself." - Samuel Clemens
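As an added illustration (not part of Nate's message or the linked syslog-ng.conf), the parser below mimics the RFC 3164 header heuristic the reply describes: after the PRI, a token that follows a valid TIMESTAMP is taken as HOSTNAME, so the CSS payload's "7/1" gets recorded as the host, while the router payload has no leading TIMESTAMP and is attributed to the sender's address. The sender IPs and the reject regex passed as `bad_hostname` are constructed assumptions modelled on syslog-ng's option of that name, not its actual implementation.

```python
import re
from typing import Optional

# Constructed samples, copied from the snoop payloads quoted in the thread.
CSS_PAYLOAD = '<190>FEB 18 11:04:23 7/1 7187 NETMAN-6: CLMcmd: show run own'
ROUTER_PAYLOAD = '<190>1341226: SLOT 1:Feb 18 11:12:43.016 EST: %SEC-6-IPACCES'

PRI_RE = re.compile(r'^<(\d{1,3})>(.*)$', re.DOTALL)
# RFC 3164 TIMESTAMP is "Mmm dd hh:mm:ss" (day may be space-padded);
# the CSS sends the month in upper case, so letters are matched case-insensitively.
TS_RE = re.compile(r'^([A-Za-z]{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$', re.DOTALL)


def parse_rfc3164(payload: str, sender_ip: str, bad_hostname: Optional[str] = None) -> dict:
    """Best-effort header parse in the style of a classic syslog daemon.

    If a TIMESTAMP follows the PRI, the next whitespace-delimited token is taken
    as HOSTNAME; if there is no TIMESTAMP, the header is treated as absent and the
    sender's address is used.  A bad_hostname regex (assumed here, modelled on the
    syslog-ng option) rejects a token that matched as hostname and pushes it back
    into the message text, falling back to the sender's address.
    """
    m = PRI_RE.match(payload)
    if not m:
        raise ValueError('missing PRI')
    facility, severity = divmod(int(m.group(1)), 8)  # <190> -> local7 (23), info (6)
    rest = m.group(2)
    ts = TS_RE.match(rest)
    if ts:
        timestamp, host, msg = ts.groups()
        if bad_hostname and re.search(bad_hostname, host):
            msg = host + ' ' + msg
            host = sender_ip
    else:
        timestamp, host, msg = None, sender_ip, rest
    return {'facility': facility, 'severity': severity,
            'timestamp': timestamp, 'host': host, 'msg': msg}


if __name__ == '__main__':
    # Constructed sender addresses; the reject pattern targets "slot/port"-style tokens.
    print(parse_rfc3164(CSS_PAYLOAD, '10.0.0.1'))                              # host '7/1'
    print(parse_rfc3164(CSS_PAYLOAD, '10.0.0.1', bad_hostname=r'^\d+/\d+$'))   # host '10.0.0.1'
    print(parse_rfc3164(ROUTER_PAYLOAD, '10.0.0.2'))                           # host '10.0.0.2'
```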