[syslog-ng] Cisco Catalyst switches

Evan Rempel erempel at uvic.ca
Fri Dec 14 23:12:12 CET 2007


Really Cisco should update their gear to send properly formatted syslog messages.

The leading number is an event number, which will be an ever-incrementing number.
This was done because standard syslog does not support fine enough timestamps (milliseconds)
and standard syslog does not guarantee the order of messages, and because the Cisco
gear can generate hundreds of messages per second. Given all of this, getting the events
in the correct order was near impossible, so Cisco added the event number; however, they added
it in the wrong location and screwed up the syslog message format.

Evan.

Charles Mattair wrote:
> We've recently started getting traffic from catalyst switches and
> it doesn't parse well.
> 
> The start of a message looks like:
>      445750: Dec 14 11:23:27: %SW_MATM-4-MACFLAP_NOTIF: Host 0201.0000.0000 in v...
> 
> The event id (445750) looks like a program id (the parser sees everything
> else as missing) and the date becomes part of the message text.
> 
> Are there any plans to "teach" the parser to recognize this format?  We
> noticed it recognizes PIX formats with a colon following the date so it
> doesn't seem too out of line.  If there aren't, we'll generate mods and
> submit them.
> 
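As an added example (not part of this thread and not syslog-ng's own parser), the following Python recognizes the Cisco Catalyst line shape quoted above, where the leading sequence number sits where a standard BSD syslog parser expects the timestamp, pulls out the sequence number, timestamp, facility/severity/mnemonic tag and message text, and falls back to a classic BSD-style parse for ordinary hosts. It also shows the two things the sequence number is useful for on the receiving side: restoring the order Evan describes (the one-second timestamp is too coarse and delivery order is not guaranteed), and spotting gaps that indicate dropped messages. The sample lines, hostnames and addresses are constructed for the example; the regular expressions are my own and assume the common `service timestamps log datetime msec` style (optional `.mmm` fraction, optional `*` or `.` clock-status marker before the date).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Cisco IOS style as seen in the thread:
#   "<seq>: <Mon dd hh:mm:ss[.mmm]>: %FACILITY-SEV-MNEMONIC: text"
# An optional "<PRI>" may precede it when received over the network, and
# an optional "*" or "." before the date marks a non-authoritative clock.
CISCO_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<seq>\d+):\s+"
    r"(?:[*.])?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<msg>.*)$"
)

# Classic BSD syslog: "<PRI>Mon dd hh:mm:ss host program[pid]: text"
BSD_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<msg>.*)$"
)


@dataclass
class ParsedMessage:
    source: str              # "cisco" or "bsd"
    seq: Optional[int]       # Cisco sequence number, None for BSD lines
    timestamp: str
    program: str             # FACILITY-SEV-MNEMONIC for Cisco, program name for BSD
    severity: Optional[int]  # Cisco severity digit (0-7), None for BSD lines
    message: str


def parse_line(line: str) -> Optional[ParsedMessage]:
    """Try the Cisco shape first (it is the more specific one), then BSD."""
    m = CISCO_RE.match(line)
    if m:
        return ParsedMessage(
            source="cisco",
            seq=int(m["seq"]),
            timestamp=m["ts"],
            program=f"{m['facility']}-{m['severity']}-{m['mnemonic']}",
            severity=int(m["severity"]),
            message=m["msg"],
        )
    m = BSD_RE.match(line)
    if m:
        return ParsedMessage(
            source="bsd", seq=None, timestamp=m["ts"],
            program=m["program"], severity=None, message=m["msg"],
        )
    return None  # neither shape; leave for a catch-all path


def order_cisco_events(lines: List[str]) -> List[ParsedMessage]:
    """Restore device order using the sequence number instead of the
    one-second timestamp or the order the datagrams happened to arrive in."""
    parsed = [p for p in map(parse_line, lines) if p is not None and p.seq is not None]
    return sorted(parsed, key=lambda p: p.seq)


def sequence_gaps(events: List[ParsedMessage]) -> List[int]:
    """Sequence numbers missing between consecutive ordered events; a gap
    means messages were lost in transit or dropped on the device."""
    gaps: List[int] = []
    for a, b in zip(events, events[1:]):
        gaps.extend(range(a.seq + 1, b.seq))
    return gaps


# Constructed sample input: three Catalyst lines arriving out of order, one
# with PRI and millisecond timestamp, one ordinary BSD line, and a later
# Catalyst line whose sequence number reveals two lost messages.
SAMPLE = [
    "445751: Dec 14 11:23:27: %SW_MATM-4-MACFLAP_NOTIF: Host 0201.0000.0000 in vlan 10 is flapping between port Gi1/0/1 and port Gi1/0/2",
    "445750: Dec 14 11:23:27: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down",
    "<190>445752: Dec 14 11:23:27.123: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.10 port 514 started",
    "Dec 14 11:23:27 server1 sshd[1234]: Accepted publickey for alice from 192.0.2.7 port 50222 ssh2",
    "445755: Dec 14 11:23:28: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_line(line))
    ordered = order_cisco_events(SAMPLE)
    print("ordered:", [p.seq for p in ordered])
    print("missing:", sequence_gaps(ordered))
```

Trying the Cisco pattern before the BSD one matters: the BSD pattern would otherwise swallow the sequence number as a hostname or program, which is exactly the mis-parse described in the question.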

