[syslog-ng] Syslog-NG interpreting Cisco message 'count' number as $Program

Clayton Dukes cdukes at gmail.com
Thu Oct 22 00:06:36 CEST 2009


Not that this helps, but your timestamps aren't configured on that switch :-)
If you're using the latest version of php-syslog-ng (2.9.9x) then you
can tell it to skip showing the sequence numbers in the config.php
file.
Also, the new version allows you to rewrite fields in the db_insert.pl
script so you could leave them off altogether if you wanted to.
If you need help with php-syslog-ng just let me know - it's my project :-)


On Wed, Oct 21, 2009 at 5:52 PM, Patrick Smith <patrick at paypros.com> wrote:
> If I can't stop the switches from sending it then I'll just make an additional source/destination statement to deal with them and leave the $program part out.  I do find it handy when searching through logs directly on the filesystem to have them broken down by origin (snmp or wherever).  I haven't started piping them to my new php-syslog-ng install but I'm sure in the present format I'd flood the Program fields with those numbers.
>
> I am sure the sequence/count numbers are coming from the switches.  Tcpdump shows a Msg number which matches the number prepended on the file.
>
> tcpdump -nvv host 2960switch04
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 14:44:32.013692 IP (tos 0x0, ttl 254, id 69, offset 0, flags [none], proto: UDP (17), length: 131) <src_ip>.57127 > <syslog-ng host ip>.syslog: SYSLOG, length: 103
>        Facility local7 (23), Severity notice (5)
>        Msg: 119: 1d04h: %LINK-5-CHANGED: Interface GigabitEth[|syslog]
>
> Results in a file on the syslog-ng server called 119-2009-10-21.log
>
> Thanks for your time,
> Patrick
>
>
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Clayton Dukes
> Sent: Wednesday, October 21, 2009 2:30 PM
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Syslog-NG interpreting Cisco message 'count' number as $Program
>
> Hmm, then I'm not sure...maybe one of the other gurus on here will
> have some input :-)
> Have you tried not using the program field or do you really need it?
>
>
> On Wed, Oct 21, 2009 at 5:06 PM, Patrick Smith <patrick at paypros.com> wrote:
>> Thought that might be it but doesn't seem to be.  The sequence number is not present in the logs sent to the console or the buffer and not present when I open the files that are created on the syslog-ng side.  They are only present in the filename that gets created for logs coming from the Cisco switches.
>>
>> I tried the 'no service sequence-numbers' on one of the access switches to be sure and did a shut/no shut on an unused port.  Still logged the same way on the syslog-ng server.
>>
>> Patrick Smith | Systems Administrator | Payment Processing, Inc.
>> 604.609.0619 x7023 ofc | 604.609.0619 fx
>> www.paypros.com
>>
>> -----Original Message-----
>> From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Clayton Dukes
>> Sent: Wednesday, October 21, 2009 1:08 PM
>> To: Syslog-ng users' and developers' mailing list
>> Subject: Re: [syslog-ng] Syslog-NG interpreting Cisco message 'count' number as $Program
>>
>> Those are sequence numbers - you can disable them on the switch by
>> typing "no service sequence-numbers" in global config mode.
>>
>>
>> On Wed, Oct 21, 2009 at 4:01 PM, Patrick Smith <patrick at paypros.com> wrote:
>>> Hi all, wondering if anyone is familiar with this issue.  Have several Cisco
>>> switches logging to a syslog-ng server.  The syslog-ng server creates a new
>>> file for every message as it is interpreting the 'count' item added by the
>>> switch as the $program.  My configs are as follows to demonstrate what I mean:
>>>
>>> Syslog-ng.conf:
>>>
>>> destination d_all {
>>>         file("/var/log/syslog-ng/$HOST/$PROGRAM-$YEAR-$MONTH-$DAY.log");
>>> };
>>>
>>> This has always worked for me before and creates logs for each host with the
>>> program prefixed (e.g. snmp-date..., ssl_access_log-date...)
>>>
>>> But for Cisco switches it writes a new logfile for every message, with the
>>> Cisco message number (i.e. log count #) prepended.  E.g., for a 6509 switch:
>>>
>>> -rw-r--r-- 1 syslog-ng wheel 165 Oct 21 11:51 1655156-2009-10-21.log
>>> -rw-r--r-- 1 syslog-ng wheel 168 Oct 21 11:51 1655157-2009-10-21.log
>>> -rw-r--r-- 1 syslog-ng wheel 147 Oct 21 11:51 1655158-2009-10-21.log
>>> -rw-r--r-- 1 syslog-ng wheel 150 Oct 21 11:51 1655159-2009-10-21.log
>>> -rw-r--r-- 1 syslog-ng wheel 154 Oct 21 11:52 1655160-2009-10-21.log
>>>
>>> * where 16551xx is the count of the log message on the switch
>>>
>>> And each of those files contains one log message, e.g.
>>>
>>> syslog-ng # cat 1655156-2009-10-21.log
>>> Oct 21 11:51:15 6509switch1 1655156: Oct 21 18:51:14.922: %LINK-5-CHANGED:
>>> Interface GigabitEthernet3/35, changed state to administratively down
>>>
>>> For reference, the logging on the switches is set as:
>>>
>>> 6509s:
>>> service timestamps log datetime msec
>>> logging buffered 20000 debugging
>>> logging rate-limit 1000
>>> log-adjacency-changes
>>> logging <syslog host IP>
>>> logging synchronous
>>>
>>> 2960s:
>>> service timestamps log uptime
>>> logging buffered 20000
>>> logging <syslog host IP>
>>> logging synchronous
>>>
>>> I'm thinking I could have a separate destination statement to properly deal
>>> with these but I'm wondering if there's any other steps I can take to
>>> mitigate it.  I have several Cisco firewalls logging to syslog-ng and they
>>> do not have the same issue.
>>>
>>> Thanks for any help.
>>>
>>> IMPORTANT NOTICE
>>>
>>> THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are
>>> proprietary and confidential information intended only for the use of the
>>> recipient(s) named above. If you are not the intended recipient, you may not
>>> print, distribute, or copy this message or any attachments. If you have
>>> received this communication in error, please notify the sender by return
>>> e-mail and delete this message and any attachments from your computer. Learn
>>> more about Payment Processing's services at www.paypros.com.
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation:
>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.campin.net/syslog-ng/faq.html



-- 
______________________________________________________________

Clayton Dukes
______________________________________________________________
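The parsing failure the thread describes, modelled as an added Python example (it is not syslog-ng's code and not from any of the posts): a BSD-syslog style parser takes the leading token of the message as $PROGRAM, so a Cisco sequence number lands in the filename, whereas matching the IOS `%FACILITY-SEVERITY-MNEMONIC:` layout yields a stable program name with or without sequence numbers. The sample messages are constructed to mirror the shapes quoted in the thread; the path template is the one from the original destination statement.

```python
import re

# Constructed sample MSG parts (after the "<PRI>" syslog header); they mirror
# the message shapes discussed in the thread, not captured data from its hosts.
CISCO_6509 = ("1655156: Oct 21 18:51:14.922: %LINK-5-CHANGED: Interface "
              "GigabitEthernet3/35, changed state to administratively down")
CISCO_2960 = "119: 1d04h: %LINK-5-CHANGED: Interface GigabitEthernet0/3, changed state to down"
UNIX_SSHD = "sshd[1234]: Accepted publickey for ops from 192.0.2.10 port 51234"

def legacy_program(msg):
    """Model of a BSD-syslog parser's $PROGRAM: the leading token up to the
    first ':' or whitespace, with any "[pid]" dropped. A Cisco sequence number
    sits exactly where a program name is expected, so it wins."""
    m = re.match(r"([^\s:\[]+)", msg)
    return m.group(1) if m else ""

# Cisco IOS layout: optional "<seq>: ", optional timestamp ("1d04h" uptime or
# "Oct 21 18:51:14.922" datetime, with or without a leading '*'), then
# "%FACILITY-SEVERITY-MNEMONIC: text".
CISCO_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:(?P<ts>\*?(?:\d+[dwh][\dhm]*|[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?)): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

def parse_cisco(msg):
    """Return the Cisco fields as a dict, or None if the message is not IOS-shaped."""
    m = CISCO_RE.match(msg)
    return m.groupdict() if m else None

def program_for_file(msg):
    """$PROGRAM to use in the destination template: the Cisco facility when the
    message is IOS-shaped (never the sequence number), else the legacy token."""
    fields = parse_cisco(msg)
    return fields["facility"] if fields else legacy_program(msg)

def log_path(host, msg, date, fixed=True):
    """Mirror of file("/var/log/syslog-ng/$HOST/$PROGRAM-$YEAR-$MONTH-$DAY.log")."""
    program = program_for_file(msg) if fixed else legacy_program(msg)
    return f"/var/log/syslog-ng/{host}/{program}-{date}.log"

if __name__ == "__main__":
    for name, msg in (("6509", CISCO_6509), ("2960", CISCO_2960), ("sshd", UNIX_SSHD)):
        print(name, log_path("host", msg, "2009-10-21", fixed=False), "->",
              log_path("host", msg, "2009-10-21"))
```

Running it shows one file per message for the legacy parse of the Cisco samples and a single LINK-2009-10-21.log once the facility is used instead; the sshd sample is unaffected either way.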

