[syslog-ng] Syslog-NG interpreting Cisco message 'count' number as $Program

Clayton Dukes cdukes at gmail.com
Fri Oct 30 15:21:48 CET 2009


I'm not a syslog-ng expert, but:

    netmask(192.168.10.9)

You can use wildcards (or regex) here; also, shouldn't that be host and not
netmask?



On Fri, Oct 30, 2009 at 12:14 AM, Patrick Smith <patrick at paypros.com> wrote:

> Now that my mysql pipe issues are sorted out, I thought I'd post back with my
> hackaround for this issue.  I did find an old post with an explanation as to
> where the numbers come from:
> https://lists.balabit.hu/pipermail/syslog-ng/2007-December/011057.html
> So, trusting that is true, they are event numbers, not count or sequence
> numbers.  I haven't found any documentation on event numbers yet, maybe it's
> just another term for sequence numbers, but if that were the case I should
> have been able to turn them off.
>
> Don't have a lot of time to look for a better fix so for now I just did the
> following, if it helps anyone.
>
> # Local file destination sorted by host, program
> destination d_localfiles {
>         file("/var/log/syslog-ng/$HOST/$PROGRAM-$YEAR-$MONTH-$DAY.log");
> };
>
> # Local file destination sorted by host only, no program (currently only
> # used by Cisco switches)
> destination d_localfiles-noProgram {
>         file("/var/log/syslog-ng/$HOST/$YEAR-$MONTH-$DAY.log");
> };
>
> # Filter listing all cisco switches (could be a pain to manage in large
> # environments)
> filter f_ciscosw {
>         netmask(192.168.10.8) or
>         netmask(192.168.10.9) or
>         netmask(192.168.10.10) or
>         netmask(192.168.10.11) or
>         netmask(192.168.10.12) or
>         netmask(192.168.10.13) or
>         netmask(192.168.10.12) or
>         netmask(192.168.10.24);
> };
>
> # Filter for all other hosts
> filter f_allsystem {
>         facility(local0,local1,local2,local3,local4,local5,local6,local7)
>         and not filter(f_ciscosw);
> };
>
> # Pipe to mysql; putting Cisco switch messages through the same pipe seems to
> # work fine, i.e. it does not write the event number in the program field.
> # (Pipe is the default used in the logzilla 2.9.9n wiki install guide.)
> log { source(s_remote); filter(f_allsystem); destination(d_mysql); };
> log { source(s_remote); filter(f_ciscosw); destination(d_mysql); };
>
> # Log declarations, one for Cisco switches, the other for everything else.
> log { source(s_remote); filter(f_allsystem); destination(d_localfiles); };
> log { source(s_remote); filter(f_ciscosw); destination(d_localfiles-noProgram); };
>
> Cheers.
>
> ________________________________
>
> From: syslog-ng-bounces at lists.balabit.hu on behalf of Clayton Dukes
> Sent: Wed 10/21/2009 3:06 PM
>  To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Syslog-NG interpreting Cisco message 'count' number
> as $Program
>
>
>
> Not that this helps, but your timestamps aren't configured on that switch
> :-)
> If you're using the latest version of php-syslog-ng (2.9.9x) then you
> can tell it to skip showing the sequence numbers in the config.php
> file.
> Also, the new version allows you to rewrite fields in the db_insert.pl
> script so you could leave them off altogether if you wanted to.
> If you need help with php-syslog-ng just let me know - it's my project :-)
>
>
> On Wed, Oct 21, 2009 at 5:52 PM, Patrick Smith <patrick at paypros.com>
> wrote:
> > If I can't stop the switches from sending it then I'll just make
> additional source/destination statement to deal with them and leave the
> $program part out.  I do find it handy when searching through logs directly
> on the filesystem to have them broken down by origin (snmp or wherever).  I
> haven't started piping them to my new php-syslog-ng install but I'm sure in
> the present format I'd flood the Program fields with those numbers in the
> current state.
> >
> > I am sure the sequence/count numbers are coming from the switches.
>  Tcpdump shows a Msg number which matches the number prepended on the file.
> >
> > tcpdump -nvv host 2960switch04
> > tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> > 14:44:32.013692 IP (tos 0x0, ttl 254, id 69, offset 0, flags [none], proto: UDP (17), length: 131) <src_ip>.57127 > <syslog-ng host ip>.syslog: SYSLOG, length: 103
> >        Facility local7 (23), Severity notice (5)
> >        Msg: 119: 1d04h: %LINK-5-CHANGED: Interface GigabitEth[|syslog]
> >
> > Results in a file on the syslog-ng server called 119-2009-10-21.log
> >
> > Thanks for your time,
> > Patrick
> >
> >
> > -----Original Message-----
> > From: syslog-ng-bounces at lists.balabit.hu [mailto:
> syslog-ng-bounces at lists.balabit.hu] On Behalf Of Clayton Dukes
> > Sent: Wednesday, October 21, 2009 2:30 PM
> > To: Syslog-ng users' and developers' mailing list
> > Subject: Re: [syslog-ng] Syslog-NG interpreting Cisco message 'count'
> > number as $Program
> >
> > Hmm, then I'm not sure...maybe one of the other gurus on here will
> > have some input :-)
> > Have you tried not using the program field or do you really need it?
> >
> >
> > On Wed, Oct 21, 2009 at 5:06 PM, Patrick Smith <patrick at paypros.com>
> wrote:
> >> Thought that might be it but doesn't seem to be.  The sequence number is
> not present in the logs sent to the console or the buffer and not present
> when I open the files that are created on the syslog-ng side.  They are only
> present in the filename that gets created for logs coming from the Cisco
> switches.
> >>
> >> I tried the 'no service sequence-numbers' on one of the access switches
> to be sure and did a shut/no shut on an unused port.  Still logged the same
> way on the syslog-ng server.
> >>
> >> Patrick Smith | Systems Administrator | Payment Processing, Inc.
> >> 604.609.0619 x7023 ofc | 604.609.0619 fx
> >> www.paypros.com
> >>
> >> -----Original Message-----
> >> From: syslog-ng-bounces at lists.balabit.hu [mailto:
> syslog-ng-bounces at lists.balabit.hu] On Behalf Of Clayton Dukes
> >> Sent: Wednesday, October 21, 2009 1:08 PM
> >> To: Syslog-ng users' and developers' mailing list
> >> Subject: Re: [syslog-ng] Syslog-NG interpreting Cisco message 'count'
> >> number as $Program
> >>
> >> Those are sequence numbers - you can disable them on the switch by
> >> typing "no service sequence-numbers" in global config mode.
> >>
> >>
> >> On Wed, Oct 21, 2009 at 4:01 PM, Patrick Smith <patrick at paypros.com>
> wrote:
> >>> Hi all, wondering if anyone is familiar with this issue.  Have several Cisco
> >>> switches logging to a syslog-ng server.  The syslog-ng server creates a new
> >>> file for every message as it is interpreting the 'count' item added by the
> >>> switch as the $program.  My configs as follows to demonstrate what I mean:
> >>>
> >>> Syslog-ng.conf:
> >>>
> >>> destination d_all {
> >>>         file("/var/log/syslog-ng/$HOST/$PROGRAM-$YEAR-$MONTH-$DAY.log");
> >>> };
> >>>
> >>> This has always worked for me before and creates logs for each host with the
> >>> program prefixed (e.g. snmp-date..., ssl_access_log-date...)
> >>>
> >>> But for Cisco switches it writes a new logfile for every message, with the
> >>> Cisco message number (i.e. log count #) prepended.  E.g., for a 6509 switch:
> >>>
> >>> -rw-r--r-- 1 syslog-ng wheel 165 Oct 21 11:51 1655156-2009-10-21.log
> >>> -rw-r--r-- 1 syslog-ng wheel 168 Oct 21 11:51 1655157-2009-10-21.log
> >>> -rw-r--r-- 1 syslog-ng wheel 147 Oct 21 11:51 1655158-2009-10-21.log
> >>> -rw-r--r-- 1 syslog-ng wheel 150 Oct 21 11:51 1655159-2009-10-21.log
> >>> -rw-r--r-- 1 syslog-ng wheel 154 Oct 21 11:52 1655160-2009-10-21.log
> >>>
> >>> * where 16551xx is the count of the log message on the switch
> >>>
> >>> And each of those files contains one log message, e.g.
> >>>
> >>> syslog-ng # cat 1655156-2009-10-21.log
> >>> Oct 21 11:51:15 6509switch1 1655156: Oct 21 18:51:14.922: %LINK-5-CHANGED:
> >>> Interface GigabitEthernet3/35, changed state to administratively down
> >>>
> >>> For reference, the logging on the switches is set as:
> >>>
> >>> 6509s:
> >>> service timestamps log datetime msec
> >>> logging buffered 20000 debugging
> >>> logging rate-limit 1000
> >>> log-adjacency-changes
> >>> logging <syslog host IP>
> >>> logging synchronous
> >>>
> >>> 2960s:
> >>> service timestamps log uptime
> >>> logging buffered 20000
> >>> logging <syslog host IP>
> >>> logging synchronous
> >>>
> >>> I'm thinking I could have a separate destination statement to properly deal
> >>> with these but I'm wondering if there are any other steps I can take to
> >>> mitigate it.  I have several Cisco firewalls logging to syslog-ng and they
> >>> do not have the same issue.
> >>>
> >>> Thanks for any help.
> >>>
> >>> IMPORTANT NOTICE
> >>>
> >>> THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments
> are
> >>> proprietary and confidential information intended only for the use of
> the
> >>> recipient(s) named above. If you are not the intended recipient, you
> may not
> >>> print, distribute, or copy this message or any attachments. If you have
> >>> received this communication in error, please notify the sender by
> return
> >>> e-mail and delete this message and any attachments from your computer.
> Learn
> >>> more about Payment Processing's services at www.paypros.com.
> >>>
> ______________________________________________________________________________
> >>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> >>> Documentation:
> >>> http://www.balabit.com/support/documentation/?product=syslog-ng
> >>> FAQ: http://www.campin.net/syslog-ng/faq.html
> >>>
> >>>
> >>>
> >>
> >>
> >>
> >> --
> >> ______________________________________________________________
> >>
> >> Clayton Dukes
> >> ______________________________________________________________
> >>
> >>
> >>
> >
> >
> >
> >
> >
>
>
>
>
>
>


-- 
______________________________________________________________

Clayton Dukes
______________________________________________________________
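The root cause the thread circles around (an IOS datagram carries no timestamp/hostname header, so a BSD-style collector takes the sequence number that opens the message as the program tag) modelled in code, as an added example that is not part of the original posts and not syslog-ng's parser. The parser below is a deliberately simplified RFC 3164-style splitter; the sample datagrams are constructed from the tcpdump and log excerpts in the thread (PRI 189 = local7.notice); Event, parse_bsd, normalize_cisco and file_path are the example's own names. It shows the numeric program the posted template turns into a file name, a content-based fix that needs no per-switch address list (numeric tag plus an IOS %FACILITY-SEVERITY-MNEMONIC in the body), and, because the tag comes from an untrusted packet and ends up in a path, a check that refuses anything that is not a plain name.

```python
"""Simplified BSD-syslog (RFC 3164 style) splitter showing why a Cisco IOS
message that begins with a sequence number gets that number as $PROGRAM.
Added example; not syslog-ng's parser.  Sample datagrams are constructed."""
import re
from dataclasses import dataclass

PRI_RE = re.compile(r"^<(\d{1,3})>")
# Legacy BSD timestamp, e.g. "Oct 21 11:51:15 "
BSD_TS_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
# Tag: program name, optional [pid], then ": "
TAG_RE = re.compile(r"^([^\s:\[]+)(?:\[(\d+)\])?: ")
# IOS message id, e.g. "%LINK-5-CHANGED:"
CISCO_MNEMONIC_RE = re.compile(r"%[A-Z0-9_]+-[0-7]-[A-Z0-9_]+:")
# Only names of this shape may become a file-name component (no leading dot,
# so ".." and "../" can never get through).
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


@dataclass
class Event:
    facility: int
    severity: int
    host: str
    program: str
    message: str


def parse_bsd(payload: str, peer: str) -> Event:
    """Split a legacy syslog datagram the way a BSD-style collector does.

    peer is the sender address (or its reverse-DNS name) and is used as the
    host when the datagram carries no "TIMESTAMP HOSTNAME " header.
    """
    m = PRI_RE.match(payload)
    if not m:
        raise ValueError("missing <PRI>")
    facility, severity = divmod(int(m.group(1)), 8)
    rest = payload[m.end():]

    host = peer
    ts = BSD_TS_RE.match(rest)
    if ts:
        # Header present: the hostname is the token after the timestamp.
        rest = rest[ts.end():]
        host, _, rest = rest.partition(" ")
    # No timestamp means no hostname either, so the next token up to ": " is
    # taken as the program tag.  For IOS that token is the sequence number
    # ("119: ", "1655156: ").
    program = ""
    tag = TAG_RE.match(rest)
    if tag:
        program = tag.group(1)
        rest = rest[tag.end():]
    return Event(facility, severity, host, program, rest)


def normalize_cisco(ev: Event, program: str = "cisco-ios") -> Event:
    """Recognise a mis-split IOS message and give it a fixed program name.

    The test is content-based (all-digit tag plus an IOS %FAC-SEV-MNEMONIC in
    the body), so no per-switch address list has to be maintained.  The IOS
    timestamp that follows the sequence number is kept in the message.
    """
    if ev.program.isdigit() and CISCO_MNEMONIC_RE.search(ev.message):
        return Event(ev.facility, ev.severity, ev.host, program, ev.message)
    return ev


def file_path(ev: Event, date: str, root: str = "/var/log/syslog-ng") -> str:
    """Path the thread's $HOST/$PROGRAM-date template would produce.

    program comes straight from the untrusted datagram, so anything that is
    not a plain name is replaced before it is used as a path component.
    """
    program = ev.program if SAFE_NAME_RE.match(ev.program) else "unknown"
    return f"{root}/{ev.host}/{program}-{date}.log"


# Constructed samples: (peer, datagram).  PRI 189 = local7.notice.
SAMPLES = [
    ("192.168.10.9", "<189>119: 1d04h: %LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to administratively down"),
    ("6509switch1", "<189>1655156: Oct 21 18:51:14.922: %LINK-5-CHANGED: Interface GigabitEthernet3/35, changed state to administratively down"),
    ("10.0.0.5", "<86>Oct 21 11:51:15 web1 sshd[4242]: Accepted publickey for admin from 10.0.0.7 port 51234 ssh2"),
    ("192.168.10.9", "<189>../../etc/cron.d: crafted tag, not an IOS message"),
]


def demo(date: str = "2009-10-21") -> list:
    """Return (raw program, path before fix, path after fix) per sample."""
    rows = []
    for peer, payload in SAMPLES:
        raw = parse_bsd(payload, peer)
        fixed = normalize_cisco(raw)
        rows.append((raw.program, file_path(raw, date), file_path(fixed, date)))
    return rows


if __name__ == "__main__":
    for raw_prog, before, after in demo():
        print(f"program={raw_prog!r:22} before={before}\n{'':31}after ={after}")
```

Running the block prints the 2960 and 6509 samples landing in 119-2009-10-21.log and 1655156-2009-10-21.log before the fix and in cisco-ios-2009-10-21.log after it, while the sshd sample is untouched and the crafted tag is mapped to unknown-... rather than used as a path. In syslog-ng itself the same content-based selection can be expressed without the address list, for example with a program() filter matching an all-digit tag feeding a rewrite rule that sets PROGRAM to a fixed value in 3.x; check the syntax against the documentation for the version in use.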