[syslog-ng] Syslog-NG interpreting Cisco message 'count' number as $Program

Patrick Smith patrick at Paypros.com
Fri Oct 30 16:32:10 CET 2009


I looked at that and in general it should work but I had two thoughts:

 

1. host() matches the hostname field in the message, so if that isn't
   configured then it will be missed.  I suppose that's something that
   should be fixed on a case by case basis though.
2. I'd prefer to use a wildcard for the netmask but there are other
   non-cisco devices on the same subnet.

 

________________________________

From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Clayton Dukes
Sent: Friday, October 30, 2009 7:22 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Syslog-NG interpreting Cisco message 'count' number as $Program

 

I'm not a syslog-ng expert, but:

netmask(192.168.10.9)

You can use wildcards (or regex) here.  Also, shouldn't that be host and
not netmask?



 

On Fri, Oct 30, 2009 at 12:14 AM, Patrick Smith <patrick at paypros.com>
wrote:

Now that my mysql pipe issues are sorted out, I thought I'd post back
with my hackaround for this issue.  I did find an old post with an
explanation as to where the numbers come from:
https://lists.balabit.hu/pipermail/syslog-ng/2007-December/011057.html
So, trusting that is true, they are event numbers, not count or sequence
numbers.  I haven't found any documentation on event numbers yet; maybe
it's just another term for sequence numbers, but if that were the case I
should have been able to turn them off.

I don't have a lot of time to look for a better fix, so for now I just
did the following, if it helps anyone.

# Local file destination sorted by host, program
destination d_localfiles {
       file("/var/log/syslog-ng/$HOST/$PROGRAM-$YEAR-$MONTH-$DAY.log");
};

# Local file destination sorted by host only, with no program in the
# file name (currently only used by Cisco switches)
destination d_localfiles-noProgram {
       file("/var/log/syslog-ng/$HOST/$YEAR-$MONTH-$DAY.log");
};

# Filter listing all cisco switches (could be a pain to manage in large
# environments)
filter f_ciscosw {      netmask(192.168.10.8) or
                       netmask(192.168.10.9) or
                       netmask(192.168.10.10) or
                       netmask(192.168.10.11) or
                       netmask(192.168.10.12) or
                       netmask(192.168.10.13) or
                       netmask(192.168.10.12) or
                       netmask(192.168.10.24); };

# Filter for all other hosts
filter f_allsystem {
       facility(local0,local1,local2,local3,local4,local5,local6,local7) and
       not filter(f_ciscosw); };

# Pipe to mysql; putting Cisco switch messages through the same pipe seems
# to work fine, i.e. it does not write the event number in the program field.
# (d_mysql is the default pipe used in the logzilla 2.9.9n wiki install guide.)
log { source(s_remote); filter(f_allsystem); destination(d_mysql); };
log { source(s_remote); filter(f_ciscosw); destination(d_mysql); };

# Log declarations, one for Cisco switches, the other for everything else.
log { source(s_remote); filter(f_allsystem); destination(d_localfiles); };
log { source(s_remote); filter(f_ciscosw); destination(d_localfiles-noProgram); };

Cheers.
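The behaviour the thread describes, modelled as an added example (not code from the thread or from syslog-ng): a simplified BSD-syslog parser whose legacy program heuristic takes the token before the first ':' as the program, which is why the Cisco event counter lands in $PROGRAM, plus the defensive counterpart of the two destinations above, dropping the program from the file name whenever it is not a usable name. The regexes, the SAFE_NAME rule and the sample lines are assumptions of this example; the samples are constructed to mirror the messages quoted in the thread.

```python
import re
from pathlib import PurePosixPath

# Constructed sample lines (assumption of this example, not captured traffic):
# the first mirrors the 6509 message quoted in the thread, the second an
# ordinary host whose program tag is a real program name.
SAMPLE_LINES = [
    "<189>Oct 21 11:51:15 6509switch1 1655156: Oct 21 18:51:14.922: "
    "%LINK-5-CHANGED: Interface GigabitEthernet3/35, changed state to "
    "administratively down",
    "<190>Oct 21 11:52:01 webhost1 ssl_access_log: 10.0.0.5 GET /index.html 200",
]

HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d "
                       r"\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$", re.S)
# Legacy BSD program heuristic (a simplified model, not syslog-ng's parser):
# the program is the token before the first ':', optionally followed by [pid].
PROGRAM_RE = re.compile(r"^(?P<prog>[^ :\[]+)(?:\[\d+\])?:\s*")
# Names allowed into a file path: no '/', no leading '.', bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def parse_bsd(line):
    """Split a BSD-style syslog line into facility, severity, host, program, message."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line")
    pm = PROGRAM_RE.match(m["msg"])
    program = pm["prog"] if pm else ""
    message = m["msg"][pm.end():] if pm else m["msg"]
    pri = int(m["pri"])
    return {"facility": pri >> 3, "severity": pri & 7, "host": m["host"],
            "program": program, "message": message}


def usable_program(program):
    """None when the 'program' is really a Cisco event counter (all digits),
    is empty, or contains characters that must never reach a file name."""
    if not program or program.isdigit():
        return None
    return program if SAFE_NAME.match(program) else None


def log_path(record, day, base="/var/log/syslog-ng"):
    """Mirror the two destinations above: $HOST/$PROGRAM-$DAY.log when the
    program is usable, $HOST/$DAY.log otherwise. The host name is also
    remote-controlled, so it gets the same validation before use."""
    host = record["host"] if SAFE_NAME.match(record["host"]) else "unknown-host"
    program = usable_program(record["program"])
    name = f"{day}.log" if program is None else f"{program}-{day}.log"
    return str(PurePosixPath(base) / host / name)
```

Because the file name is derived from fields the sending host controls, validating both $HOST and $PROGRAM before they reach the path is the check that keeps one chatty or misbehaving device from creating an unbounded number of files.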

________________________________

From: syslog-ng-bounces at lists.balabit.hu on behalf of Clayton Dukes
Sent: Wed 10/21/2009 3:06 PM

To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Syslog-NG interpreting Cisco message 'count' number as $Program



Not that this helps, but your timestamps aren't configured on that
switch :-)
If you're using the latest version of php-syslog-ng (2.9.9x) then you
can tell it to skip showing the sequence numbers in the config.php
file.
Also, the new version allows you to rewrite fields in the db_insert.pl
script so you could leave them off altogether if you wanted to.
If you need help with php-syslog-ng just let me know - it's my project
:-)


On Wed, Oct 21, 2009 at 5:52 PM, Patrick Smith <patrick at paypros.com>
wrote:
> If I can't stop the switches from sending it then I'll just make an
> additional source/destination statement to deal with them and leave the
> $program part out.  I do find it handy when searching through logs
> directly on the filesystem to have them broken down by origin (snmp or
> wherever).  I haven't started piping them to my new php-syslog-ng
> install but I'm sure in the present format I'd flood the Program fields
> with those numbers in the current state.
>
> I am sure the sequence/count numbers are coming from the switches.
> Tcpdump shows a Msg number which matches the number prepended on the
> file.
>
> tcpdump -nvv host 2960switch04
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 14:44:32.013692 IP (tos 0x0, ttl 254, id 69, offset 0, flags [none], proto: UDP (17), length: 131) <src_ip>.57127 > <syslog-ng host ip>.syslog: SYSLOG, length: 103
>        Facility local7 (23), Severity notice (5)
>        Msg: 119: 1d04h: %LINK-5-CHANGED: Interface GigabitEth[|syslog]
>
> Results in a file on the syslog-ng server called 119-2009-10-21.log
>
> Thanks for your time,
> Patrick
>
>
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Clayton Dukes
> Sent: Wednesday, October 21, 2009 2:30 PM
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Syslog-NG interpreting Cisco message 'count' number as $Program
>
> Hmm, then I'm not sure...maybe one of the other guru's on here will
> have some input :-)
> Have you tried not using the program field or do you really need it?
>
>
> On Wed, Oct 21, 2009 at 5:06 PM, Patrick Smith <patrick at paypros.com>
wrote:
>> Thought that might be it but doesn't seem to be.  The sequence number
>> is not present in the logs sent to the console or the buffer and not
>> present when I open the files that are created on the syslog-ng side.
>> They are only present in the filename that gets created for logs coming
>> from the Cisco switches.
>>
>> I tried the 'no service sequence-numbers' on one of the access
>> switches to be sure and did a shut/no shut on an unused port.  Still
>> logged the same way on the syslog-ng server.
>>
>> Patrick Smith | Systems Administrator | Payment Processing, Inc.
>> 604.609.0619 x7023 ofc | 604.609.0619 fx
>> www.paypros.com
>>
>> -----Original Message-----
>> From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Clayton Dukes
>> Sent: Wednesday, October 21, 2009 1:08 PM
>> To: Syslog-ng users' and developers' mailing list
>> Subject: Re: [syslog-ng] Syslog-NG interpreting Cisco message 'count' number as $Program
>>
>> Those are sequence numbers - you can disable them on the switch by
>> typing "no service sequence-numbers" in global config mode.
>>
>>
>> On Wed, Oct 21, 2009 at 4:01 PM, Patrick Smith <patrick at paypros.com>
wrote:
>>> Hi all, wondering if anyone is familiar with this issue.  Have several
>>> Cisco switches logging to a syslog-ng server.  The syslog-ng server
>>> creates a new file for every message as it is interpreting the 'count'
>>> item added by the switch as the $program.  My configs as follows to
>>> demonstrate what I mean:
>>>
>>> Syslog-ng.conf:
>>>
>>> destination d_all {
>>>        file("/var/log/syslog-ng/$HOST/$PROGRAM-$YEAR-$MONTH-$DAY.log");
>>> };
>>>
>>> This has always worked for me before and creates logs for each host
>>> with the program prefixed (e.g. snmp-date..., ssl_access_log-date...)
>>>
>>> But for Cisco switches it writes a new logfile for every message, with
>>> the Cisco message number (i.e. log count #) prepended.  E.g., for a
>>> 6509 switch:
>>>
>>> -rw-r--r-- 1 syslog-ng wheel 165 Oct 21 11:51 1655156-2009-10-21.log
>>> -rw-r--r-- 1 syslog-ng wheel 168 Oct 21 11:51 1655157-2009-10-21.log
>>> -rw-r--r-- 1 syslog-ng wheel 147 Oct 21 11:51 1655158-2009-10-21.log
>>> -rw-r--r-- 1 syslog-ng wheel 150 Oct 21 11:51 1655159-2009-10-21.log
>>> -rw-r--r-- 1 syslog-ng wheel 154 Oct 21 11:52 1655160-2009-10-21.log
>>>
>>> * where 16551xx is the count of the log message on the switch
>>>
>>> And each of those files contains one log message, e.g.
>>>
>>> syslog-ng # cat 1655156-2009-10-21.log
>>> Oct 21 11:51:15 6509switch1 1655156: Oct 21 18:51:14.922: %LINK-5-CHANGED: Interface GigabitEthernet3/35, changed state to administratively down
>>>
>>> For reference the logging on the switches is set as:
>>>
>>> 6509s:
>>> service timestamps log datetime msec
>>> logging buffered 20000 debugging
>>> logging rate-limit 1000
>>> log-adjacency-changes
>>> logging <syslog host IP>
>>> logging synchronous
>>>
>>> 2960s:
>>> service timestamps log uptime
>>> logging buffered 20000
>>> logging <syslog host IP>
>>> logging synchronous
>>>
>>> I'm thinking I could have a separate destination statement to properly
>>> deal with these but I'm wondering if there are any other steps I can
>>> take to mitigate it.  I have several Cisco firewalls logging to
>>> syslog-ng and they do not have the same issue.
>>>
>>> Thanks for any help.
________________________________________________________________________
______
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation:
>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>>
>>>
>>>
>>
>>
>>
>> --
>> ______________________________________________________________
>>
>> Clayton Dukes
>> ______________________________________________________________
>>
>>
>>
>
>
>
>
>








