[syslog-ng] patterndb and syslog from cisco
Yann Forum
yann.frm at gmail.com
Wed Nov 3 16:50:59 CET 2010
Hello,
I'm writing patterndb.xml files to filter syslog messages from servers and
CISCO routers. Currently, CISCO sends syslog messages in this format:
Nov 3 15:36:02 srv01.dom.test 36779: .Nov 3 14:50:30.403: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.0.0.1] [localport: 22] at 15:50:30 CET Wed Nov 3 2010
Nov 3 15:39:02 srv01.dom.test 36780: .Nov 3 14:53:30.255: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.0.0.1] [localport: 22] at 15:53:30 CET Wed Nov 3 2010
Nov 3 15:42:01 srv01.dom.test 36781: .Nov 3 14:56:30.378: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.0.0.1] [localport: 22] at 15:56:30 CET Wed Nov 3 2010
The problem comes from the program name, which changes for each message:
36779, 36780, 36781, etc. For this reason, I can't use the patterndb mechanism.
How may I solve my problem? I think it's not allowed to change the program
name with the "rewrite" rule.
I have the same problem with switches from Alcatel...
Regards,
Yann I.
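
Added example, not part of the original post: a BSD-syslog style split of the sample lines, showing that the Cisco sequence number lands in the program field while the %FACILITY-SEVERITY-MNEMONIC token stays constant and can serve as the matching key. The regexes, the `normalize` function, the fixed "cisco" label and the last sample line are assumptions made for this illustration.

```python
import re

# First three lines are from the post above (rejoined); the last is constructed for contrast.
_TAIL = "Login Success [user: user01] [Source: 10.0.0.1] [localport: 22] at "
SAMPLES = [
    "Nov 3 15:36:02 srv01.dom.test 36779: .Nov 3 14:50:30.403: "
    "%SEC_LOGIN-5-LOGIN_SUCCESS: " + _TAIL + "15:50:30 CET Wed Nov 3 2010",
    "Nov 3 15:39:02 srv01.dom.test 36780: .Nov 3 14:53:30.255: "
    "%SEC_LOGIN-5-LOGIN_SUCCESS: " + _TAIL + "15:53:30 CET Wed Nov 3 2010",
    "Nov 3 15:42:01 srv01.dom.test 36781: .Nov 3 14:56:30.378: "
    "%SEC_LOGIN-5-LOGIN_SUCCESS: " + _TAIL + "15:56:30 CET Wed Nov 3 2010",
    "Nov 3 15:43:10 srv02.dom.test sshd[4242]: Accepted password for user01",
]

# Header split: timestamp, host, then "tag:" (optionally "tag[pid]:") as program.
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<program>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Cisco body: optional device timestamp (with a leading '.' or '*' marker),
# then %FACILITY-SEVERITY-MNEMONIC: free text.
CISCO = re.compile(
    r"^(?:[.*]?(?P<dev_ts>[A-Z][a-z]{2}\s+\d{1,2} [\d:.]+): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
FIELD = re.compile(r"\[(\w+): ([^\]]*)\]")  # "[user: user01]" style pairs


def normalize(line):
    """Return a record with a stable program/key, or None if the header is unparsable."""
    h = HEADER.match(line)
    if h is None:
        return None
    rec = {"host": h["host"], "raw_program": h["program"],
           "program": h["program"], "seq": None, "key": None, "fields": {}}
    c = CISCO.match(h["msg"])
    # Rewrite only when the "program" is purely numeric AND the body is Cisco-shaped.
    if c and h["program"].isdigit():
        rec["seq"] = int(h["program"])   # the per-message counter
        rec["program"] = "cisco"         # hypothetical fixed label
        rec["key"] = f'{c["facility"]}-{c["severity"]}-{c["mnemonic"]}'
        rec["fields"] = dict(FIELD.findall(c["text"]))
    return rec


if __name__ == "__main__":
    for sample in SAMPLES:
        print(normalize(sample))
```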