[syslog-ng] patterndb and syslog from cisco

Fekete Róbert frobert at balabit.hu
Wed Nov 3 20:28:28 CET 2010


 Hi, 

AFAIK, syslog-ng Premium Edition 3.2 can recognize and properly handle this message format. I am not sure if this was already ported to OSE 3.2, I'll try to get some info on it if Bazsi does not reply sooner.

Regards, 
Robert

On Wednesday, November 03, 2010 17:40 CET, Matthew Hall <mhall at mhcomputing.net> wrote: 
 
> There are ways to enable and disable the message sequence numbering 
> and other special components of the messages on the Cisco devices 
> themselves. The numbers can be useful for finding out if your devices are 
> dropping messages somewhere.
> 
> But the more general solution is to send these to a source which has the 
> flags(no-parse) set. Then you can parse out the interesting stuff using 
> patterndb. Maybe Peter Czanik from Balabit can suggest where to find the 
> latest patterns for Cisco devices.
> 
> See this for details:
> 
> http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/index.html-single.html#reference_source_tcpudp
> 
> Good Luck,
> Matthew.
> 
> On Wednesday, November 03, 2010 08:50:59 Yann Forum wrote:
> > Hello,
> > 
> > I'm writing patterndb.xml files to filter syslog messages from servers
> > and CISCO routers. Currently, CISCO sends syslog with that format:
> > 
> > Nov  3 15:36:02 srv01.dom.test 36779: .Nov  3 14:50:30.403:
> > %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source:
> > 10.0.0.1] [localport: 22] at 15:50:30 CET Wed Nov 3 2010
> > 
> > Nov  3 15:39:02 srv01.dom.test 36780: .Nov  3 14:53:30.255:
> > %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source:
> > 10.0.0.1] [localport: 22] at 15:53:30 CET Wed Nov 3 2010
> > 
> > Nov  3 15:42:01 srv01.dom.test 36781: .Nov  3 14:56:30.378:
> > %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source:
> > 10.0.0.1] [localport: 22] at 15:56:30 CET Wed Nov 3 2010
> > 
> > The problem comes from the program name which changes for each message:
> > 36779, 36780, 36781, etc. For this reason, I can't use the patterndb
> > mechanism.
> > 
> > How may I solve my problem? I think it's not allowed to change the
> > program name with the "rewrite" rule.
> > 
> > I have the same problem with switches from Alcatel...
> > 
> > Regards,
> > 
> > Yann I.
> 
> -- 
> Matthew Hall
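Added example, not code from the thread or from syslog-ng itself: a Python stand-in for what Matthew describes, taking the line as stored (or as it arrives on a no-parse source) and pulling out the Cisco parts yourself: the sequence number that the default parser mistakes for the program name, the device timestamp with its clock-status marker, the %FACILITY-SEVERITY-MNEMONIC key that a patterndb rule would actually match on, the bracketed key: value fields, and a per-host check of the sequence numbers for dropped messages. The sample lines are constructed from the three in the question (plus a made-up login failure with a gap and a bare %SYS message); the optional year and timezone inside the device timestamp are assumptions about other IOS timestamp settings, not something the thread shows.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input, not captured from a real device: lines 1-2 are the
# stored lines from the question; line 3 is a made-up login failure with the '*'
# clock marker and a deliberate gap (36781 never arrives); line 4 is a bare IOS
# body with sequence numbers and timestamps disabled and no relay header.
SAMPLE_LINES = [
    "Nov  3 15:36:02 srv01.dom.test 36779: .Nov  3 14:50:30.403: "
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.0.0.1] "
    "[localport: 22] at 15:50:30 CET Wed Nov 3 2010",
    "Nov  3 15:39:02 srv01.dom.test 36780: .Nov  3 14:53:30.255: "
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.0.0.1] "
    "[localport: 22] at 15:53:30 CET Wed Nov 3 2010",
    "Nov  3 15:42:01 srv01.dom.test 36782: *Nov  3 14:56:30.378: "
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] "
    "[localport: 22] [Reason: Login Authentication Failed] at 15:56:30 CET Wed Nov 3 2010",
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.1)",
]

# One stored line: an optional BSD header added by the relay, then the body as the
# device sent it. Every device-side prefix is optional because each is switched by
# its own 'service ...' command; only %FACILITY-SEVERITY-MNEMONIC: is always there.
# The optional year and zone inside the timestamp are assumptions, not from the thread.
CISCO_LINE = re.compile(
    r"""^
    (?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(?P<host>[^\s:]+)\s+)?  # relay header
    (?:(?P<seq>\d+):\s+)?                                                  # sequence number
    (?:(?P<clock>[.*])?                                                    # clock-status marker
       (?P<ts>[A-Z][a-z]{2}\s+\d{1,2}(?:\s+\d{4})?\s+\d{2}:\d{2}:\d{2}
              (?:\.\d{3})?(?:\s+[A-Z]{1,5})?):\s+)?                        # device timestamp
    %(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*
    (?P<text>.*)$""",
    re.VERBOSE,
)

# "[key: value]" pairs that IOS appends to many security messages.
FIELD_RE = re.compile(r"\[([^\]:]+):\s*([^\]]*)\]")


@dataclass
class CiscoRecord:
    host: Optional[str]
    seq: Optional[int]
    clock_marker: Optional[str]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    text: str
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def program(self) -> str:
        # The stable key to match rules on; it is what the varying sequence
        # number hides when the default parser takes the number as PROGRAM.
        return f"{self.facility}-{self.severity}-{self.mnemonic}"


def parse_cisco_line(line: str) -> Optional[CiscoRecord]:
    """Parse one stored line; return None for anything that is not an IOS message."""
    m = CISCO_LINE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    fields = {k.strip().lower(): v.strip() for k, v in FIELD_RE.findall(m["text"])}
    return CiscoRecord(
        host=m["host"],
        seq=int(m["seq"]) if m["seq"] else None,
        clock_marker=m["clock"],
        timestamp=m["ts"],
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        text=m["text"],
        fields=fields,
    )


def find_sequence_gaps(records: List[Optional[CiscoRecord]]) -> List[Tuple[Optional[str], int, int]]:
    """Return (host, previous_seq, seen_seq) for every jump in the per-host
    sequence numbers; a jump of more than one means messages were lost or
    reordered somewhere between the device and the collector."""
    last: Dict[Optional[str], int] = {}
    gaps: List[Tuple[Optional[str], int, int]] = []
    for r in records:
        if r is None or r.seq is None:
            continue
        prev = last.get(r.host)
        if prev is not None and r.seq != prev + 1:
            gaps.append((r.host, prev, r.seq))
        last[r.host] = r.seq
    return gaps


if __name__ == "__main__":
    records = [parse_cisco_line(line) for line in SAMPLE_LINES]
    for r in records:
        if r is not None:
            print(r.seq, r.program, r.fields)
    for host, prev, seen in find_sequence_gaps(records):
        print(f"{host}: {seen - prev - 1} message(s) missing between {prev} and {seen}")
```

The relay header is optional so the same parser works on the stored lines from the question and on the raw body that a no-parse source hands over; `program` is the key to group or match on instead of the ever-changing number, and the Cisco severity digit uses the same 0-7 scale as syslog, so it can be compared directly with the relay's own severity.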
 
 
 
 


