[syslog-ng] patterndb and syslog from cisco

Yann I. yann.frm at gmail.com
Mon Nov 8 18:16:23 CET 2010


Hello,

Thanks for the answers. Currently, I'm using syslog-ng OSE 3.1.2.

For that "problem", I created the following configuration:

Configuration:
source s_r_udp_cisco {
    udp ( ip(0.0.0.0)
    port(514)
    flags(no-parse)
    program_override("cisco_routeur")
   );
};

log {
    source (s_r_udp_cisco);
    parser (pattern_db_cisco);

    filter (...);   # filter only on ".cisco.facility", for example
    # etc.
};

With the following "pattern_db_cisco":
<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='3' pub_date='2010-11-04'>
  <ruleset name='cisco_routeur' id='1:2:3:4'>
    <pattern>cisco_routeur</pattern>
    <rules>
      <rule provider='cisco' id='1:2:3:4:id001' class='system'>
      <patterns>
         <pattern>@QSTRING:.cisco.prio:&lt;&gt;@@ESTRING:.cisco.id::@@ESTRING:.cisco.date:%@@ESTRING:.cisco.facility:-@@ESTRING:.cisco.severity:-@@ESTRING:.cisco.mnemonic::@@ANYSTRING:.cisco.message-text:@</pattern>
      </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>

and... it's working!
But now, I should use another UDP port (a value other than 514) because of
the option "flags(no-parse)". Indeed, I have some issues when other devices
send logs to the syslog-ng server.

Thank you :-)

Regards,

Yann I.
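
As an added illustration (not code from this thread or from syslog-ng), a small Python model of how patterndb applies Yann's pattern to the raw no-parse payload. The payloads are constructed on the assumption that the router sends only the PRI plus the message text, and that the timestamp and hostname seen in the file lines were added by syslog-ng on receipt.

```python
# Yann's pattern from the post, joined onto one line and XML-unescaped (&lt;&gt; -> <>).
CISCO_PATTERN = ("@QSTRING:.cisco.prio:<>@@ESTRING:.cisco.id::@@ESTRING:.cisco.date:%@"
                 "@ESTRING:.cisco.facility:-@@ESTRING:.cisco.severity:-@"
                 "@ESTRING:.cisco.mnemonic::@@ANYSTRING:.cisco.message-text:@")

# Constructed raw UDP payloads, assuming the router sends only <PRI> plus the text
# (the timestamp and hostname seen in the file are added by syslog-ng on receipt).
RAW_MESSAGES = [
    "<189>36779: .Nov  3 14:50:30.403: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: user01] [Source: 10.0.0.1] [localport: 22] at 15:50:30 CET Wed Nov 3 2010",
    "<189>36780: .Nov  3 14:53:30.255: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: user01] [Source: 10.0.0.1] [localport: 22] at 15:53:30 CET Wed Nov 3 2010",
    "<187>36781: .Nov  3 14:56:30.378: %LINK-3-UPDOWN: Interface Fa0/1, changed state to down",
]

def compile_pattern(pattern):
    # Tokenize into (type, name, param); '@@' is read as parser-close then parser-open,
    # which holds here because the pattern contains no literal '@'.
    tokens = []
    for i, part in enumerate(pattern.split("@")):
        if i % 2:                           # @TYPE:name:param@
            tokens.append(tuple(part.split(":", 2)))
        elif part:                          # text between parsers must match literally
            tokens.append(("LITERAL", None, part))
    return tokens

def match_pattern(tokens, msg):
    values, pos = {}, 0
    for ptype, name, param in tokens:
        rest = msg[pos:]
        if ptype == "LITERAL":
            if not rest.startswith(param):
                return None
            pos += len(param)
        elif ptype == "QSTRING":            # text between the quote chars, quotes dropped
            end = rest.find(param[1], 1)
            if not rest.startswith(param[0]) or end < 0:
                return None
            values[name], pos = rest[1:end], pos + end + 1
        elif ptype == "ESTRING":            # up to the delimiter, delimiter consumed
            end = rest.find(param)
            if end < 0:
                return None
            values[name], pos = rest[:end], pos + end + len(param)
        elif ptype == "ANYSTRING":          # whatever is left
            values[name], pos = rest, len(msg)
    return values

CISCO_TOKENS = compile_pattern(CISCO_PATTERN)
def ids_for_facility(msgs, facility):
    # The "filter only on .cisco.facility" step: sequence ids of the matching messages.
    parsed = [match_pattern(CISCO_TOKENS, m) for m in msgs]
    return [v[".cisco.id"] for v in parsed if v and v[".cisco.facility"] == facility]
```

The changing counter (36779, 36780, ...) lands in .cisco.id while .cisco.facility stays stable, so filtering on the facility works. A message that has already been parsed by syslog-ng (PRI stripped, timestamp and hostname prepended) no longer starts with "<", so the pattern fails on it, which is why the source needs flags(no-parse).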



2010/11/3 Fekete Róbert <frobert at balabit.hu>

>  Hi,
>
> AFAIK, syslog-ng Premium Edition 3.2 can recognize and properly handle this
> message format. I am not sure if this was already ported to OSE 3.2, I'll
> try to get some info on it if Bazsi does not reply sooner.
>
> Regards,
> Robert
>
> On Wednesday, November 03, 2010 17:40 CET, Matthew Hall <
> mhall at mhcomputing.net> wrote:
>
> > There are ways to enable and disable the message sequence numbering
> > and other special components of the messages on the Cisco devices
> > themselves. The numbers can be useful for finding out if your devices are
> > dropping messages somewhere.
> >
> > But the more general solution is to send these to a source which has the
> > flags(no-parse) set. Then you can parse out the interesting stuff using
> > patterndb. Maybe Peter Czanik from Balabit can suggest where to find the
> > latest patterns for Cisco devices.
> >
> > See this for details:
> >
> > http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/index.html-single.html#reference_source_tcpudp
> >
> > Good Luck,
> > Matthew.
> >
> > On Wednesday, November 03, 2010 08:50:59 Yann Forum wrote:
> > > Hello,
> > >
> > >
> > >
> > > I'm writing patterndb.xml files to filter syslog messages from servers
> > > and CISCO routers. Currently, CISCO sends syslog with that format:
> > >
> > >
> > >
> > > Nov  3 15:36:02 srv01.dom.test 36779: .Nov  3 14:50:30.403:
> > > %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source:
> > > 10.0.0.1] [localport: 22] at 15:50:30 CET Wed Nov 3 2010
> > >
> > > Nov  3 15:39:02 srv01.dom.test 36780: .Nov  3 14:53:30.255:
> > > %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source:
> > > 10.0.0.1] [localport: 22] at 15:53:30 CET Wed Nov 3 2010
> > >
> > > Nov  3 15:42:01 srv01.dom.test 36781: .Nov  3 14:56:30.378:
> > > %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source:
> > > 10.0.0.1] [localport: 22] at 15:56:30 CET Wed Nov 3 2010
> > >
> > >
> > >
> > > The problem comes from the program name which changes for each
> > > message: 36779, 36780, 36781, etc. For this reason, I can't use patterndb
> > > mechanism.
> > >
> > > How may I solve my problem? I think it's not allowed to change the
> > > program name with the "rewrite" rule.
> > >
> > > I have the same problem with switches from Alcatel...
> > >
> > >
> > >
> > > Regards,
> > >
> > >
> > >
> > > Yann I.
> >
> > --
> > Matthew Hall
> >
> > ______________________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.campin.net/syslog-ng/faq.html
> >
> >