[syslog-ng] Cisco IOS message format

Wells, James James.Wells at rbccm.com
Tue Nov 22 12:03:40 CET 2011


Hi All,

Can anyone assist with the issue below?

Thanks
James


> _____________________________________________ 
> From: 	Wells, James  
> Sent:	10 November 2011 11:25
> To:	'syslog-ng at lists.balabit.hu.'
> Subject:	Cisco IOS message format
> 
> Hi All,
> 
> I am struggling to get syslog-ng to output the correct format for
> Cisco IOS devices. I am using syslog-ng to forward messages to an NMS
> system. The issue I see is that syslog-ng, upon forwarding, adds more
> data to the message, as I am assuming it does not understand the Cisco
> IOS syslog format.
> 
> Version of syslog-ng:
> 
> Name        : syslog-ng                    Relocations: (not relocatable)
> Version     : 2.1.4                             Vendor: Fedora Project
> Release     : 9.el5                         Build Date: Mon 16 May 2011 15:09:47 BST
> Install Date: Fri 21 Oct 2011 12:26:04 BST      Build Host: x86-01.phx2.fedoraproject.org
> Group       : System Environment/Daemons    Source RPM: syslog-ng-2.1.4-9.el5.src.rpm
> 
> Cisco IOS statements:
> 
> service timestamps log datetime msec localtime show-timezone
> logging trap notifications
> logging facility local6
> 
> Syslog format in the local file:
> 
> Nov 10 10:18:44.102 UTC: %SYS-5-CONFIG_I: Configured from console by testuser on vty0 (1.2.3.4)
> 
> Syslog-ng conf file:
> 
> options {
> 
>         sync(0);
>         time_reopen(10);
>         log_fifo_size(1000);
>         long_hostnames(off);
>         check_hostname(yes);
>         keep_hostname(yes);
>         chain_hostnames(no);
>         use_time_recvd(yes);
> 
> };
> 
> template("$MSGONLY\n")
> 
> 
> 
> When I perform a TCPDUMP and view the incoming message and then the
> forwarded message I can see that syslog-ng adds more data to the
> MESSAGE aspect of the syslog.
> 
> Has anyone been able to create a filter or template that manages this
> format, so that the forwarding of the syslog onto another receiver is
> not changed, as syslog-ng is adding the $DATE and $HOST to the message?
> 
> Thanks in advance
> James
> 
> 
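Added example (not part of the original post and not syslog-ng code): a Python check for the capture comparison described in the message. It parses the Cisco IOS body shown in the post, derives the PRI implied by "logging facility local6" and the %SYS-5 severity, and reports what a relay inserted in front of the original body. The forwarded frame, the host name router1 and the optional message counter in the pattern are constructed assumptions.

```python
import re

LOCAL6 = 22  # syslog facility code selected by "logging facility local6"

# Body written with "service timestamps log datetime msec localtime show-timezone":
#   [counter: ][*|.]Mon DD HH:MM:SS.mmm TZ: %FACILITY-SEVERITY-MNEMONIC: text
CISCO_RE = re.compile(
    r"^(?:\d+: )?"                      # optional message counter (assumption)
    r"(?P<clock>[*.])?"                 # IOS marker for an unset/unsynced clock
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?)"
    r"(?: (?P<tz>[A-Za-z]{2,7}))?: "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$", re.S)
PRI_RE = re.compile(r"^<(\d{1,3})>")

def split_pri(frame):
    """Split '<PRI>body' into (pri, body); pri is None when absent."""
    m = PRI_RE.match(frame)
    return (int(m.group(1)), frame[m.end():]) if m else (None, frame)

def parse_cisco(body):
    """Return the Cisco fields as a dict, or None for a non-Cisco body."""
    m = CISCO_RE.match(body)
    return m.groupdict() if m else None

def expected_pri(body, facility=LOCAL6):
    """PRI the relay must keep: facility * 8 + severity from %FAC-SEV-MNEMONIC."""
    fields = parse_cisco(body)
    if fields is None:
        raise ValueError("not a Cisco IOS formatted message")
    return facility * 8 + int(fields["severity"])

def inserted_prefix(incoming, forwarded):
    """Text placed before the original body: '' if untouched, None if body lost."""
    _, body_in = split_pri(incoming)
    _, body_out = split_pri(forwarded)
    pos = body_out.find(body_in)
    return None if pos < 0 else body_out[:pos]

# Constructed samples: BODY is the line from the post, FORWARDED is hypothetical.
BODY = ("Nov 10 10:18:44.102 UTC: %SYS-5-CONFIG_I: Configured from console "
        "by testuser on vty0 (1.2.3.4)")
INCOMING = "<181>" + BODY
FORWARDED = "<181>Nov 10 10:18:45 router1 " + BODY

if __name__ == "__main__":
    print(parse_cisco(BODY))
    print("expected PRI:", expected_pri(BODY))
    print("relay inserted:", repr(inserted_prefix(INCOMING, FORWARDED)))
```

Feed it the payloads copied from the two captures; an empty string from inserted_prefix means the relay passed the Cisco body through unchanged.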