[syslog-ng] Cisco IOS message format

Martin Holste mcholste at gmail.com
Tue Nov 22 17:59:18 CET 2011


Your problem is the non-standard (sort of) configuration of:
service timestamps log datetime msec localtime show-timezone
Cisco is adding the colon at the end of the date "Nov 10 10:18:44.102 UTC:"
which is causing syslog-ng to misparse it.

One easy workaround that will make your life easier (but might not be
possible for other reasons) would be to turn off timestamps and use
the $R_TIMESTAMP macro (double-check that name, I use $R_UNIXTIME) in
syslog-ng to record the actual time of receipt.

Another possibility is adding the no-parse flag to the source so that
at least the message will be passed along verbatim.

Lastly, you could write a regular expression to parse out the right
information.  Here's one that will probably work:

filter f_rewrite_cisco_program {
        # Match against the MESSAGE part only. store-matches makes the
        # groups available as $1 (FACILITY-SEVERITY-MNEMONIC, without the
        # leading %) and $2 (the free text after the tag).
        match('%([^:]+): ([^\n]+)' value("MESSAGE") type("pcre") flags("store-matches"));
};
rewrite r_cisco_program {
        # condition() runs the filter first, so $1/$2 are populated when set() expands them
        set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program)));
        set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program)));
};

which should pull out the program (between % and :) and the message.


On Tue, Nov 22, 2011 at 5:03 AM, Wells, James <James.Wells at rbccm.com> wrote:
>
> Hi All,
>
> Can anyone assist with the issue below
>
> Thanks
> James
>
> _____________________________________________
> From:   Wells, James
> Sent:   10 November 2011 11:25
> To:     'syslog-ng at lists.balabit.hu.'
> Subject:        Cisco IOS message format
>
> Hi All,
>
> I am struggling to get syslog-ng to output the correct format for Cisco IOS
> devices. I am using syslog-ng to forward message to a NMS system. The issue
> I see is syslog-ng upon forwarding adds more data to the message as I am
> assuming it does not understand the Cisco IOS syslog format.
>
> Version of syslog-ng:
>
> Name        : syslog-ng                    Relocations: (not relocatable)
> Version     : 2.1.4                             Vendor: Fedora Project
> Release     : 9.el5                         Build Date: Mon 16 May 2011 15:09:47 BST
> Install Date: Fri 21 Oct 2011 12:26:04 BST      Build Host: x86-01.phx2.fedoraproject.org
> Group       : System Environment/Daemons    Source RPM: syslog-ng-2.1.4-9.el5.src.rpm
>
> Cisco IOS statements:
>
> service timestamps log datetime msec localtime show-timezone
> logging trap notifications
> logging facility local6
>
> Syslog format in the local file:
>
> Nov 10 10:18:44.102 UTC: %SYS-5-CONFIG_I: Configured from console by testuser on vty0 (1.2.3.4)
>
> Syslog-ng conf file:
>
> options {
>
>         sync(0);
>         time_reopen(10);
>         log_fifo_size(1000);
>         long_hostnames(off);
>         check_hostname(yes);
>         keep_hostname(yes);
>         chain_hostnames(no);
>         use_time_recvd(yes);
>
> };
>
> template("$MSGONLY\n")
>
> When I perform a TCPDUMP and view the incoming message and then the
> forwarded message I can see that syslog-ng adds more data to the MESSAGE
> aspect of the syslog.
>
> Has anyone been able to create a filter or template that manages this
> format, so that the forwarding of the syslog onto another receiver is not
> changed as syslog-ng is adding the $DATE and $HOST to the message.
>
> Thanks in advance
> James
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
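The following is an added example, not code from the thread or from syslog-ng, written to make the failure mode above concrete. It models a plain RFC 3164 receiver (a simplified stand-in, not syslog-ng's real parser) next to a Cisco-aware split of the same line, and applies the regex from the reply to the MESSAGE part. The sample lines are constructed; the Cisco one mirrors the line quoted in the thread, with PRI <181> derived from `logging facility local6` (22) and severity notice (5). The optional leading sequence number and `*` / `.` clock markers that IOS can put in front of the timestamp are handled as an assumption about other IOS timestamp settings, not from the thread. One caveat for anyone copying the reply's syslog-ng snippet: `match()` with `value()`, `type()` and `flags()`, and `rewrite` blocks, are syslog-ng 3.x syntax; the original poster is on 2.1.4, where only the `no-parse` flag and template workarounds apply.

```python
"""Cisco IOS syslog line: RFC 3164 split vs. Cisco-aware split (added example)."""
import re

# Constructed samples. CISCO_LINE mirrors the line quoted in the thread.
CISCO_LINE = ("<181>Nov 10 10:18:44.102 UTC: %SYS-5-CONFIG_I: "
              "Configured from console by testuser on vty0 (1.2.3.4)")
BSD_LINE = "<38>Nov 10 10:18:44 host1 sshd[1234]: Accepted publickey for alice"

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 shape (tolerating msec): TIMESTAMP, then HOSTNAME, then the rest.
BSD_RE = re.compile(
    r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d(?:\.\d+)?) (\S+) (.*)$", re.S)
# BSD TAG: text before the first ':' or '[' of the message part.
BSD_TAG_RE = re.compile(r"^([^:\[\s]+)(?:\[\d+\])?: (.*)$", re.S)
# IOS shape: [seq: ][*|.]TIMESTAMP[.msec][ ZONE]: then %FAC-SEV-MNEMONIC: text.
# The sequence-number and clock-marker prefixes are assumed IOS options, not from the thread.
IOS_RE = re.compile(
    r"^(?:\d+: )?[*.]?([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d{1,3})?)"
    r"(?: ([A-Za-z]{3,5}))?: (.*)$", re.S)
# The regex from the reply, with '%' outside the group so the program
# field does not carry it; applied to the MESSAGE part only.
IOS_MSG_RE = re.compile(r"%([^:]+): (.+)$", re.S)
MNEMONIC_RE = re.compile(r"^([A-Z0-9_]+)-(\d)-([A-Z0-9_]+)$")


def split_pri(line):
    """Return (facility, severity, rest); facility/severity are None without a PRI."""
    m = PRI_RE.match(line)
    if not m:
        return None, None, line
    pri = int(m.group(1))
    return pri // 8, pri % 8, line[m.end():]


def parse_bsd(line):
    """RFC 3164 view of a line. On an IOS line the trailing 'UTC:' token is
    swallowed as HOSTNAME, which is the misparse described in the thread."""
    facility, severity, rest = split_pri(line)
    out = {"facility": facility, "severity": severity,
           "timestamp": None, "host": None, "program": None, "msg": rest}
    m = BSD_RE.match(rest)
    if not m:
        return out  # no BSD header at all: the whole line becomes the message
    out["timestamp"], out["host"], body = m.groups()
    t = BSD_TAG_RE.match(body)
    if t:
        out["program"], out["msg"] = t.groups()
    else:
        out["msg"] = body
    return out


def parse_ios(line):
    """Cisco-aware split: timestamp with msec and zone, then the
    %FACILITY-SEVERITY-MNEMONIC tag, then the free text. None if not IOS-shaped."""
    facility, severity, rest = split_pri(line)
    m = IOS_RE.match(rest)
    if not m:
        return None
    ts, zone, body = m.groups()
    p = IOS_MSG_RE.match(body)
    if not p:
        return None
    tag, msg = p.groups()
    out = {"facility": facility, "severity": severity, "timestamp": ts,
           "zone": zone, "program": tag, "msg": msg}
    k = MNEMONIC_RE.match(tag)
    if k:
        out["ios_facility"] = k.group(1)
        out["ios_severity"] = int(k.group(2))
        out["mnemonic"] = k.group(3)
    return out


def severity_mismatch(parsed):
    """True if the PRI severity disagrees with the severity embedded in the
    IOS tag. IOS sets both from the same value, so a mismatch means the line
    was rewritten in transit or was not produced by IOS."""
    return (parsed is not None
            and parsed.get("ios_severity") is not None
            and parsed["severity"] is not None
            and parsed["ios_severity"] != parsed["severity"])


if __name__ == "__main__":
    for name, line in (("bsd", BSD_LINE), ("cisco", CISCO_LINE)):
        print(name, "as RFC 3164:", parse_bsd(line))
    print("cisco as IOS:", parse_ios(CISCO_LINE))
```

Running it shows the problem in one line of output: the RFC 3164 split reports `host='UTC:'` for the Cisco line, while the IOS split gives a timestamp of `Nov 10 10:18:44.102`, zone `UTC`, program `SYS-5-CONFIG_I` and the clean message text. The severity cross-check is a cheap sanity test worth keeping when IOS logs are relayed through several hops.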
