[syslog-ng] syslog-ng 3.3.3 rewrite question regarding cisco IOS Messages

Martin Holste mcholste at gmail.com
Wed Nov 30 20:54:50 CET 2011


Yeah, that's a good call.  My original, more specific filter was this:

filter f_rewrite_cisco_program {
match('^(%(?:ASA|PIX|FWSM)\-\d\-\d{6}): ([^\n]+)' value("MESSAGE")
type("pcre") flags("store-matches" "nobackref")); };

You're probably best off filtering by host IP, because adding in more
to the regex to make it more specific could mean missing Cisco
messages with non-standard timestamps, etc.

On Wed, Nov 30, 2011 at 1:23 PM, Patrick H. <syslogng at feystorm.net> wrote:
> Should probably throw something in there to make that match a little less
> ambiguous (so it doesn't match just anything with a % and : in it).
>
> Sent: Wed Nov 30 2011 12:20:03 GMT-0700 (MST)
> From: Martin Holste <mcholste at gmail.com>
> To: Syslog-ng users' and developers' mailing list
> <syslog-ng at lists.balabit.hu>
> Subject: Re: [syslog-ng] syslog-ng 3.3.3 rewrite question regarding cisco
> IOS Messages
>
> That was mine, and I think there are a couple of mistakes in it because
> there appears to be a missing parenthesis and a plus sign.  Try
> this:
>
> match('%([^:]+):\s+([^\n]+)' value("MESSAGE") type("pcre")
>
> On Wed, Nov 30, 2011 at 11:26 AM, Thomas Wollner <tw at wollner-net.de> wrote:
>
> Hello List,
>
> I try to rewrite cisco IOS syslog messages with timestamps in the
> MESSAGE field. I want to remove the timestamp from the message and set
> the program to the so-called mnemonic of the message.
>
> I found the following example on the list:
>
> ...
> filter f_rewrite_cisco_program {
>  match('%([^:]: ([^\n]+)' value("MESSAGE") type("pcre")
> flags("store-matches" "nobackref"));
> };
>
> rewrite r_cisco_program {
>  set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program)));
>  set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program)));
> };
>
> log {
>  source(s_all);
>  rewrite(r_cisco_program);
>  destination(d_mydestination);
> };
>
> But that does not work. I tried a lot of different rewrite syntaxes;
> none of them work for me.
> If I just employ the filter f_rewrite_cisco_program I'm able to
> filter out the cisco messages.
>
> Sample log line (written with template $R_ISODATE $HOST $MSG):
>
> 2011-11-30T18:23:50+01:00 192.168.1.1 217122: Nov 30 17:23:49:
> %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
> changed state to down
>
> I'm using the syslog-ng 3.3.3 debian package from madhouse.
>
> How can I rewrite my messages to filter the timestamp in the message field?
> Any ideas?
>
> Any help is highly welcome,
> thanks in advance,
>
> Tom
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq


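To make the over- and under-matching discussed in the thread concrete, here is an added Python emulation (not part of the thread and not syslog-ng code) of the r_cisco_program rewrite run over Martin's loose and strict filters plus an assumed middle-ground pattern keyed on Cisco's %FACILITY-SEVERITY-MNEMONIC syntax, with a host allowlist standing in for the filter-by-source-IP advice. The "ios" sample is Thomas's log line with the template prefix stripped; the other two messages are constructed.

```python
import re

# Patterns from the thread (Martin Holste's two filters) plus one assumed
# middle ground that keys on Cisco's %FACILITY-SEVERITY-MNEMONIC syntax.
# Note the loose pattern leaves the '%' outside its capture group.
LOOSE = re.compile(r'%([^:]+):\s+([^\n]+)')                        # any "%...: "
STRICT = re.compile(r'^(%(?:ASA|PIX|FWSM)\-\d\-\d{6}): ([^\n]+)')  # ASA/PIX/FWSM, anchored
MNEMONIC = re.compile(r'(%[A-Z][A-Z0-9_]*-\d-[A-Z0-9_]+):\s+([^\n]+)')  # assumed

# Constructed MESSAGE fields. "ios" is Thomas's sample with the
# "$R_ISODATE $HOST" template prefix removed; the other two are made up.
SAMPLES = {
    "ios": "217122: Nov 30 17:23:49: %LINEPROTO-5-UPDOWN: Line protocol on "
           "Interface FastEthernet0/1, changed state to down",
    "asa": "%ASA-6-302013: Built outbound TCP connection 4711 for "
           "outside:203.0.113.10/443 to inside:10.0.0.5/51234",
    "other": "CPU at 90% of threshold: throttling batch jobs",
}


def rewrite(message, pattern, host=None, cisco_hosts=None):
    """Emulate the r_cisco_program rewrite: return {"PROGRAM", "MESSAGE"}
    when the filter matches, else None. syslog-ng's match() is an unanchored
    search, so re.search() is used; STRICT anchors itself with '^'. When
    cisco_hosts is given, the host check stands in for filtering by source IP
    (assumed here as a plain allowlist of $HOST values)."""
    if cisco_hosts is not None and host not in cisco_hosts:
        return None
    m = pattern.search(message)
    if m is None:
        return None
    return {"PROGRAM": m.group(1), "MESSAGE": m.group(2)}


def compare(message, host=None, cisco_hosts=None):
    """Run all three filters over one message to show which over- or under-match."""
    return {name: rewrite(message, pat, host, cisco_hosts)
            for name, pat in (("loose", LOOSE), ("strict", STRICT),
                              ("mnemonic", MNEMONIC))}


if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, compare(msg))
```

The loose filter turns the non-Cisco line into PROGRAM=" of threshold", while the strict one misses the IOS line entirely because of its sequence-number and timestamp prefix.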