[syslog-ng] syslog-ng 3.3.3 rewrite question regarding cisco IOS Messages

Thomas Wollner tw at wollner-net.de
Wed Nov 30 21:07:12 CET 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin,

thanks for your suggestions. I just checked the new pattern, but the
rewrite still does not happen. I don't think that the pattern is the
cause of the problem, because if I use the filter on its own inside a
log statement, I receive only Cisco messages in that destination. So
the pattern matches. But no rewrite happens so far.

My config is:

destination d_mydestination_rewritten {
        file("/var/log/mylog-rewritten.log");
};

destination d_mydestination_raw {
        file("/var/log/mylog-raw.log");
};

destination d_mydestination_justcisco {
        file("/var/log/mylog-justcisco.log");
};

filter f_rewrite_cisco_program {
        match('%([^:]+):\s+([^\n]+)' value("MESSAGE") type("pcre")
              flags("store-matches" "nobackref"));
};

rewrite r_cisco_program {
        set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program)));
        set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program)));
};

log {
        source(s_src);
        rewrite(r_cisco_program);
        destination(d_mydestination_rewritten);
};

log {
        source(s_src);
        filter(f_rewrite_cisco_program);
        destination(d_mydestination_justcisco);
};

log {
        source(s_src);
        destination(d_mydestination_raw);
};


The resulting log files:

grep SYS-5-CONFIG /var/log/mylog-*
/var/log/mylog-justcisco.log:Nov 30 19:59:10 192.168.111.10 2333: Nov 30 19:59:09.609: %SYS-5-CONFIG_I: Configured from console by tom on vty0 (192.168.1.2)
/var/log/mylog-raw.log:Nov 30 19:59:10 192.168.111.10 2333: Nov 30 19:59:09.609: %SYS-5-CONFIG_I: Configured from console by tom on vty0 (192.168.1.2)
/var/log/mylog-rewritten.log:Nov 30 19:59:10 192.168.111.10 2333: Nov 30 19:59:09.609: %SYS-5-CONFIG_I: Configured from console by tom on vty0 (192.168.1.2)



So something must be wrong with the way I use the rewrite, or with the
rewrite rule itself...

Any ideas, further suggestions?

Thanks in advance,

Tom
On 30.11.2011 20:20, Martin Holste wrote:
> That was mine, and I think there are a couple of mistakes in it because
> there appears to be a missing parenthesis and a plus sign.  Try
> this:
> 
> match('%([^:]+):\s+([^\n]+)' value("MESSAGE") type("pcre")
> 
> On Wed, Nov 30, 2011 at 11:26 AM, Thomas Wollner
> <tw at wollner-net.de> wrote:
>> Hello List,
>> 
>> I am trying to rewrite Cisco IOS syslog messages with timestamps in
>> the MESSAGE field. I want to remove the timestamp from the
>> message and set the program to the so-called mnemonic of the
>> message.
>> 
>> I found the following example on the list:
>> 
>> ... filter f_rewrite_cisco_program { match('%([^:]: ([^\n]+)'
>> value("MESSAGE") type("pcre") flags("store-matches"
>> "nobackref")); };
>> 
>> rewrite r_cisco_program { set("$1", value("PROGRAM")
>> condition(filter(f_rewrite_cisco_program))); set("$2",
>> value("MESSAGE") condition(filter(f_rewrite_cisco_program))); };
>> 
>> log { source(s_all); rewrite(r_cisco_program); 
>> destination(d_mydestination); };
>> 
>> But that does not work. I tried a lot of different rewrite
>> syntaxes; none of them work for me. If I just use the filter
>> f_rewrite_cisco_program, I am able to filter out the Cisco
>> messages.
>> 
>> Sample log line (written with template $R_ISODATE $HOST $MSG):
>> 
>> 2011-11-30T18:23:50+01:00 192.168.1.1 217122: Nov 30 17:23:49: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
>> 
>> I'm using the syslog-ng 3.3.3 Debian package from madhouse.
>> 
>> How can I rewrite my messages to filter out the timestamp in the
>> message field? Any ideas?
>> 
>> Any help is highly welcome, thanks in advance,
>> 
>> Tom
>> 
>> 
>> 
>> 
>> 
>> ----------------------------------------------------------------
>> This message was sent using IMP, the Internet Messaging Program.
>> 
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iD8DBQFO1ozwTCCRT+dccOYRAhZgAKCfeYWPN0UFGrk+wQs9iR4AYV5MeACgxhRo
ugsR6kHA/TbnemGBNEwxG70=
=ZGi3
-----END PGP SIGNATURE-----
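Added example, not part of the thread and not syslog-ng code: a Python script that applies the PCRE pattern discussed above to the MESSAGE values of the sample lines quoted in the thread, so the captures that would end up in $1 and $2 can be checked independently of syslog-ng. It also simulates the two set() rules of r_cisco_program: each set() carries its own condition(filter(...)), and syslog-ng evaluates that filter against the message as it is when that set() runs, so the order of the two rules matters (the thread's order, PROGRAM first, is the right one). The two thread samples are the real ones; the other sample messages, the pre-rewrite PROGRAM value and the helper names are constructed for illustration.

```python
import re

# The PCRE pattern from the thread, applied to the MESSAGE part of a Cisco IOS
# line. Python's re accepts the same syntax for this pattern.
# Group 1 becomes PROGRAM (the mnemonic), group 2 becomes the new MESSAGE.
CISCO_RE = re.compile(r'%([^:]+):\s+([^\n]+)')

# Cisco mnemonics have the form FACILITY-SEVERITY-MNEMONIC; severity is 0-7.
MNEMONIC_RE = re.compile(r'^([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+)$')

# Constructed sample MESSAGE values. The first two come from the lines quoted
# in the thread; the next two are variants IOS emits (no sequence number, and
# the '*' / '.' markers IOS puts before a timestamp whose clock is not
# authoritative); the last one is a non-Cisco message that must not match.
SAMPLES = [
    "2333: Nov 30 19:59:09.609: %SYS-5-CONFIG_I: Configured from console by tom on vty0 (192.168.1.2)",
    "217122: Nov 30 17:23:49: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down",
    "*Mar  1 00:00:12.345: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up",
    ".Nov 30 20:00:00: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: tom] [Source: 192.168.1.2]",
    "some non-cisco message without a mnemonic",
]


def split_cisco(message):
    """Return (program, text) as the thread's two set() rules intend, or None
    when the pattern does not match (syslog-ng would then skip the rewrite)."""
    m = CISCO_RE.search(message)
    if m is None:
        return None
    return m.group(1), m.group(2)


def mnemonic_parts(program):
    """'SYS-5-CONFIG_I' -> ('SYS', 5, 'CONFIG_I'); None if not a mnemonic."""
    m = MNEMONIC_RE.match(program)
    if m is None:
        return None
    return m.group(1), int(m.group(2)), m.group(3)


def apply_rewrite(msg, rules):
    """Simulate a rewrite block whose set() rules all carry the same
    condition(filter(f_rewrite_cisco_program)).

    msg is a dict with 'PROGRAM' and 'MESSAGE'. rules is a list of
    (target_field, capture_group) pairs, mirroring set("$N", value(FIELD)).
    The filter is re-run for every rule against the message as it is at that
    point, which is why the order of the rules matters.
    """
    msg = dict(msg)
    for field, group in rules:
        m = CISCO_RE.search(msg["MESSAGE"])  # condition(filter(...)), store-matches
        if m is None:
            continue                          # condition false: this set() is skipped
        msg[field] = m.group(group)
    return msg


# The order used in the thread: set PROGRAM from $1, then MESSAGE from $2.
THREAD_ORDER = [("PROGRAM", 1), ("MESSAGE", 2)]
# The same rules reversed: the first set() strips the '%MNEMONIC:' prefix, so
# the second set()'s condition no longer matches and PROGRAM is never set.
REVERSED_ORDER = [("MESSAGE", 2), ("PROGRAM", 1)]


def demo():
    """Run both orders over every sample; returns {sample: (thread, reversed)}."""
    results = {}
    for sample in SAMPLES:
        # PROGRAM as parsed before the rewrite; its value is a placeholder here.
        before = {"PROGRAM": "", "MESSAGE": sample}
        results[sample] = (apply_rewrite(before, THREAD_ORDER),
                           apply_rewrite(before, REVERSED_ORDER))
    return results


if __name__ == "__main__":
    for sample, (good, bad) in demo().items():
        print("input         :", sample)
        print("thread order  :", good)
        print("reversed order:", bad)
        print()
```

If the captures printed here are correct but the rewritten file still shows the untouched line, the pattern can be ruled out and the remaining suspects are the rewrite rule and the flags passed to match(), which is exactly where the thread's debugging is heading.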