[syslog-ng] syslog-ng 3.3.3 rewrite question regarding cisco IOS Messages

Martin Holste mcholste at gmail.com
Wed Nov 30 21:31:05 CET 2011


There was a bugfix recently to address conditional rewrite problems in
the 3.3 branch. What revision are you on?

On Wed, Nov 30, 2011 at 2:07 PM, Thomas Wollner <tw at wollner-net.de> wrote:
> Martin,
>
> thanks for your suggestions. I just checked the new pattern, but the
> rewrite did not happen with it either. I don't think that the pattern is
> the cause of the problem, because if I employ just the filter as a filter
> inside a log statement, I receive only Cisco messages in the
> destination. So the pattern matches. But no rewrite happens so far.
>
> My config is:
>
> destination d_mydestination_rewritten {
>        file("/var/log/mylog-rewritten.log");
> };
>
> destination d_mydestination_raw {
>        file("/var/log/mylog-raw.log");
> };
>
> destination d_mydestination_justcisco {
>        file("/var/log/mylog-justcisco.log");
> };
>
> filter f_rewrite_cisco_program {
>  match('%([^:]+):\s+([^\n]+)' value("MESSAGE") type("pcre")
>        flags("store-matches" "nobackref"));
> };
>
> rewrite r_cisco_program {
>  set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program)));
>  set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program)));
> };
>
> log {
>  source(s_src);
>  rewrite(r_cisco_program);
>  destination(d_mydestination_rewritten);
> };
>
> log {
>  source(s_src);
>  filter(f_rewrite_cisco_program);
>  destination(d_mydestination_justcisco);
> };
>
> log {
>  source(s_src);
>  destination(d_mydestination_raw);
> };
>
>
> The resulting logfiles:
> grep SYS-5-CONFIG /var/log/mylog-*
> /var/log/mylog-justcisco.log:Nov 30 19:59:10 192.168.111.10 2333: Nov
> 30 19:59:09.609: %SYS-5-CONFIG_I: Configured from console by tom on
> vty0 (192.168.1.2)
> /var/log/mylog-raw.log:Nov 30 19:59:10 192.168.111.10 2333: Nov 30
> 19:59:09.609: %SYS-5-CONFIG_I: Configured from console by tom on vty0
> (192.168.1.2)
> /var/log/mylog-rewritten.log:Nov 30 19:59:10 192.168.111.10 2333: Nov
> 30 19:59:09.609: %SYS-5-CONFIG_I: Configured from console by tom on
> vty0 (192.168.1.2)
>
>
>
> So something must be wrong with using the rewrite or with the rewrite
> rule itself...
>
> Any ideas, further suggestions?
>
> Thanks in advance,
>
> Tom
>
>
> On 30.11.2011 20:20, Martin Holste wrote:
>> That was mine, and I think there are a couple of mistakes in it because
>> there appears to be a missing parenthesis and a plus sign.  Try
>> this:
>>
>> match('%([^:]+):\s+([^\n]+)' value("MESSAGE") type("pcre")
>>
>> On Wed, Nov 30, 2011 at 11:26 AM, Thomas Wollner
>> <tw at wollner-net.de> wrote:
>>> Hello List,
>>>
>>> I am trying to rewrite Cisco IOS syslog messages with timestamps in
>>> the MESSAGE field. I want to remove the timestamp from the
>>> message and set the program to the so-called mnemonic of the
>>> message.
>>>
>>> I found the following example on the list:
>>>
>>> ...
>>> filter f_rewrite_cisco_program {
>>>   match('%([^:]: ([^\n]+)' value("MESSAGE") type("pcre")
>>>         flags("store-matches" "nobackref"));
>>> };
>>>
>>> rewrite r_cisco_program {
>>>   set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program)));
>>>   set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program)));
>>> };
>>>
>>> log {
>>>   source(s_all);
>>>   rewrite(r_cisco_program);
>>>   destination(d_mydestination);
>>> };
>>>
>>> But that does not work. I tried a lot of different rewrite
>>> syntaxes; none of them work for me. If I just employ the filter
>>> f_rewrite_cisco_program, I am able to filter out the Cisco
>>> messages.
>>>
>>> Sample log line (written with template $R_ISODATE $HOST $MSG):
>>>
>>> 2011-11-30T18:23:50+01:00 192.168.1.1 217122: Nov 30 17:23:49:
>>> %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
>>> changed state to down
>>>
>>> I'm using the syslog-ng 3.3.3 Debian package from madhouse.
>>>
>>> How can I rewrite my messages to filter the timestamp in the
>>> message field? Any ideas?
>>>
>>> Any help is highly welcome, thanks in advance,
>>>
>>> Tom
>
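
Added example, not part of the original messages: an offline check of the patterns discussed in the thread, using Python's re module as a stand-in for syslog-ng's PCRE matcher. It shows that the first pattern does not compile, what the corrected pattern captures as $1 and $2, and how loosely it matches; the $MESSAGE strings are assumed from the quoted log lines, and STRICT, NOT_CISCO and the function names are hypothetical additions.

```python
import re

# Pattern from the first message of the thread (missing "+" and ")").
BROKEN = r'%([^:]: ([^\n]+)'
# Corrected pattern from the reply, used in f_rewrite_cisco_program.
FIXED = r'%([^:]+):\s+([^\n]+)'
# Stricter variant (an assumption added here, not from the thread): requires
# the Cisco %FACILITY-SEVERITY-MNEMONIC shape instead of any text after "%".
STRICT = r'%([A-Z0-9_]+(?:-[A-Z0-9_]+)*-[0-7]-[A-Z0-9_]+):\s+([^\n]+)'

# Assumed $MESSAGE values, built from the log lines quoted in the thread,
# plus one constructed non-Cisco line that happens to contain "%" and ":".
CONFIG_I = ("2333: Nov 30 19:59:09.609: %SYS-5-CONFIG_I: "
            "Configured from console by tom on vty0 (192.168.1.2)")
UPDOWN = ("217122: Nov 30 17:23:49: %LINEPROTO-5-UPDOWN: Line protocol "
          "on Interface FastEthernet0/1, changed state to down")
NOT_CISCO = "disk usage at 95% on /var: cleanup started"  # constructed


def compiles(pattern):
    """Return True if the pattern is a valid regular expression."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def preview_rewrite(message, pattern=FIXED):
    """Return the ($1, $2) captures that the set() rules would write to
    PROGRAM and MESSAGE, or None when the filter does not match."""
    m = re.search(pattern, message)  # unanchored search, like the filter
    if m is None:
        return None
    return m.group(1), m.group(2)


if __name__ == "__main__":
    print("broken pattern compiles:", compiles(BROKEN))
    for msg in (CONFIG_I, UPDOWN, NOT_CISCO):
        print(preview_rewrite(msg, FIXED), preview_rewrite(msg, STRICT))
```

The corrected pattern also fires on the constructed non-Cisco line, so with it as the condition such a line would have its PROGRAM overwritten; the stricter variant leaves that line alone.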

