[syslog-ng] syslog-ng 3.3.3 rewrite question regarding cisco IOS Messages

Thomas Wollner tw at wollner-net.de
Wed Nov 30 23:17:37 CET 2011 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

my version is from madhouse and installed via apt-get...

syslog-ng -V
syslog-ng 3.3.3
Installer-Version: 3.3.3
Revision: Debian/3.3.3.dfsg-1~mhp0~squeeze
Compile-Date: Nov 18 2011 15:37:57


thank you,

regards,

Tom



On 30.11.2011 21:31, Martin Holste wrote:
> There was a bugfix recently to address conditional rewrite problems
> in the 3.3 branch, what revision are you on?
> 
> On Wed, Nov 30, 2011 at 2:07 PM, Thomas Wollner <tw at wollner-net.de>
> wrote: Martin,
> 
> thanks for your suggestions. I just checked the new pattern, but
> the rewrite would not happen, too. I dont think that the pattern is
> the cause of the problem, because if I employ just the filter as an
> filter inside a logstatement, I receive cisco messages only in the 
> destination. So the pattern matches. But no rewrite happens so
> far.
> 
> My config is:
> 
> destination d_mydestination_rewritten { 
> file("/var/log/mylog-rewritten.log"); };
> 
> destination d_mydestination_raw { file("/var/log/mylog-raw.log"); 
> };
> 
> destination d_mydestination_justcisco { 
> file("/var/log/mylog-justcisco.log"); };
> 
> filter f_rewrite_cisco_program { match('%([^:]+):\s+([^\n]+)'
> value("MESSAGE") type("pcre") flags("store-matches" "nobackref")); 
> };
> 
> rewrite r_cisco_program { set("$1", value("PROGRAM")
> condition(filter(f_rewrite_cisco_program))); set("$2",
> value("MESSAGE") condition(filter(f_rewrite_cisco_program))); };
> 
> log { source(s_src); rewrite(r_cisco_program); 
> destination(d_mydestination_rewritten); };
> 
> log { source(s_src); filter(f_rewrite_cisco_program); 
> destination(d_mydestination_justcisco); };
> 
> log { source(s_src); destination(d_mydestination_raw); };
> 
> 
> The resulting logfiles: grep SYS-5-CONFIG /var/log/mylog-* 
> /var/log/mylog-justcisco.log:Nov 30 19:59:10 192.168.111.10 2333:
> Nov 30 19:59:09.609: %SYS-5-CONFIG_I: Configured from console by
> tom on vty0 (192.168.1.2) /var/log/mylog-raw.log:Nov 30 19:59:10
> 192.168.111.10 2333: Nov 30 19:59:09.609: %SYS-5-CONFIG_I:
> Configured from console by tom on vty0 (192.168.1.2) 
> /var/log/mylog-rewritten.log:Nov 30 19:59:10 192.168.111.10 2333:
> Nov 30 19:59:09.609: %SYS-5-CONFIG_I: Configured from console by
> tom on vty0 (192.168.1.2)
> 
> 
> 
> So something must be wrong using the rewrite or the rewrite rule 
> himself...
> 
> Any ideas, further suggestions?
> 
> Thanks in advance,
> 
> Tom
> 
> 
> 
> 
> 
> 
> On 30.11.2011 20:20, Martin Holste wrote:
>>>> That was mine, and I think there's a couple mistakes in it
>>>> because there appears to a be a missing parenthesis and a
>>>> plus sign.  Try this:
>>>> 
>>>> match('%([^:]+):\s+([^\n]+)' value("MESSAGE") type("pcre")
>>>> 
>>>> On Wed, Nov 30, 2011 at 11:26 AM, Thomas Wollner 
>>>> <tw at wollner-net.de> wrote:
>>>>> Hello List,
>>>>> 
>>>>> I try to rewrite cisco IOS syslog messages with timestamps
>>>>> in the MESSAGE field. I want to remove the timestamp from
>>>>> the message and set the program to the so called mnemonic
>>>>> of the message..
>>>>> 
>>>>> I found the following example on the list:
>>>>> 
>>>>> ... filter f_rewrite_cisco_program { match('%([^:]:
>>>>> ([^\n]+)' value("MESSAGE") type("pcre")
>>>>> flags("store-matches" "nobackref")); };
>>>>> 
>>>>> rewrite r_cisco_program { set("$1", value("PROGRAM") 
>>>>> condition(filter(f_rewrite_cisco_program))); set("$2", 
>>>>> value("MESSAGE")
>>>>> condition(filter(f_rewrite_cisco_program))); };
>>>>> 
>>>>> log { source(s_all); rewrite(r_cisco_program); 
>>>>> destination(d_mydestination); };
>>>>> 
>>>>> But that does not work. I tried a lot of different rewrite 
>>>>> syntaxes, none of them work for me. If I just employ the
>>>>> filter f_rewrite_cisco_program I` am able to filter out the
>>>>> cisco messages.
>>>>> 
>>>>> Sample log line (written with template $R_ISODATE $HOST
>>>>> $MSG):
>>>>> 
>>>>> 2011-11-30T18:23:50+01:00 192.168.1.1 217122: Nov 30
>>>>> 17:23:49: %LINEPROTO-5-UPDOWN: Line protocol on Interface
>>>>> FastEthernet0/1, changed state to down
>>>>> 
>>>>> I`m using syslog-ng 3.3.3 debian package from madhouse.
>>>>> 
>>>>> How I can rewrite my messages to filter the timestamp in
>>>>> the message field? any ideas?
>>>>> 
>>>>> Any help is higly welcome, thanks in advance,
>>>>> 
>>>>> Tom
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> ----------------------------------------------------------------
>>>>>
>>>>> 
This message was sent using IMP, the Internet Messaging Program.
>>>>> 
>>>>> 
>>>>> ______________________________________________________________________________
>>>>>
>>>>>
>
>>>>> 
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>>> Documentation: 
>>>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>>>>
>>>>> 
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>>> 
>>>>> 
>>>> ______________________________________________________________________________
>>>>
>>>>
>
>>>> 
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>> Documentation: 
>>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>>>
>>>> 
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>> 
>> 
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iD8DBQFO1quATCCRT+dccOYRAvC/AJ0V7sPbuv8bLlJB0QSXonssP9EevgCg4cXB
GXV4gVR2A2EqDMjdJRPh6pQ=
=8x3r
-----END PGP SIGNATURE-----

More information about the syslog-ng mailing list