[syslog-ng] Parsing Cisco FWSM with device-id

Martin Holste mcholste at gmail.com
Mon Oct 24 19:01:43 CEST 2011


Just a follow-up to anyone else who needs to cope with Cisco devices
being logged with an extra hostname given which shifts $HOST into
$PROGRAM, you can fix the program and message using this:

# Match a Cisco message ID at the start of $MESSAGE; $1 = the ID, $2 = the rest.
filter f_rewrite_cisco_program {
        match('^(%(?:ASA|PIX|FWSM)\-\d\-\d{6}): ([^\n]+)' value("MESSAGE")
              type("pcre") flags("store-matches" "nobackref"));
};
# Move the matched ID into $PROGRAM and the remainder into $MESSAGE.
rewrite r_cisco_program {
        set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program)));
        set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program)));
};

log { rewrite(r_cisco_program); <usual log statements> };

The anchor '^' at the beginning should make performance very good.

A bonus PCRE fact: [^\n]+ is much faster than .+ so I recommend using
it whenever you're matching any char.

Second bonus PCRE fact: PCRE 8.20RC3 compiled with sljit is 20-30%
faster than older PCREs. Note to Balabit: you guys should seriously
consider a configure script flag to compile with sljit and newer
PCREs.

On Wed, Oct 5, 2011 at 1:24 PM, Fekete Róbert <frobert at balabit.hu> wrote:
> I guess csv parser. If you are lucky, you can rewrite the PROGRAM and MSG fields from the csv parser (not sure if it actually works, but wouldn't be surprised if it did), like:
>
> csv_parser .... columns($PROGRAM,$MESSAGE)
>
> Robert
>
> On Wednesday, October 5, 2011 20:00 CEST, Martin Holste <mcholste at gmail.com> wrote:
>
>> So I have a customer who has enabled the device-id configuration
>> directive on his FWSM, and that means that instead of this from a
>> normal FWSM:
>> <174>%FWSM-6-302013: Built inbound TCP...
>> it sends this:
>> <174>FWSMHostName %FWSM-6-30203: Built inbound TCP...
>>
>> This means that the program name does not get properly parsed as
>> syslog-ng pushes it into the msg field.  If I can't convince the
>> customer to remove the device-id setting, what's the least
>> CPU-intensive way of coping with this so that program and msg are set
>> correctly?
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
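As an added illustration that is not part of the original thread, the same rewrite applied in Python: the regular expression is the one from the post, and the input records are constructed stand-ins for what syslog-ng hands to the rewrite block, with the device-id hostname sitting in $PROGRAM as the post describes. Note that the pattern requires exactly six digits in the message ID, so anything else passes through untouched.

```python
import re

# The PCRE expression from the post; Python's re accepts the same syntax here.
# Group 1 is the Cisco message ID (e.g. %FWSM-6-302013), group 2 the remainder.
CISCO_PROGRAM_RE = re.compile(r'^(%(?:ASA|PIX|FWSM)-\d-\d{6}): ([^\n]+)')


def rewrite_cisco_program(record):
    """Emulate rewrite r_cisco_program on one parsed record.

    `record` is a dict of syslog-ng macros (HOST, PROGRAM, MESSAGE) as they
    look after the built-in parser has run.  When the filter matches, $1
    becomes PROGRAM and $2 becomes MESSAGE; otherwise the record is returned
    unchanged, just as condition() leaves non-matching messages alone.
    """
    m = CISCO_PROGRAM_RE.match(record["MESSAGE"])
    if m is None:
        return dict(record)
    fixed = dict(record)
    fixed["PROGRAM"] = m.group(1)
    fixed["MESSAGE"] = m.group(2)
    return fixed


# Constructed sample records (assumed layout): with device-id enabled the
# hostname lands in PROGRAM and the %FWSM tag stays in MESSAGE; without
# device-id the tag is already PROGRAM; a non-Cisco record is unaffected.
SAMPLE_RECORDS = [
    {"HOST": "10.0.0.1", "PROGRAM": "FWSMHostName",
     "MESSAGE": "%FWSM-6-302013: Built inbound TCP connection 12345 "
                "for outside:192.0.2.10/443"},
    {"HOST": "10.0.0.1", "PROGRAM": "%FWSM-6-302013",
     "MESSAGE": "Built inbound TCP connection 12345 for outside:192.0.2.10/443"},
    {"HOST": "10.0.0.2", "PROGRAM": "sshd",
     "MESSAGE": "Accepted publickey for admin from 192.0.2.20 port 50000"},
]


def rewrite_all(records):
    """Apply the rewrite to every record, as the log path would."""
    return [rewrite_cisco_program(r) for r in records]


if __name__ == "__main__":
    for r in rewrite_all(SAMPLE_RECORDS):
        print(f'{r["HOST"]} program={r["PROGRAM"]!r} message={r["MESSAGE"]!r}')
```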
