[syslog-ng] Rewriting Cisco messages

Gergely Nagy algernon at balabit.hu
Tue Feb 7 16:56:10 CET 2012


Martin Holste <mcholste at gmail.com> writes:

> #4w4d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/15, changed state to down
> #1y46w: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with S-COR-02 GigabitEthernet2/15 (40).
[...]
> #Feb  6 16:43:32.219: %LINK-3-UPDOWN: Interface FastEthernet2/0/42, changed state to up
[...]
> # Others where MSGONLY starts with PROGRAM
[...]
> This works, but is there a better way?

I haven't reviewed the regexps yet, but looking at the
format... wouldn't it make more sense to implement a new, hand-coded
parser that can catch these?

So, we'd end up with something like:

source s_cisco { udp(... flags(no-parse)); };
parser p_cisco { cisco(); };
...
log { source(s_cisco); parser(p_cisco); destination(d_file); };

The parser would first check if the line starts with a number, and if it
does, it parses a relative date (or whatever those 4w4d things are),
followed by a program name (I assume), and a message.

If it doesn't start with a number, it would try to extract a date,
followed by a program and a message. If it fails, then it falls back to
$program: $message.

That should catch all of the above, and can be coded without regexps,
so its speed and CPU load would be much better. The downside is that
this way you can't mix cisco messages with others.

However, if you do need to mix, you could filter by source IP, which is
still faster than a regexp.

-- 
|8]
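Added example, not part of the mail above and not syslog-ng's own code (nor the cisco() parser it proposes; later syslog-ng releases ship a cisco-parser(), but this example does not depend on it). It implements the three-step strategy described in the reply as a regex-free Python parser and runs it over the message shapes quoted in the thread: digit-prefixed uptime ("4w4d", "1y46w"), absolute date ("Feb  6 16:43:32.219"), program-only lines, and the plain "$program: $message" fallback. The sample lines marked as constructed, the handling of a leading '*' or '.' (which IOS prepends when its clock is not NTP-synchronised), and stripping the '%' from the program name are my own choices, not something the thread specifies:

```python
"""Regex-free parser for the Cisco IOS message shapes quoted in the thread.

Strategy, as proposed in the mail:
  1. line starts with a digit  -> try an uptime prefix ("4w4d", "1y46w")
  2. otherwise                 -> try an absolute date ("Feb  6 16:43:32.219")
  3. then a %FACILITY-SEV-MNEMONIC program token, then the message
  4. anything else             -> plain "program: message" split
"""
from dataclasses import dataclass
from typing import List, Optional

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
UPTIME_UNITS = "ywdhms"          # years, weeks, days, hours, minutes, seconds


@dataclass
class CiscoMessage:
    timestamp: Optional[str]     # raw timestamp text, None if the line had none
    timestamp_kind: str          # "uptime", "absolute" or "none"
    unsynced_clock: bool         # IOS prefixes '*' or '.' when NTP is not synchronised (assumption: we just flag it)
    program: str                 # e.g. "LINEPROTO-5-UPDOWN" (leading '%' stripped, my choice)
    message: str


def _split_uptime(line: str):
    """Consume <digits><unit> pairs followed by ': '. Returns (uptime, rest) or None."""
    i, n = 0, len(line)
    while i < n:
        j = i
        while j < n and line[j].isdigit():
            j += 1
        if j == i or j >= n or line[j] not in UPTIME_UNITS:
            break
        i = j + 1
    if i == 0 or not line.startswith(": ", i):
        return None
    return line[:i], line[i + 2:]


def _split_absolute_date(line: str):
    """Consume 'Mon DD HH:MM:SS[.mmm][ TZ]: '. Returns (date, rest) or None."""
    if line[:3] not in MONTHS or not line.startswith(" ", 3):
        return None
    end = line.find(": ")            # "16:43:32.219" has no ': ' inside it, so this is the terminator
    if end < 0:
        return None
    fields = line[:end].split()
    if len(fields) < 3 or not fields[1].isdigit():
        return None
    hms = fields[2].split(".")[0].split(":")
    if len(hms) != 3 or not all(f.isdigit() and len(f) == 2 for f in hms):
        return None
    return line[:end], line[end + 2:]


def _split_program(rest: str):
    """Split '%FAC-SEV-MNEMONIC: text' or generic 'prog: text'. Returns (program, message)."""
    end = rest.find(": ")
    if end < 0:
        return "", rest              # no separator at all: whole line is the message
    program, message = rest[:end], rest[end + 2:]
    if program.startswith("%"):
        program = program[1:]
    return program, message


def parse_cisco_line(line: str) -> CiscoMessage:
    line = line.strip()
    unsynced = line.startswith(("*", "."))
    body = line[1:] if unsynced else line

    if body[:1].isdigit():                       # step 1: number first -> uptime
        hit = _split_uptime(body)
        if hit:
            program, message = _split_program(hit[1])
            return CiscoMessage(hit[0], "uptime", unsynced, program, message)

    hit = _split_absolute_date(body)             # step 2: absolute date
    if hit:
        program, message = _split_program(hit[1])
        return CiscoMessage(hit[0], "absolute", unsynced, program, message)

    program, message = _split_program(line)      # step 4: plain $program: $message fallback
    return CiscoMessage(None, "none", False, program, message)


# Constructed sample input: the first three lines are the shapes quoted in the thread,
# the rest are made up here to exercise the unsynced-clock marker and the fallback.
SAMPLE_LINES = [
    "4w4d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/15, changed state to down",
    "1y46w: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with S-COR-02 GigabitEthernet2/15 (40).",
    "Feb  6 16:43:32.219: %LINK-3-UPDOWN: Interface FastEthernet2/0/42, changed state to up",
    "%SYS-5-CONFIG_I: Configured from console by vty0",
    "*Mar  1 00:01:02.345: %SYS-5-RESTART: System restarted",
    "sshd[123]: Accepted publickey for admin",
]


def parse_all(lines: List[str]) -> List[CiscoMessage]:
    return [parse_cisco_line(l) for l in lines]


if __name__ == "__main__":
    for m in parse_all(SAMPLE_LINES):
        print(f"{m.timestamp_kind:8} {str(m.timestamp):22} {m.program:28} {m.message}")
```

Because each step only looks at a fixed prefix and gives up at the first character that does not fit, the cost per line is one pass over the timestamp and program tokens rather than a regex backtrack over the whole message. The caveat from the mail still applies: a line that is not Cisco-shaped silently lands in the fallback branch with whatever text precedes the first ": " as its program, so if non-Cisco sources share the same listener, filter on source address before handing lines to this parser.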