[syslog-ng] Rewriting Cisco messages

Martin Holste mcholste at gmail.com
Tue Feb 7 17:21:01 CET 2012


Well, you're certainly welcome to write a Cisco parser, but in my
situation, I can't filter by IP since I don't know what IPs will be
Cisco.

On Tue, Feb 7, 2012 at 9:56 AM, Gergely Nagy <algernon at balabit.hu> wrote:
> Martin Holste <mcholste at gmail.com> writes:
>
>> #4w4d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/15, changed state to down
>> #1y46w: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with S-COR-02 GigabitEthernet2/15 (40).
> [...]
>> #Feb  6 16:43:32.219: %LINK-3-UPDOWN: Interface FastEthernet2/0/42, changed state to up
> [...]
>> # Others where MSGONLY starts with PROGRAM
> [...]
>> This works, but is there a better way?
>
> I haven't reviewed the regexps yet, but looking at the
> format... wouldn't it make more sense to implement a new, hand-coded
> parser that can catch these?
>
> So, we'd end up with something like:
>
> source s_cisco { udp(... flags(no-parse)); };
> parser p_cisco { cisco(); };
> ...
> log { source(s_cisco); parser(p_cisco); destination(d_file); };
>
> The parser would first check if the line starts with a number, and if it
> does, it parses a relative date (or whatever those 4w4d things are),
> followed by a program name (I assume), and a message.
>
> If it doesn't start with a number, it would try to extract a date,
> followed by a program and a message. If it fails, then it falls back to
> $program: $message.
>
> That should catch all of the above, and can be coded without regexps,
> so its speed and CPU load would be much better. The downside is that
> this way you can't mix Cisco messages with others.
>
> However, if you do need to mix, you could filter by source IP, which is
> still faster than a regexp.
>
> --
> |8]
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
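Gergely's three-branch sketch, as an added Python example that is not part of the thread and not syslog-ng's own cisco() parser: a regexp-free parse of the message forms quoted in the mail (with the leading "# " comment marker dropped from the samples). The field names and the digit-plus-unit check for relative timestamps are my assumptions.

```python
# Example code written for this page, not syslog-ng's cisco() parser.
# Field names (uptime, date, program, message) are my own choice.

MONTHS = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}

def _split_field(s):
    """Split at the first ': ' into (head, rest); rest is None if absent."""
    idx = s.find(": ")
    return (s, None) if idx < 0 else (s[:idx], s[idx + 2:])

def _is_uptime(tok):
    """True for IOS relative timestamps such as 4w4d or 1y46w: one or more
    digit runs, each followed by a single unit letter (assumed set)."""
    i, n = 0, len(tok)
    while i < n:
        j = i
        while j < n and tok[j].isdigit():
            j += 1
        if j == i or j == n or tok[j] not in "ywdhms":
            return False
        i = j + 1
    return n > 0

def parse_cisco(line):
    """Three-branch, regexp-free parse of one IOS log line into a dict."""
    line = line.strip()
    rec = {"uptime": None, "date": None, "program": None, "message": line}
    if line[:1].isdigit():
        # Branch 1: relative uptime, then program, then message.
        head, rest = _split_field(line)
        if rest is not None and _is_uptime(head):
            rec["uptime"], line = head, rest
    elif line[:3] in MONTHS:
        # Branch 2: absolute date ("Feb  6 16:43:32.219"), then program, message.
        head, rest = _split_field(line)
        if rest is not None:
            rec["date"], line = head, rest
    # Branch 3, also the tail of 1 and 2: "$program: $message"; if no
    # %FACILITY-SEVERITY-MNEMONIC program is present, keep the whole line.
    prog, msg = _split_field(line)
    if msg is not None and prog.startswith("%") and " " not in prog:
        rec["program"], rec["message"] = prog, msg
    else:
        rec["message"] = line
    return rec
```

A line that starts with a digit but is not a valid uptime stamp falls through to branch 3 untouched, so nothing is silently dropped.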

