[syslog-ng] Rewriting Cisco messages

Thomas Wollner tw at wollner-net.de
Tue Feb 7 21:16:23 CET 2012





Martin,

the configs on Cisco routers are very different. There are too many
options for how timestamps are built, and that crap makes it into the
message part of the log.

Just an example:
#service timestamps log
myrouter(config)#service timestamps log ?
  datetime  Timestamp with date and time
  uptime    Timestamp with system uptime
  <cr>

myrouter(config)#service timestamps log date
myrouter(config)#service timestamps log datetime ?
  localtime      Use local time zone for timestamps
  msec           Include milliseconds in timestamp
  show-timezone  Add time zone information to timestamp
  year           Include year in timestamp
  <cr>

Because of the many options, I used to rewrite all that crap with
nothing until I find a %FACILITY-PRIORITY-PROGRAM - a so-called
mnemonic - and set that as the $PROGRAM without the leading %. That way
I can use a simple regex: "everything between % and :" is the program
and everything until the end of the line is the message.

The above options are just for IOS-based devices. IOS-XE, IOS-XR and
NX-OS are out in the wild now, and I'm quite sure they will operate
differently...

just my 2 cents,

best regards,

Tom



On 07.02.2012 16:26, Martin Holste wrote:
> I spent some time yesterday working out the proper regexes to
> handle the many ways Cisco sends its timestamps, depending on how
> the device is configured.  However, I feel like my solution can be
> improved upon, so I'd like to see if there's a better way.  Here's
> what I've got so far that seems to be working, though there seems
> to be a 10-15% CPU penalty at the moment:
> 
> #4w4d: %LINEPROTO-5-UPDOWN: Line protocol on Interface 
> FastEthernet0/15, changed state to down #1y46w:
> %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on
> GigabitEthernet0/1 (1), with S-COR-02 GigabitEthernet2/15 (40). 
> filter f_rewrite_cisco_program_3 { match('^\d+[ywdh]\d+[ywdh]: 
> (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") 
> flags("store-matches" "nobackref")); };
> 
> #Feb  6 16:43:32.219: %LINK-3-UPDOWN: Interface
> FastEthernet2/0/42, changed state to up filter
> f_rewrite_cisco_program_2 { 
> match('^[\*\.]?(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?(?: [A-Z]{3})?: (%[^:]+): ([^\n]+)'
> value("MSGONLY") type("pcre") flags("store-matches" "nobackref"));
> };
> 
> # Others where MSGONLY starts with PROGRAM filter
> f_rewrite_cisco_program { match('^(%[A-Z]+\-\d\-[0-9A-Z]+): 
> ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" 
> "nobackref")); };
> 
> rewrite r_cisco_program { set("$1", value("PROGRAM") 
> condition(filter(f_rewrite_cisco_program) or 
> filter(f_rewrite_cisco_program_2) or 
> filter(f_rewrite_cisco_program_3))); set("$2", value("MESSAGE") 
> condition(filter(f_rewrite_cisco_program) or 
> filter(f_rewrite_cisco_program_2) or 
> filter(f_rewrite_cisco_program_3))); };
> 
> This works, but is there a better way? 
> 
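A Python model of the approach Tom describes above (discard everything up to the first %FACILITY-SEVERITY-MNEMONIC, use the mnemonic without its leading % as PROGRAM and the remainder as MESSAGE), run over the sample lines Martin quoted. This is an added example, not code from the thread or from syslog-ng; the regex is my own reading of the format, and the last two sample lines are constructed.

```python
import re

# Cisco IOS syslog text: <timestamp/sequence junk> %FACILITY-SEVERITY-MNEMONIC: text
# The prefix varies with "service timestamps log" (uptime like "4w4d:", datetime
# with optional msec/year/timezone, a leading '*' or '.' when the clock is not
# synchronised), so it is matched non-greedily and discarded rather than enumerated.
# Severity is one digit 0-7; facility and mnemonic may contain digits and
# underscores (e.g. CDP-4-NATIVE_VLAN_MISMATCH).
CISCO_MNEMONIC = re.compile(
    r"^.*?"                                            # anything before the first '%'
    r"%(?P<program>[A-Z][A-Z0-9_]*-[0-7]-[A-Z0-9_]+)"  # FACILITY-SEVERITY-MNEMONIC
    r": (?P<message>.*)$",                             # rest of the line is the message
    re.DOTALL,
)

def split_cisco(msgonly):
    """Return (program, message) with the leading '%' stripped from program,
    or None when the text carries no Cisco mnemonic (PROGRAM is left alone)."""
    m = CISCO_MNEMONIC.match(msgonly)
    if m is None:
        return None
    return m.group("program"), m.group("message")

def parse_all(lines):
    """Apply split_cisco to every line, keeping only the ones that matched."""
    return [r for r in (split_cisco(line) for line in lines) if r is not None]

# The first three lines are the samples quoted in the thread (leading '#' removed);
# the last two are constructed: an unsynchronised-clock datetime with timezone,
# and a line from a non-Cisco host that must be left untouched.
SAMPLES = [
    "4w4d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/15, changed state to down",
    "1y46w: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with S-COR-02 GigabitEthernet2/15 (40).",
    "Feb  6 16:43:32.219: %LINK-3-UPDOWN: Interface FastEthernet2/0/42, changed state to up",
    "*Feb  7 09:01:02.003 UTC: %SYS-5-CONFIG_I: Configured from console by vty0",  # constructed
    "plain message from a non-Cisco host",                                         # constructed
]

if __name__ == "__main__":
    for line in SAMPLES:
        result = split_cisco(line)
        if result is None:
            print("no mnemonic:", line)
        else:
            print("PROGRAM=%-28s MESSAGE=%s" % result)
```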

