[syslog-ng] cisco rewrite code

Sébastien Pasche braoru at gmail.com
Fri Oct 12 21:34:41 CEST 2012


On 10/12/2012 06:04 PM, Evan Rempel wrote:
>
> Does anyone have a pre-built set of patterns/rewrite rules to rewrite all cisco
> logs into something that is a little more compliant?
>
> We are trying to use a master pattern database to identify/classify messages,
> but the cisco logs don't have usable "program names" so the pattern database
> can't even get started :-(
>
> Thanks for any pointers.
>
Hello :)

What I usually do is filter with something like this:

filter ciscoIos {
    facility(local7) or (
        program("%PIX-[^-]+-[^-]+") or
        program("%ASA-[^-]+-[^-]+") or
        program("%FWSM-[^-]+-[^-]+")
    );
};

Then I send the log back to 127.0.0.1 with cisco as the program name,
specifying the message field.

rewrite rs_cisco {
    set('$PROGRAM: $MESSAGE' value("MESSAGE"));
    set("cisco" value("PROGRAM"));
};

Hope that helps you.

Seb
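
The effect of the filter and rewrite in the post above, emulated in Python as an added example that is not part of the original message or of syslog-ng itself. It assumes the records arrive already parsed into PRI, PROGRAM and MESSAGE and that program() does an unanchored regex search; the sample records are constructed.

```python
import re

# PRI = facility * 8 + severity; local7 is facility 23.
LOCAL7 = 23

# The three program() expressions from the ciscoIos filter.
CISCO_PROGRAMS = [re.compile(p) for p in (
    r"%PIX-[^-]+-[^-]+",
    r"%ASA-[^-]+-[^-]+",
    r"%FWSM-[^-]+-[^-]+",
)]


def matches_cisco_filter(rec):
    """facility(local7) or any of the program() matches."""
    facility = rec["pri"] >> 3
    return facility == LOCAL7 or any(
        p.search(rec["program"]) for p in CISCO_PROGRAMS)


def rewrite_cisco(rec):
    """Emulate rs_cisco: the two set() calls run in order."""
    out = dict(rec)
    # First set(): MESSAGE is built from the original PROGRAM value.
    out["message"] = f"{out['program']}: {out['message']}"
    # Second set(): only now is PROGRAM overwritten with the fixed name.
    out["program"] = "cisco"
    return out


def process(records):
    """Rewrite matching records, pass everything else through unchanged."""
    return [rewrite_cisco(r) if matches_cisco_filter(r) else dict(r)
            for r in records]


# Constructed sample records (not taken from real devices).
SAMPLE = [
    {"pri": 166, "program": "%ASA-6-302013",   # local4.info, matched by program
     "message": "Built outbound TCP connection (constructed sample)"},
    {"pri": 187, "program": "%LINK-3-UPDOWN",  # local7.err, matched by facility
     "message": "Interface Gi0/1, changed state to up (constructed sample)"},
    {"pri": 38, "program": "sshd",             # auth.info, not matched
     "message": "Accepted publickey for admin (constructed sample)"},
]

if __name__ == "__main__":
    for r in process(SAMPLE):
        print(r["program"], "|", r["message"])
```

After the rewrite every matched record carries the single program name cisco, and the original mnemonic survives at the start of the message where a pattern can still match on it.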
