[syslog-ng] cisco rewrite code

Thomas Wollner tw at wollner-net.de
Fri Oct 12 21:43:49 CEST 2012


Hello,

I use the following to set the program name to the so-called mnemonic:

filter f_rewrite_cisco_program {
  match('%([^:]+):\s+([^\n]+)' value("MESSAGE") type("pcre")
        flags("store-matches" "nobackref"));
};

rewrite r_cisco_program {
  set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program)));
  set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program)));
};



But Martin from ELSA Project has a more sophisticated way to match the
different types of timestamps included in the cisco message (it
depends on your log timestamp configuration):

filter f_rewrite_cisco_program {
  match('^(%[A-Z]+\-\d\-[0-9A-Z]+): ([^\n]+)'
        value("MSGONLY") type("pcre") flags("store-matches" "nobackref"));
};
filter f_rewrite_cisco_program_2 {
  match('^[\*\.]?(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?(?: [A-Z]{3})?: (%[^:]+): ([^\n]+)'
        value("MSGONLY") type("pcre") flags("store-matches" "nobackref"));
};
filter f_rewrite_cisco_program_3 {
  match('^\d+[ywdh]\d+[ywdh]: (%[^:]+): ([^\n]+)'
        value("MSGONLY") type("pcre") flags("store-matches" "nobackref"));
};
filter f_rewrite_cisco_program_4 {
  match('^\d{6}: [\*\.]?(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?(?: [A-Z]{3})?: (%[^:]+): ([^\n]+)'
        value("MSGONLY") type("pcre") flags("store-matches" "nobackref"));
};

rewrite r_cisco_program {
  set("$1", value("PROGRAM")
      condition(filter(f_rewrite_cisco_program) or filter(f_rewrite_cisco_program_2)
                or filter(f_rewrite_cisco_program_3) or filter(f_rewrite_cisco_program_4)));
  set("$2", value("MESSAGE")
      condition(filter(f_rewrite_cisco_program) or filter(f_rewrite_cisco_program_2)
                or filter(f_rewrite_cisco_program_3) or filter(f_rewrite_cisco_program_4)));
};



hope it helps,

regards,
Tom
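Added here as a check, not code from the thread or from syslog-ng: a Python harness that applies Thomas's unanchored pattern and the four ELSA patterns to constructed sample MSGONLY values and returns the PROGRAM/MESSAGE pair each rewrite would set. It assumes the mail-wrapped fragments in patterns 2 and 4 read `(?: [A-Z]{3})?`, and the timezone sample uses a three-letter abbreviation because that is all the pattern accepts.

```python
import re

# Thomas's unanchored pattern (applied to MESSAGE); the mnemonic is captured without '%'.
SIMPLE = re.compile(r"%([^:]+):\s+([^\n]+)")

# The four anchored ELSA patterns from the thread, applied to MSGONLY. Python's re accepts
# this PCRE subset unchanged; TS is the timestamp fragment shared by patterns 2 and 4
# (assumed to be '(?: [A-Z]{3})?' where the mail wrapped the line).
MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
TS = MONTH + r"\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?(?: [A-Z]{3})?"
ELSA = [
    ("f_rewrite_cisco_program", re.compile(r"^(%[A-Z]+\-\d\-[0-9A-Z]+): ([^\n]+)")),
    ("f_rewrite_cisco_program_2", re.compile(r"^[\*\.]?" + TS + r": (%[^:]+): ([^\n]+)")),
    ("f_rewrite_cisco_program_3", re.compile(r"^\d+[ywdh]\d+[ywdh]: (%[^:]+): ([^\n]+)")),
    ("f_rewrite_cisco_program_4", re.compile(r"^\d{6}: [\*\.]?" + TS + r": (%[^:]+): ([^\n]+)")),
]


def rewrite_simple(message):
    """(PROGRAM, MESSAGE) that the first r_cisco_program would set, else None."""
    m = SIMPLE.search(message)  # syslog-ng match() is a search, not an anchored match
    return (m.group(1), m.group(2)) if m else None


def rewrite_elsa(msgonly):
    """(matching filter, PROGRAM, MESSAGE) for the ELSA-style rewrite, else None.

    None means no filter fired: the rewrite leaves PROGRAM untouched and the pattern
    database still sees no usable program name for this message."""
    for name, pat in ELSA:
        m = pat.match(msgonly)
        if m:
            return name, m.group(1), m.group(2)
    return None


# Constructed sample MSGONLY values (not captured from real devices): one per timestamp
# style, plus a mnemonic containing '_', which the first ELSA pattern's [0-9A-Z]+ rejects.
SAMPLES = [
    "%SYS-5-RESTART: System restarted",
    "*Oct 12 21:43:49.123 UTC: %LINK-3-UPDOWN: Interface Gi0/1, changed state to down",
    "3w2d: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.1(1234) -> 10.2.2.2(22), 1 packet",
    "000123: Oct 12 21:43:49: %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi0/1, changed state to down",
    "%SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(rewrite_simple(s), rewrite_elsa(s))
```

The last sample returns None from the ELSA set because the first pattern's [0-9A-Z]+ class excludes the underscore in CONFIG_I, so untimestamped messages with such mnemonics keep their original PROGRAM; the unanchored pattern still extracts them.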




On 12.10.2012 21:34, Sébastien Pasche wrote:
> 
> On 10/12/2012 06:04 PM, Evan Rempel wrote:
> 
>> Does anyone have a pre-built set of patterns/rewrite rule to rewrite
>> all cisco logs into something that is a little more compliant?
>>
>> We are trying to use a master pattern database to identify/classify
>> messages, but the cisco logs don't have usable "program names" so the
>> pattern database can't even get started :-(
>>
>> Thanks for any pointers.
> 
> Hello :)
> 
> What I usually do is to filter with something like that:
> 
> filter ciscoIos {
>   facility(local7)
>   or (program("%PIX-[^-]+-[^-]+") or program("%ASA-[^-]+-[^-]+") or program("%FWSM-[^-]+-[^-]+"));
> };
> 
> then I send the log back to 127.0.0.1 with cisco as the program name and
> the original program name prepended to the message field.
> 
> rewrite rs_cisco {
>   set('$PROGRAM: $MESSAGE' value("MESSAGE"));
>   set("cisco" value("PROGRAM"));
> };
> 
> Hope that helps you.
> 
> Seb
> 
> 