[syslog-ng] in-list syntax

Czanik, Péter peter.czanik at balabit.com
Mon Jul 17 10:51:16 UTC 2017


Hi,

If you use syslog-ng 3.10 you can give the cisco parser a try:
https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html-single/index.html#cisco-parser
It parses Cisco log messages (at least a good part of them) and creates
name-value pairs from them.

If 3.10 is not an option for you, first I'd check if the PROGRAM macro
really contains the information you are looking for. I usually do that
using the format-json template with "--scope everything". It gives a lot
more information than necessary, but it is still the quickest way to figure
it out.

Or even better: use the Cisco parser for hints on how to parse the necessary
information from logs. It is actually a configuration snippet (SCL) and you
can browse it on-line:
https://github.com/balabit/syslog-ng/blob/master/scl/cisco/plugin.conf

Bye,

Peter Czanik (CzP) <peter.czanik at balabit.com>
Balabit / syslog-ng upstream
https://www.balabit.com/blog/author/peterczanik/
https://twitter.com/PCzanik

On Thu, Jul 13, 2017 at 4:07 PM, Damian Bell <Damian.Bell at clarksons.com>
wrote:

>
> Hello,
>
> I’ve previously had a very simple regex list configured for Cisco ASA
> devices to deliver email alerts on routing changes in our network, which
> was configured thus:-
>
> filter f_sev1 { match("%ASA-3-622001"); };
>
> …which works just fine. Wanting to expand this list a bit, and aware that
> scaling regex matching up is going to incur performance issues, I’ve
> thought that an “in-list” expression file might have been a better
> approach, and as such have configured the following:-
>
> filter f_sev1 { in-list("/etc/syslog-ng/email-match-list.list",
> value("PROGRAM")); };
>
> …where “PROGRAM” is (I believe) the applicable part of the code that
> matches to the Cisco "%ASA-3-622001" part of the message. The whitelist has
> the following entries (as an example):-
>
> %DUAL-5-NBRCHANGE
> %ASA-3-622001
> %SPANTREE-5-TOPOTRAP
> %SPANTREE-5-ROOTCHANGE
> %ASA-5-111010
>
> I am not getting any matches here, however. What am I missing?
>
> Thanks very much in advance,
>
> Damian
>
> Damian Bell
> Infrastructure Engineer | Support | H Clarkson & Co Ltd
> T: +44 20 7334 5483
> Email: Damian.Bell at clarksons.com
> Group Email: infrastructure at clarksons.com
> Clarksons Platou  TM
> Commodity Quay, St. Katharine Docks | London E1W 1BF | United Kingdom
> www.clarksons.com
> Please consider the environment before printing this e-mail
>
> ------------------------------
> This message is private and confidential. If you have received it in
> error, you are on notice of its status. Please notify us immediately by
> reply email and then delete this message from your system. Please do not
> copy it or use it for any purposes, or disclose its contents to any other
> person: to do so could be a breach of confidence.
>
> Emails may be monitored.
>
> Details of Clarkson group companies and their regulators (where
> applicable) can be found at this url: Disclosure
> <http://www.clarksons.com/disclosure/>
> ------------------------------
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
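As an added example (not from the original thread and not the syslog-ng project's own code), here is a syslog-ng configuration that puts Peter's three suggestions together in one place: a debug path that dumps every macro and name-value pair with format-json so you can see what PROGRAM really holds, the in-list() filter from the question, and the 3.10 cisco-parser() in front of it. The source port, file paths, and the ".cisco.*" name-value pair prefix are assumptions; confirm the actual key names in the JSON dump before filtering on them.

```conf
@version: 3.10
@include "scl.conf"   # needed for the cisco-parser() SCL block

# Assumption: Cisco devices send classic syslog over UDP/514.
source s_cisco {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# Step 1 (debugging only): write every macro and name-value pair as JSON.
# Read the "PROGRAM" key in this file before trusting any filter on it.
# Disable this path again once the filters work; the output is verbose.
destination d_debug {
    file("/var/log/syslog-ng/cisco-debug.json"
         template("$(format-json --scope everything)\n"));
};

log { source(s_cisco); destination(d_debug); };

# Step 2: in-list() does an exact lookup of the whole value against the
# file, one entry per line. A trailing space in the file, or a PROGRAM value
# that is not literally "%ASA-3-622001" (compare with the dump), never matches.
filter f_sev1 {
    in-list("/etc/syslog-ng/email-match-list.list", value("PROGRAM"));
};

# Step 3 (3.10 and later): cisco-parser() splits the Cisco message header
# into name-value pairs, so the filter no longer depends on how the legacy
# syslog parser happened to fill PROGRAM. Assumption: the parser stores its
# results under ".cisco.*"; the --key selector below only prints those.
parser p_cisco { cisco-parser(); };

destination d_alerts {
    file("/var/log/syslog-ng/cisco-alerts.log"
         template("${ISODATE} ${HOST} ${PROGRAM} $(format-json --key .cisco.*) ${MSG}\n"));
};

log {
    source(s_cisco);
    parser(p_cisco);
    filter(f_sev1);
    destination(d_alerts);
};
```

Run it, send one known message such as a "%ASA-3-622001" event, and compare the "PROGRAM" key in the debug JSON with the entries in the list file; if they differ, either change value("PROGRAM") to the name-value pair that does hold the "%FACILITY-SEVERITY-MNEMONIC" string, or edit the list to match what PROGRAM actually contains. The file destination stands in for the original email alerting; a program() destination piping to a local mailer would hang off the same log path.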

