[syslog-ng] PatternDB with CiscoSNMP Module

Scheidler, Balázs balazs.scheidler at balabit.com
Tue May 2 06:56:36 UTC 2017


Hi,

I am in the process of writing a cisco-parser() myself, which uses a
combination of csv-parser() and regexps; pattern-db is not very well suited
for breaking apart a Cisco-like conditional structure (which depends on
various settings on the Cisco side).

While handling various settings (service sequence-numbers, service
timestamps, logging origin-id, etc), it achieves about 37k msg/sec. What is
your target number with regards to performance?

Here's my stuff:
https://github.com/balabit/syslog-ng/pull/1456


-- 
Bazsi

On Tue, May 2, 2017 at 2:17 AM, Schoonover, Mark E HHHH <Mark.Schoonover at cigna.com> wrote:

> Thanks for reading,
>
> I’m in the process of creating a log to trap for Cisco devices. I have it
> working for facilities like this: TRINITY-2-TRINITY_SYSLOG_CRIT with this
> pattern:
>
> @ESTRING::%@@ESTRING:.cisco.Facility:-@@ESTRING:.cisco.Severity:-@
> @ESTRING:.cisco.MsgName::@ @ANYSTRING:.cisco.MsgText@
>
> Now there are other facilities with an additional hyphen before the
> severity: EARL-DFC1-1-EXCESSIVE_PARITY_ERROR:
>
> Apr 26 14:04:45 hostname 565049: Apr 26 18:04:43.476 UTC:
> %EARL-DFC1-1-EXCESSIVE_PARITY_ERROR: EARL 0: Parity error detected in
> VRAM'
>
> which parses into:
>
> Testing message: program='EARL-DFC1-1-EXCESSIVE_PARITY_ERROR'
> message='Apr 26 14:04:45 hostname 565049: Apr 26 18:04:43.476 UTC:
> %EARL-DFC1-1-EXCESSIVE_PARITY_ERROR: EARL 0: Parity error detected in
> VRAM'
>
> Match name='.classifier.rule_id', value='09944c71-95eb-4bc0-8575-936931d85715',
> expected='09944c71-95eb-4bc0-8575-936931d85715'
>
> Wrong match name='.cisco.Facility', value='EARL', expected='EARL-DFC1'
>
> Wrong match name='.cisco.Severity', value='DFC1', expected='1'
>
> Wrong match name='.cisco.MsgName', value='1-EXCESSIVE_PARITY_ERROR',
> expected='EXCESSIVE_PARITY_ERROR'
>
> Match name='.cisco.MsgText', value='EARL 0: Parity error detected in
> VRAM', expected='EARL 0: Parity error detected in VRAM'
> I’ve tried a pattern that would parse EARL and DFC1 into separate
> variables, then append them into .cisco.Facility – which didn’t work. Still
> that leaves the pattern hardcoded to just two hyphens. I’ve also tried hard
> coding EARL-DFC1 into the pattern, then use value to set .cisco.Facility
> correctly. This approach works but being hardcoded, another Facility with
> embedded hyphens will fail. Ideally I’d like to have a pattern that matches
> on the last hyphen before the severity and capture that. I could parse
> using a regexp and setting $1, $2, $3, and $4 to the appropriate variables
> but I’m concerned about performance issues – I’m thinking this is a last
> resort solution.
>
> Any thoughts on how to proceed?
>
> Regards,
>
> Mark Schoonover – KA6WKE
> Infrastructure Engineering Manager, Splunk Architect
> ENE   : Tools, Instrumentation and Common Services Team
> Office: 32.8697° N, 116.9711° W
> Phone : 770-261-7934
> Email : mark.schoonover at cigna.com
> *HPSM Team: ENE NMS Engineering*
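The split Mark asks for (a facility that may itself contain hyphens, with the severity sitting at the last hyphen before the mnemonic) and the regexp route Bazsi mentions, as an added example that is not part of this thread, of Bazsi's pull request, or of syslog-ng's own cisco-parser(): a small Python parser built on one regular expression with named capture groups. The names `parse_cisco` and `as_name_value_pairs` are this example's own, the sample messages are constructed from the two headers quoted in the thread, and the sequence-number and timestamp formats it recognises are an assumption about common IOS output.

```python
import re
from typing import Dict, Optional

# Added example, not code from the thread or from syslog-ng's cisco-parser().
# Parses the Cisco IOS message body that syslog-ng would hold in $MESSAGE:
#   [<seq>: ][<timestamp>: ]%FACILITY[-SUBFACILITY...]-SEVERITY-MNEMONIC: text
# The facility group is greedy and may contain hyphens; the severity is the
# single digit 0-7 between the LAST facility hyphen and the mnemonic, which
# is what makes EARL-DFC1-1-EXCESSIVE_PARITY_ERROR split correctly.
_HEADER = re.compile(
    r"%(?P<facility>[A-Z0-9_]+(?:-[A-Z0-9_]+)*)"
    r"-(?P<severity>[0-7])"
    r"-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$",
    re.DOTALL,
)

# Optional prefixes produced by "service sequence-numbers" and
# "service timestamps log datetime [msec] [show-timezone] [year]".
# The timestamp shapes covered here are an assumption about common IOS
# output; a leading '*' or '.' marks an unsynchronised clock.
_SEQ = re.compile(r"^(?P<seq>\d+):\s*")
_TS = re.compile(
    r"^(?P<timestamp>[*.]?[A-Z][a-z]{2}\s+\d{1,2}(?:\s+\d{4})?"
    r"\s+\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?(?:\s+[A-Za-z]{1,5})?):\s*"
)

# Cisco severity digits line up with the syslog severity scale.
SEVERITY_NAMES = ("emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging")


def parse_cisco(message: str) -> Optional[Dict[str, object]]:
    """Return the parsed fields, or None when no %FAC-SEV-MNEMONIC header is present."""
    m = _HEADER.search(message)
    if m is None:
        return None
    severity = int(m.group("severity"))
    fields: Dict[str, object] = {
        "seq": None,
        "timestamp": None,
        "facility": m.group("facility"),
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text").rstrip(),
    }
    # Whatever precedes the '%' is the optional sequence-number / timestamp
    # prefix; anything else found there (e.g. an origin-id) is skipped.
    prefix = message[: m.start()]
    s = _SEQ.match(prefix)
    if s:
        fields["seq"] = s.group("seq")
        prefix = prefix[s.end():]
    t = _TS.match(prefix)
    if t:
        fields["timestamp"] = t.group("timestamp")
    return fields


def as_name_value_pairs(fields: Dict[str, object]) -> Dict[str, str]:
    """Map the result onto the .cisco.* names used by the pattern in the thread."""
    return {
        ".cisco.Facility": str(fields["facility"]),
        ".cisco.Severity": str(fields["severity"]),
        ".cisco.MsgName": str(fields["mnemonic"]),
        ".cisco.MsgText": str(fields["text"]),
    }


# Constructed sample messages: the two headers from the thread plus a bare
# IOS message with an unsynchronised-clock timestamp and a non-Cisco line.
SAMPLES = [
    "565049: Apr 26 18:04:43.476 UTC: %EARL-DFC1-1-EXCESSIVE_PARITY_ERROR: "
    "EARL 0: Parity error detected in VRAM",
    "%TRINITY-2-TRINITY_SYSLOG_CRIT: constructed sample text",
    "*Mar  1 00:01:02.345: %SYS-5-CONFIG_I: Configured from console by console",
    "plain text without a Cisco header",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        parsed = parse_cisco(sample)
        print(sample)
        print("  ->", as_name_value_pairs(parsed) if parsed else "no match")
```

The severity digit is what disambiguates the header: the facility group is greedy, so the regexp backtracks until a lone `-[0-7]-` sits between it and the mnemonic. That is the "last hyphen before the severity" rule Mark describes, and it needs no hardcoded count of hyphens. The same PCRE pattern, with its `(?P<...>)` named groups, could be handed to a syslog-ng regexp-parser() with prefix('.cisco.') to produce the `.cisco.*` names directly, assuming a syslog-ng release that ships regexp-parser().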