[syslog-ng] Problems parsing Cisco syslogs
N. Max Pierson
nmaxpierson at gmail.com
Tue Feb 26 16:36:31 UTC 2019
Hi List,
I have been trying to get something in place that can parse syslogs from
various Cisco devices. The message format is almost the same with a few
exceptions. Here is what I have tried and it works but now it has created
another problem I do not know how to troubleshoot.
So that I could see exactly what was being parsed, I disabled the default
parsing using the below.
source s_network { udp(ip(0.0.0.0) port(514) flags(no-parse)); };
rewrite r_cisco{
subst('^<\d+>(\d+:|:)\s+(\.\w+|\w+)\s+\d+\s+\d+\s\d+:\d+:\d+:\s|^<\d+>:\s+\d+\s+\w+\s+\d+\s+\d+:\d+:\d+\s\w+:\s|^<\d+>(\d+:|:)\s',
"", value("MESSAGE"), type("pcre"), flags("ignore-case")); };
destination d_mysql {
sql(type(mysql)
host("127.0.0.1")
username("syslog-ng")
password("password")
database("syslog")
table("messages_${HOST}")
columns("datetime datetime", "host varchar(50)", "level varchar(10)",
"message text")
values("${R_YEAR}-${R_MONTH}-${R_DAY} ${R_HOUR}:${R_MIN}:${R_SEC}",
"${HOST}", "${LEVEL}", "${MESSAGE}")
indexes("datetime", "level")
);
};
log { source(s_network); rewrite(r_cisco); destination(d_mysql); };
This works perfectly as it formats the message as I want and covers IOS and
NX-OS devices. The problem is when I turned off the default parser, now all
of my logs show "notice" in the $LEVEL macro and doesn't reflect the real
message header level. The $HOST macro still works fine however.
Is this the expected behavior that the message header fields are not parsed
as well as the $MESSAGE itself not being parsed? How can map the header
level field properly to the $LEVEL marco if I disable the default parser?
Regards,
Max
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20190226/df863fa1/attachment.html>
More information about the syslog-ng
mailing list