[syslog-ng] Problems parsing Cisco syslogs
N. Max Pierson
nmaxpierson at gmail.com
Tue Feb 26 17:14:08 UTC 2019
I looked at the existing cisco parser but did not quite understand the
syntax. I also tried pattern-db but I could not get that to work either. Is
it recommended to use pattern-db or should I try and copy the default
parser and start from there? I'll post my pattern-db xml file if it's
recommended to use it instead of the default parser.
Regards,
Max
On Tue, Feb 26, 2019 at 11:08 AM Sandor Geller <sandor.geller at ericsson.com>
wrote:
> Hello,
>
> When the no-parse flag is used then the macros referencing various parts
> of the message aren't filled in. HOST could get looked up using a reverse
> DNS lookup unless the keep_hostname option is set. The syslog priority is
> set to user.notice when parsing is disabled.
>
> Did you take a look at the existing cisco parser? Using it or adopting it
> should ease your job. If you could configure the Ciscos to use other port
> than anything else (which speaks syslog, Cisco devices usually aren't
> such...) would be even better.
>
> Regards,
> Sandor
>
> On 02/26/2019 05:36 PM, N. Max Pierson wrote:
>
> Hi List,
>
> I have been trying to get something in place that can parse syslogs from
> various Cisco devices. The message format is almost the same with a few
> exceptions. Here is what I have tried and it works but now it has created
> another problem I do not know how to troubleshoot.
>
> So that I could see exactly what was being parsed, I disabled the default
> parsing using the below.
>
> source s_network { udp(ip(0.0.0.0) port(514) flags(no-parse)); };
>
> rewrite r_cisco{
> subst('^<\d+>(\d+:|:)\s+(\.\w+|\w+)\s+\d+\s+\d+\s\d+:\d+:\d+:\s|^<\d+>:\s+\d+\s+\w+\s+\d+\s+\d+:\d+:\d+\s\w+:\s|^<\d+>(\d+:|:)\s',
> "", value("MESSAGE"), type("pcre"), flags("ignore-case")); };
>
> destination d_mysql {
> sql(type(mysql)
> host("127.0.0.1")
> username("syslog-ng")
> password("password")
> database("syslog")
> table("messages_${HOST}")
> columns("datetime datetime", "host varchar(50)", "level varchar(10)",
> "message text")
> values("${R_YEAR}-${R_MONTH}-${R_DAY} ${R_HOUR}:${R_MIN}:${R_SEC}",
> "${HOST}", "${LEVEL}", "${MESSAGE}")
> indexes("datetime", "level")
> );
> };
>
> log { source(s_network); rewrite(r_cisco); destination(d_mysql); };
>
> This works perfectly as it formats the message as I want and covers IOS
> and NX-OS devices. The problem is when I turned off the default parser, now
> all of my logs show "notice" in the $LEVEL macro and doesn't reflect the
> real message header level. The $HOST macro still works fine however.
>
> Is this the expected behavior that the message header fields are not
> parsed as well as the $MESSAGE itself not being parsed? How can map the
> header level field properly to the $LEVEL marco if I disable the default
> parser?
>
> Regards,
> Max
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20190226/8ef7dd5b/attachment.html>
More information about the syslog-ng
mailing list