[syslog-ng] cisco templetes

Gabor Nagy (gnagy) Gabor.Nagy at oneidentity.com
Wed Jul 31 15:17:19 UTC 2019

Hi Ciprian,

Cisco logs have been known to ignore RFC3164 log format and therefore needs to be parsed specially.

In syslog-ng there is a dedicated cisco-parser() to handle some known Cisco formats.
Please don't forget to set "no-parse" flag.
  source { udp(flags(no-parse)); };

The problem with using a dedicated parser is that if you pass a log message with different format than the parser expects,
the parsing result can be wrong, or some parser even drops the message.
Therefore you need to route the different message formats on different channels to do parsing on.

For convenience, there is a source driver called "default-network-driver()" which opens and listens on the common ports and formats and then
it parses the message automatically based on some message characteristics, i.e. if it detects that a message has a cisco format, it parses it with cisco-parser():
Ports opened by default:

  *   514, both TCP and UDP, for RFC3164 (BSD-syslog) formatted traffic
  *   601 TCP, for RFC5424 (IETF-syslog) formatted traffic
  *   6514 TCP, for TLS-encrypted traffic

Detailed documentation:

From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of ciprian niculescu <cnicules at gmail.com>
Sent: Tuesday, July 30, 2019 20:35
To: syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] cisco templetes

CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.


i'm building a syslog relay to collect and duplicate the flows to
multiple destinations.
but the relayed messages are strange looking.
my source are cisco network devices (catalyst, nexus, asa) and i want
to relay to a Solarwinds, Splunk and a linux-syslog for archiving.

i search the net for a templete but found none.
What i got so far is that the catalyst is sending in syslog bsd
format, but with the relay configured to source bsd and destination
bsd, the end message is different (the date is doubled, the relay add
his IP)

any help is appreciated.


Member info: https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=02%7C01%7Cgabor.nagy%40oneidentity.com%7C78b4a839cdc048b2f1d308d7151cc2c4%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637001085606850183&sdata=NfDwArjXF2rTuXIkXtUbE8tmsi095EkX5lgLn3EbFD0%3D&reserved=0
Documentation: https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=02%7C01%7Cgabor.nagy%40oneidentity.com%7C78b4a839cdc048b2f1d308d7151cc2c4%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637001085606850183&sdata=4UJ8e%2FCy5qcLj%2BtY5jlDK9FA3yv0Md8im9BjfUxnbx0%3D&reserved=0
FAQ: https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=02%7C01%7Cgabor.nagy%40oneidentity.com%7C78b4a839cdc048b2f1d308d7151cc2c4%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637001085606860191&sdata=Cq0V%2F0nmydZ%2FOHcgY%2FHKaZuHnjoHh6grq%2BHYqX%2FgDEI%3D&reserved=0

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20190731/9bcc02a0/attachment.html>

More information about the syslog-ng mailing list