[syslog-ng] parsing cisco firepower logs problem with 3.33

Stoffel, John (TAI) John.Stoffel at toshiba.com
Thu Feb 17 14:47:59 UTC 2022


Hi,
I'm trying to parse some Cisco logs from a Cisco Firepower firewall, using syslog-ng v3.33 on a CentOS 7 system.  After pounding my head against the wall a few times to realize that you can't just restart syslog-ng and have it re-read a source file from scratch... that instead I need to just push the data using netcat, it's now in a state where I think I can try to debug things.

My logs look like this:

<166>2022-02-16T15:31:53Z na-zy-int-fp1140-p02 : %FTD-6-305012: Teardown dynamic UDP translation from TAI-INSIDE:1.2.3.110/51288 to FOO-OUTSIDE:6.7.8.18/33333 duration 0:00:00
<166>2022-02-16T15:31:53Z na-zy-int-fp1140-p02 : %FTD-6-305012: Teardown dynamic TCP translation from FOO-WAN_IN:10.92.60.80/59877 to FOO-OUTSIDE:6.7.8.18/59877 duration 0:01:01
<166>2022-02-16T15:31:53Z na-zy-int-fp1140-p02 : %FTD-6-305011: Built dynamic UDP translation from FOO-INSIDE:1.2.3.110/51288 to FOO-OUTSIDE:6.7.8.18/5632

Looking at this log, vs. the examples given in the /usr/share/syslog-ng/include/scl/cisco/plugin.conf file, I think the problem is that my logs show the:

   sequence, date: origin, %MSG

instead of

  sequence, origin, date: %MSG

and it's not clear to me how I would hack the plugin.conf file to handle this issue.  My end goal is to be able to parse the message enough by log level so I can forward only a subset of messages to another remote syslog system.

Thanks,
John


Sr. Storage Architect
TOSHIBA AMERICA, INC.
1251 6th Ave, 41st flr, New York, NY 10020
508-736-5499 (mobile)
E-Mail:  john.stoffel at toshiba.com<mailto:john.stoffel at toshiba.com>
Website: Service Now Self Service Portal<https://nassc.service-now.com/ess/navpage.do>
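As an added illustration (not part of the original post, and not syslog-ng's cisco SCL code): a small parser for the "date before origin" layout shown in the message above, which splits the syslog PRI into facility/severity, pulls the level and message id out of the `%FTD-<level>-<id>:` mnemonic, and keeps only events at or above a chosen level, which is the forwarding decision the post is aiming for. The first three sample lines are the ones quoted in the post; the last two are constructed, and the `000000` message id is a placeholder, not a real FTD id.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity names per RFC 5424 (0 = emerg ... 7 = debug); lower number = more severe.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Layout seen in the post: <PRI>ISO8601-timestamp host : %FTD-<level>-<id>: free text
# The timestamp is matched strictly so that the "origin before date" layout the
# stock cisco SCL expects does NOT silently match with host and date swapped.
FTD_LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                           # PRI = facility*8 + severity
    r"(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))\s+"
    r"(?P<host>\S+)\s+:\s+"                                          # origin, then a lone colon
    r"%(?P<tag>[A-Z]+)-(?P<level>[0-7])-(?P<msg_id>\d+):\s+"         # e.g. %FTD-6-305012:
    r"(?P<message>.*)$"
)


@dataclass
class FtdEvent:
    facility: int      # from PRI, e.g. 20 = local4
    severity: int      # from PRI, 0..7
    timestamp: str
    host: str
    tag: str           # "FTD"
    level: int         # level embedded in the %FTD-<level>-<id> mnemonic
    msg_id: str
    message: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

    @property
    def level_matches_pri(self) -> bool:
        """True when the mnemonic level agrees with the PRI severity. A mismatch
        means filtering on one field will not behave like filtering on the other."""
        return self.level == self.severity


def parse_ftd(line: str) -> Optional[FtdEvent]:
    """Parse one raw line; return None for lines that do not fit the layout."""
    m = FTD_LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:  # 23*8 + 7 is the largest legal PRI value
        return None
    return FtdEvent(
        facility=pri >> 3,
        severity=pri & 0x07,
        timestamp=m["timestamp"],
        host=m["host"],
        tag=m["tag"],
        level=int(m["level"]),
        msg_id=m["msg_id"],
        message=m["message"],
    )


def select_for_forwarding(lines: List[str], max_level: int) -> List[FtdEvent]:
    """Keep events whose mnemonic level is <= max_level (i.e. at least that severe).
    Unparseable lines are dropped here; in a real pipeline route them to a
    fallback destination instead of losing them silently."""
    kept = []
    for line in lines:
        ev = parse_ftd(line)
        if ev is not None and ev.level <= max_level:
            kept.append(ev)
    return kept


SAMPLE_LINES = [
    # The three lines quoted in the post, re-joined onto single lines.
    "<166>2022-02-16T15:31:53Z na-zy-int-fp1140-p02 : %FTD-6-305012: Teardown dynamic UDP translation from TAI-INSIDE:1.2.3.110/51288 to FOO-OUTSIDE:6.7.8.18/33333 duration 0:00:00",
    "<166>2022-02-16T15:31:53Z na-zy-int-fp1140-p02 : %FTD-6-305012: Teardown dynamic TCP translation from FOO-WAN_IN:10.92.60.80/59877 to FOO-OUTSIDE:6.7.8.18/59877 duration 0:01:01",
    "<166>2022-02-16T15:31:53Z na-zy-int-fp1140-p02 : %FTD-6-305011: Built dynamic UDP translation from FOO-INSIDE:1.2.3.110/51288 to FOO-OUTSIDE:6.7.8.18/5632",
    # Constructed warning-level line (PRI 164 = local4.warning); message id 000000 is a placeholder.
    "<164>2022-02-16T15:32:10Z na-zy-int-fp1140-p02 : %FTD-4-000000: constructed warning event for the example",
    # Constructed line in the "origin before date" layout; deliberately does not match.
    "<166>na-zy-int-fp1140-p02 2022-02-16T15:32:11Z : %FTD-6-305011: constructed line in the other layout",
]

if __name__ == "__main__":
    for ev in select_for_forwarding(SAMPLE_LINES, max_level=6):
        flag = "" if ev.level_matches_pri else "  (PRI/mnemonic level mismatch)"
        print(f"{ev.host} {ev.tag}-{ev.level}-{ev.msg_id} {ev.severity_name}: {ev.message[:40]}{flag}")
```

Filtering on the mnemonic level and on the PRI severity are two different things; the `level_matches_pri` check makes it visible when a device emits them inconsistently, so you know which field your forwarding filter is really keyed on. In syslog-ng 3.33 the same pattern can be handed to `regexp-parser()`, which accepts PCRE named groups, and the extracted level field can then drive a `filter()` for the subset you want to forward.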
