Cisco IOS/ASA/CatOS Syslog Parser

This is the place for developers to discuss bugs, new features and everything else about code changes.

Postby jmihalow » Mon Dec 19, 2011 4:51 pm

I have modified the code in /classes/logstreamlineparsersyslog.class.php to add some support for Cisco's multiple syslog formats for the ASA, IOS, and CatOS. You will need to add the following code to this file:

// Sample (IOS Syslog): Dec 16 15:46:14 dc0-remrtr02 1832: Dec 16 15:46:24: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: me] [Source: 192.168.1.1] [localport:22] at 15:46:24 EST Fri Dec 16 2011
// Groups: 1=month 2=day+time 3=host 4=sequence number 5=facility 6=severity 7=mnemonic 8=message.
// " {1,2}" after the month absorbs the padding space syslog puts before single-digit days ("Dec  2").
else if ( preg_match("/(...) {1,2}([0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}) (\S+) (\d+):.+%(\S+)-(\d)-(\S+): (.+)$/", $szLine, $out ) )
{
    // Copy parsed properties!
    $arrArguments[SYSLOG_DATE] = GetEventTime($out[1] . " " . $out[2]);
    $arrArguments[SYSLOG_SEVERITY] = $out[6];    // Cisco severity digit, same 0-7 scale as syslog
    $arrArguments[SYSLOG_HOST] = $out[3];
    $arrArguments[SYSLOG_SYSLOGTAG] = $out[7];   // message mnemonic, e.g. LOGIN_SUCCESS
    $arrArguments[SYSLOG_PROCESSID] = $out[4];   // IOS sequence number stands in for a PID
    $arrArguments[SYSLOG_MESSAGE] = $out[8];
}
// Sample (ASA Syslog): Dec 15 23:58:24 MY-ASA %ASA-4-106023: Deny udp src outside:74.201.99.83/26981 dst outside:192.168.1.1/31730 by access-group "outside_in" [0x0, 0x0]
// Groups: 1=month 2=day+time 3=host 4=severity 5=message ID 6=message. ASA lines carry no sequence number.
// "\s*" before the message drops the blank that follows the colon so the message is not stored with a leading space.
else if ( preg_match("/(...) {1,2}([0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}) (\S+) %\w+-(\d)-(\d+):\s*(.+)$/", $szLine, $out ) )
{
    // Copy parsed properties!
    $arrArguments[SYSLOG_DATE] = GetEventTime($out[1] . " " . $out[2]);
    $arrArguments[SYSLOG_SEVERITY] = $out[4];
    $arrArguments[SYSLOG_HOST] = $out[3];
    $arrArguments[SYSLOG_SYSLOGTAG] = $out[5];   // numeric ASA message ID, e.g. 106023
    // No SYSLOG_PROCESSID: the ASA format has nothing to put there
    $arrArguments[SYSLOG_MESSAGE] = $out[6];
}
// Sample (Cisco CatOS): Dec 2 16:20:11 2011 Dec 02 16:20:28 eastern -05:00 %ETHC-5-PORTTOSTP:Port 3/5 joined bridge port 3/5
// Groups: 1=month 2=day+time+year 3=facility 4=severity 5=mnemonic 6=message. CatOS sends no hostname.
else if ( preg_match("/(...) {1,2}([0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2} [0-9]{4}).+%(\w+)-(\d)-(\w+):(.+)$/", $szLine, $out ) )
{
    // Copy parsed properties!
    $arrArguments[SYSLOG_DATE] = GetEventTime($out[1] . " " . $out[2]);
    $arrArguments[SYSLOG_SEVERITY] = $out[4];
    // No SYSLOG_HOST: CatOS does not include this info
    $arrArguments[SYSLOG_SYSLOGTAG] = $out[5];   // message mnemonic, e.g. PORTTOSTP
    $arrArguments[SYSLOG_PROCESSID] = $out[3];   // facility (e.g. ETHC) kept here for lack of a better field
    $arrArguments[SYSLOG_MESSAGE] = $out[6];
}

I inserted this code right after line 79, which is the end of the first syslog pattern match. Please feel free to use this code any way you want. If anyone has a better matching regex, please feel free to update this thread. The code above will get the fields into their correct positions and fix the graphs in the statistics section.
jmihalow (New)
Posts: 1
Joined: Mon Dec 19, 2011 4:35 pm
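The three patterns above can be exercised outside LogAnalyzer before they are spliced into logstreamlineparsersyslog.class.php. What follows is an added example, not code from jmihalow's post or from the LogAnalyzer project: a stand-alone Python port of the same IOS, ASA and CatOS patterns, tried in the same else-if order, run over the post's three sample lines plus a constructed non-Cisco line that must fall through unmatched. The function names, the default year used for BSD-style timestamps that omit one, and the severity-name table are assumptions of this example; the post used `(?:.|..)` for the day padding, which is written here as the equivalent but stricter `" {1,2}"`.

```python
"""Stand-alone port of the post's Cisco IOS/ASA/CatOS syslog patterns (added example)."""
import re
from datetime import datetime

# Cisco severity digits (the "-5-" in %SEC_LOGIN-5-LOGIN_SUCCESS) use the syslog
# 0-7 scale, which is why storing them in the severity field fixes the graphs.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# BSD-style "Mon dd hh:mm:ss" prefix; syslog pads single-digit days with a second
# space ("Dec  2"), hence " {1,2}".
_TS = r"(?P<month>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) (?P<time>\d{1,2}:\d{2}:\d{2})"

# Same order as the post's else-if chain; shared group names let one caller handle all three.
PATTERNS = [
    # IOS: "<ts> <host> <seq>: <device ts>: %FACILITY-SEV-MNEMONIC: message"
    ("ios", re.compile(_TS + r" (?P<host>\S+) (?P<pid>\d+):.+"
                       r"%(?P<facility>\S+)-(?P<sev>\d)-(?P<mnemonic>\S+): (?P<msg>.+)$")),
    # ASA: "<ts> <host> %ASA-SEV-MSGID: message" (no sequence number)
    ("asa", re.compile(_TS + r" (?P<host>\S+) "
                       r"%(?P<facility>\w+)-(?P<sev>\d)-(?P<mnemonic>\d+):(?P<msg>.+)$")),
    # CatOS: "<ts> <year> <device ts> <tz> %FACILITY-SEV-MNEMONIC:message" (no hostname)
    ("catos", re.compile(_TS + r" (?P<year>\d{4}).+"
                         r"%(?P<facility>\w+)-(?P<sev>\d)-(?P<mnemonic>\w+):(?P<msg>.+)$")),
]


def parse_cisco_syslog(line, default_year=2011):
    """Return the parsed fields of an IOS/ASA/CatOS line as a dict, or None.

    default_year (an assumption of this example) fills in the year that BSD
    syslog timestamps omit; CatOS lines carry their own year and use it.
    """
    for fmt, pattern in PATTERNS:
        m = pattern.search(line)            # unanchored, like preg_match in the post
        if m is None:
            continue
        g = m.groupdict()
        month = MONTHS.get(g["month"])
        if month is None:                   # "Xyz 12 ..." is not a month; keep looking
            continue
        year = int(g["year"]) if g.get("year") else default_year
        hour, minute, second = (int(x) for x in g["time"].split(":"))
        sev = int(g["sev"])
        return {
            "format": fmt,
            "date": datetime(year, month, int(g["day"]), hour, minute, second),
            "host": g.get("host"),          # None for CatOS, which sends no hostname
            "pid": g.get("pid"),            # IOS sequence number; None for ASA and CatOS
            "facility": g["facility"],
            "severity": sev,
            "severity_name": SEVERITY_NAMES[sev] if sev < len(SEVERITY_NAMES) else "unknown",
            "tag": g["mnemonic"],           # mnemonic, or the numeric ASA message ID, as in the post
            "message": g["msg"].strip(),
        }
    return None


# Constructed sample lines: the three from the post plus a non-Cisco sshd line that
# must come back as None so the Cisco branch does not swallow other hosts' events.
SAMPLE_LINES = [
    "Dec 16 15:46:14 dc0-remrtr02 1832: Dec 16 15:46:24: %SEC_LOGIN-5-LOGIN_SUCCESS: "
    "Login Success [user: me] [Source: 192.168.1.1] [localport:22] at 15:46:24 EST Fri Dec 16 2011",
    "Dec 15 23:58:24 MY-ASA %ASA-4-106023: Deny udp src outside:74.201.99.83/26981 "
    'dst outside:192.168.1.1/31730 by access-group "outside_in" [0x0, 0x0]',
    "Dec  2 16:20:11 2011 Dec 02 16:20:28 eastern -05:00 %ETHC-5-PORTTOSTP:Port 3/5 joined bridge port 3/5",
    "Dec 16 15:46:14 bastion sshd[4242]: Accepted publickey for me from 192.168.1.1 port 50123 ssh2",
]


def parse_samples():
    """Parse every sample line in order; the non-Cisco line yields None."""
    return [parse_cisco_syslog(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for line, parsed in zip(SAMPLE_LINES, parse_samples()):
        print(line[:60] + "...")
        print("   ->", parsed)
```

Running the block prints the parsed dict for each line. The ordering matters in the same way it does in the PHP: the IOS pattern needs a numeric sequence number after the hostname, so the ASA line cannot match it, and the CatOS pattern needs a four-digit year after the timestamp, so neither of the other two formats reaches it by accident.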
