Cisco log format

Questions around SyslogAppliance, the virtual logging appliance.

Moderator: alorbach

Postby doomraisin » Thu Mar 12, 2009 10:38 pm

Love the appliance! However, I'm curious as to how well it handles the Cisco IOS log format - the Syslogtag field always displays the syslog line number rather than the actual tag.

Also, I can't figure out how to search for text strings in the messages field.

Thanks!
doomraisin
New
 
Posts: 4
Joined: Thu Mar 12, 2009 10:34 pm

Re: Cisco log format

Postby rgerhards » Fri Mar 13, 2009 10:40 am

That's a parsing problem; Cisco IOS does use (as usual...) a non-standard format. Can you supply me with a message sniffed off the wire (e.g. via WireShark)? If so, I can try to upgrade the parser to include it.

For details on this effort, see here:

http://blog.gerhards.net/2009/02/callin ... mples.html

Rainer
rgerhards
Site Admin
 
Posts: 3807
Joined: Thu Feb 13, 2003 11:57 am
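
Added example, not part of the thread and not rsyslog code: a simplified Python model of why a legacy (RFC 3164-style) split reports the IOS sequence number as the tag, next to a parser that tries the IOS layout first. The assumed layout (`seq: timestamp: %FACILITY-SEVERITY-MNEMONIC: text`), both sample lines and all function names are constructed for illustration.

```python
import re

# Constructed sample messages (not taken from the capture mentioned in the thread).
BSD_LINE = "<34>Oct 11 22:14:15 gw1 sshd[411]: Failed password for root"
CISCO_LINE = "<189>45: *Mar 12 22:38:01.123: %SYS-5-CONFIG_I: Configured from console by vty0"

PRI = re.compile(r"<(\d{1,3})>")
BSD_HEADER = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ")
CISCO = re.compile(
    r"(?:(?P<seq>\d+): )?"                                   # IOS sequence number
    r"(?P<ts>[*.]?[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d(?:\.\d+)?): "
    r"(?P<tag>%[A-Z0-9_-]+-(?P<sev>\d)-[A-Z0-9_]+): "        # %FACILITY-SEV-MNEMONIC
    r"(?P<msg>.*)", re.S)

def legacy_parse(line):
    """Simplified RFC 3164-style split: PRI, optional 'timestamp host', then the
    first token is the tag. A model of the symptom, not rsyslog's parser."""
    m = PRI.match(line)
    rest = line[m.end():] if m else line
    host = None
    h = BSD_HEADER.match(rest)
    if h:
        host, rest = h.group(1), rest[h.end():]
    tag, _, msg = rest.partition(" ")
    return {"host": host, "tag": tag, "msg": msg}

def cisco_parse(line):
    """Try the IOS layout first; fall back to the legacy split if it does not match."""
    m = PRI.match(line)
    rest = line[m.end():] if m else line
    c = CISCO.fullmatch(rest)
    if not c:
        return legacy_parse(line)
    return {"host": None, "seq": int(c["seq"]) if c["seq"] else None,
            "timestamp": c["ts"], "severity": int(c["sev"]),
            "tag": c["tag"], "msg": c["msg"]}

if __name__ == "__main__":
    for fn in (legacy_parse, cisco_parse):
        for sample in (BSD_LINE, CISCO_LINE):
            print(fn.__name__, fn(sample))
```

With the legacy split the tag for the IOS line comes out as `45:`, which is the behaviour reported in the first post; the IOS-aware parser returns `%SYS-5-CONFIG_I` and keeps the sequence number as its own field.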

Re: Cisco log format

Postby doomraisin » Fri Mar 13, 2009 2:47 pm

rgerhards wrote: That's a parsing problem; Cisco IOS does use (as usual...) a non-standard format. Can you supply me with a message sniffed off the wire (e.g. via WireShark)? If so, I can try to upgrade the parser to include it.

For details on this effort, see here:

http://blog.gerhards.net/2009/02/callin ... mples.html

Rainer


Great. I sent the capture to your gmail account. Thanks!
doomraisin
New
 
Posts: 4
Joined: Thu Mar 12, 2009 10:34 pm

Re: Cisco log format

Postby doomraisin » Wed Mar 18, 2009 1:27 pm

Or, alternatively, if there's a way I could alter an existing parser myself I'd be happy to if you could clue me in on where it is. Thanks!
doomraisin
New
 
Posts: 4
Joined: Thu Mar 12, 2009 10:34 pm

Re: Cisco log format

Postby rgerhards » Wed Mar 18, 2009 2:25 pm

Sorry, I am sluggish again... You can alter the parser, but that's far from being trivial. So far, we do not have a real parser abstraction in rsyslog. But if you'd like to give it a try, watch for "ParseLegaySyslogMessage" (or so...).
rgerhards
Site Admin
 
Posts: 3807
Joined: Thu Feb 13, 2003 11:57 am

Re: Cisco log format

Postby doomraisin » Mon Mar 23, 2009 2:33 pm

rgerhards wrote: Sorry, I am sluggish again... You can alter the parser, but that's far from being trivial. So far, we do not have a real parser abstraction in rsyslog. But if you'd like to give it a try, watch for "ParseLegaySyslogMessage" (or so...).


After poking around, it looks like this is beyond my abilities to figure out at the moment.

If you decide to put together a parser for Cisco logs (which I'm sure would be very useful to many) then please let me know via this forum and I'll revisit the Syslog Appliance. Thanks!
doomraisin
New
 
Posts: 4
Joined: Thu Mar 12, 2009 10:34 pm

Re: Cisco log format

Postby Dino » Fri Oct 15, 2010 9:51 am

You can find a solution for parsing Cisco IOS syslog messages in this post:
post19768.html#p19768
Dino
New
 
Posts: 5
Joined: Fri Oct 15, 2010 9:32 am
