PatternDB parser for Cisco Logs


Garett Murphy

Sep 12, 2012, 3:07:33 PM
to enterprise-log-s...@googlegroups.com
The existing work done on logs from Cisco devices is amazing.  However, I am looking for a little help in getting a certain aspect changed or improved/expanded on.

Here's an example of a piece of log data:

Sep  1 12:53:14: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to down

The part I am concerned with is this snippet:

%LINEPROTO-5-UPDOWN:

Currently when parsed, ELSA deems this to be the program that the log is being generated from, however there is more to it than that.  The syslog message structure is as follows:

facility-severity-MNEMONIC:description

The facility is the program or other service that sent the log message.
The severity is the logging level at which the message was sent (usually a number 0-7).
The Mnemonic is a unique identifier for the type of error message.
The description is the full description and the main data of the error log.

So in this case, the Facility (could be called program) is

Ideally what we would like to do is break this up into these three pieces.

Any chance I can get some help in splitting these up?

Thanks in advance!

Martin Holste

Sep 12, 2012, 5:34:08 PM
to enterprise-log-s...@googlegroups.com
Ok, so we're looking for a new log class, Cisco, which will have those
three fields, right? I think I can do this with
yet-another-program-rename in the syslog-ng.conf. I would synthesize
new text in at the end of the natural message, so your log would end
up looking like this:

Sep 1 12:53:14: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to down|LINEPROTO|5|UPDOWN

Then, if all goes to plan, a patterndb parser could grab those and use
them as fields so they're indexed properly and you can do real
reporting on them.

So, would you be willing to have your messages cluttered a bit at the
end if it means you can report on those mnemonics?
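A small parser for the facility-severity-MNEMONIC structure described in the first post, plus the "append |FACILITY|SEV|MNEMONIC to the message" rewrite proposed above. This is an added example and not code from the thread, ELSA or syslog-ng; all sample lines except the first are constructed, and the field names are assumptions.

```python
import re

# Cisco IOS/ASA style token inside a syslog line: %FACILITY-SEVERITY-MNEMONIC: description
# Facility and mnemonic names may contain underscores; ASA mnemonics are numeric
# (e.g. %ASA-6-302013), so both are matched as [A-Z0-9_]+ rather than letters only.
CISCO_MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<description>.*)$"
)

# Constructed sample input (only the first line comes from the thread).
SAMPLE_LINES = [
    "Sep  1 12:53:14: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to down",
    "000123: *Sep  1 12:53:20.101 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "Sep  1 12:54:02 fw01 : %ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/443 to inside:10.0.0.5/51000",
    "Sep  1 12:55:00: sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 51001 ssh2",
]


def parse_cisco(line):
    """Split one line into prefix/facility/severity/mnemonic/description.

    Returns None when the line carries no %FAC-SEV-MNEMONIC: token, so a caller
    can fall back to the generic syslog parser instead of mis-filing the event.
    Sequence numbers and timestamps before the '%' are kept verbatim in 'prefix'.
    """
    m = CISCO_MSG_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    fields["prefix"] = line[: m.start()].rstrip()
    return fields


def to_patterndb_form(line):
    """Apply the rewrite proposed in the thread: append |FACILITY|SEV|MNEMONIC so a
    simple patterndb pattern can pick the three fields off the end of the message."""
    f = parse_cisco(line)
    if f is None:
        return line  # non-Cisco lines pass through untouched
    return "%s|%s|%d|%s" % (line, f["facility"], f["severity"], f["mnemonic"])


def count_by_mnemonic(lines):
    """The kind of report the split enables: event counts per facility-severity-mnemonic."""
    counts = {}
    for line in lines:
        f = parse_cisco(line)
        if f is None:
            continue
        key = "%s-%d-%s" % (f["facility"], f["severity"], f["mnemonic"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```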

Garett Murphy

Sep 12, 2012, 6:02:44 PM
to enterprise-log-s...@googlegroups.com
Yeah that would be fine.

Garett Murphy

Sep 14, 2012, 2:17:15 PM
to enterprise-log-s...@googlegroups.com
Martin,

I came across this post on the syslog-ng list, perhaps it would be able to be adapted to ELSA and put into the patterndb?

https://lists.balabit.hu/pipermail/syslog-ng/2010-November/015170.html

I'll be happy to test this with you if you like.

Please advise.

Martin Holste

Sep 14, 2012, 3:20:10 PM
to enterprise-log-s...@googlegroups.com
Ok, now I think the easiest way to deal with it would be to prepend
the program to the msg value, then run a normal patterndb pattern
against the concatenated string. That will change your message,
though. I'll check on the Balabit developer forum to see if anyone
can tell me if you can run patterndb against the program buffer, but I
doubt it.

Garett Murphy

Sep 24, 2012, 2:07:10 PM
to enterprise-log-s...@googlegroups.com
Hi, Martin.

Thanks for your continued help with this.  Any word back from the Balabit Dev Forum on this?

Martin Holste

Sep 24, 2012, 3:50:20 PM
to enterprise-log-s...@googlegroups.com
Yes, there is a feature committed to the 3.4 Alpha that does this, but
I'm discussing with Bazsi about the possibility of a full-blown
cisco-parser() feature which might do more, like take care of the ugly
timestamps we're currently using rewrite() for. So, this is on the
way, but won't be available for at least a month or two.