Cisco switch sylog + fluentd syslog input?

[Ryan Anderson]

Has anyone successfully received Cisco Catalyst or Nexus syslogs with fluentd? I am trying to receive syslogs from a Cisco Catalyst switch using this config:

<source>

  @type syslog

  port 2003

  bind 0.0.0.0

  protocol_type udp

  message_format auto

  tag fluentd.syslog.cisco.udp

</source>

<match fluentd.syslog.cisco.**>

  @type stdout

</match>

Fluentd gives this error on every log that gets received, and am unclear how to fix it. I'm used to fluentd not having issues with different syslog formats, so it appears Cisco is doing something non-standard. Ideas? Help!

2018-03-27 16:49:34 -0500 [warn]: #0 failed to parse message data="<187>25845: 192.168.1.200: -Traceback= 1#f75c3d7212dfa24c93f7e895b05b5318   :5496E000+3BB5B00 :5496E000+3BA53E8 :5496E000+3BA5640 :5496E000+3BF19F0 :5496E000+3BB9E14 :5496E000+3BA6AEC :5496E000+3BDC04C :5496E000+3F34CDC"

2018-03-27 16:53:27 -0500 [warn]: #0 failed to parse message data="<187>25846: 192.168.1.200: 020234: Mar 27 16:53:26.156: %SYS-3-CPUHOG: Task is running for (2040)msecs, more than (2000)msecs (15/15),process = SNMP ENGINE."

2018-03-27 16:53:27 -0500 [warn]: #0 failed to parse message data="<187>25847: 192.168.1.200: -Traceback= 1#f75c3d7212dfa24c93f7e895b05b5318   pthread:312AF000+8D8C"

2018-03-27 16:53:27 -0500 [warn]: #0 failed to parse message data="<187>25848: 192.168.1.200: 020235: Mar 27 16:53:26.221: %SNMP-3-CPUHOG: Processing GetBulk of bsnMobileStationCcxVersion"

[Mr. Fiber]

You can see syntax and valid example on RFC.

https://tools.ietf.org/html/rfc5424#section-6

https://tools.ietf.org/html/rfc5424#section-6.5

Your log seems to have invalid header as syslog message.

> <187>25845: 192.168.1.200: -Traceback= 1#f75c3d7212dfa24c93f7e895b05b5318   :5496E000+3BB5B00 :5496E000+3BA53E8 :5496E000+3BA5640 :5496E000+3BF19F0 :5496E000+3BB9E14 :5496E000+3BA6AEC :5496E000+3BDC04C :5496E000+3F34CDC

For example, ':' is invalid after '<PRI>VER' and timestamp is missing.

One idea is using in_udp to receive message and setup specific parser for Cisco's non-standard format.

Masahiro

--
You received this message because you are subscribed to the Google Groups "Fluentd Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fluentd+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Ryan Anderson]

Thanks much for the tip! It lead me to a simple solution which is good enough for my purposes. I am fine with the slight difference between the time a message was created on the source and when it was received as *some* (not all) messages show.

<source>

  @type udp

  port 2003

  bind 0.0.0.0

  tag fluentd.syslog.cisco.udp

  # Set 'source' as the field name for the message source

  source_hostname_key source

  # Using built-in 'none' parser which shoves the whole log into the message field

  # and sets the timestamp to the time the message was received, see:

  # https://docs.fluentd.org/v1.0/articles/parser_none

  format none

</source>

I'm also outputting to an Elasticsearch DB with:

<match fluentd.syslog.cisco.**>

  @type elasticsearch

  # The ES index name before the date suffix

  logstash_prefix cisco_syslog

  # This makes the ES index <logstash_prefix>-YYYY.MM.DD

  logstash_format true

  #host <hostname> #(optional; default="localhost")

  #port <port> #(optional; default=9200)

  # ES type attribute

  type_name cisco_syslog

</match>

This Elasticsearch JSON record snippet shows the output, including the 'source' attribute defined above.

{

  "_index": "cisco_syslog-2018.03.28",

  "_type": "cisco_syslog",

  "_id": "wGnYbWIBsG5FW3qNXDay",

  "_version": 1,

  "_score": null,

  "_source": {

    "message": "<187>27197: 192.168.1.200: 021170: Mar 28 13:21:44.989: %SNMP-3-CPUHOG: Processing GetBulk of bsnMobileStationCcxVersion",

    "source": "192.168.1.200",

    "@timestamp": "2018-03-28T13:21:46.642079098-05:00"

  },

Regards,

RCA

To unsubscribe from this group and stop receiving emails from it, send an email to fluentd+u...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to a topic in the Google Groups "Fluentd Google Group" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/fluentd/rJ6Ngdh-PyU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to fluentd+u...@googlegroups.com.

[Vish]

Hi Ryan, I'm trying to send Cisco CSR logs to fluentd. Can you please let me know if there is any config needed on the router to send logs to fluentd?