
CiscoRouter via loadbalancer vs deviceAddress and deviceHostName


I have deployed SmartConnector LoadBalancer for syslog sources. 

For an IOS Cisco router I have an issue with this setup because the connector is not recording the IP address of the Cisco router.

Example messages are (<PRI> omitted):

53: Dec 11 15:21:54: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: randomuser] [Source: 10.11.0.11] [localport: 22] at 15:21:54 utc Mon Dec 11 2017

16947: Feb 20 19:40:09: %OSPF-5-ADJCHG: Process 1, Nbr 10.168.211.155 on Tunnel27 from FULL to DOWN, Neighbor Down: Dead timer expired

After adding origin-id ip in the router config it is something like this:

53: 192.168.0.1 Dec 11 15:21:54: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: randomuser] [Source: 10.11.0.11] [localport: 22] at 15:21:54 utc Mon Dec 11 2017

16947: 10.168.211.1: Feb 20 19:40:09: %OSPF-5-ADJCHG: Process 1, Nbr 10.168.211.155 on Tunnel27 from FULL to DOWN, Neighbor Down: Dead timer expired

Both formats are grabbed by the CiscoRouter parser, but the IP address of the device is not parsed out, so I have the loadbalancer outbound IP in my normalized events as deviceAddress. Enabling addition of the syslog header on the loadbalancer does not help because then the NX-OS parser is grabbing the events, causing wrong parsing.

Has anyone implemented Loadbalancer with Cisco routers as a source? Can you share how the LB/Connector/device should be configured to ensure proper parsing of events?

Best regards,

Arek

Accepted Solutions
I doubt the CiscoRouter parser is designed to extract that field. I would recommend maybe trying to use an additionalregexparser on the rawEvent to extract and map that IP address to a field.

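Added example (not part of the original posts and not ArcSight parser configuration): a Python check of the kind of regular expression the accepted answer suggests applying to rawEvent, run against the sample messages from the question. The function names and the load balancer address 192.0.2.10 are assumptions made for illustration.

```python
import ipaddress
import re

# Matches only the message header, so addresses in the body
# ("Source: 10.11.0.11", "Nbr 10.168.211.155") are never mistaken for the device.
HEADER = re.compile(
    r"""^(?:<\d{1,3}>)?                      # optional syslog <PRI>
        \s*(?:\d+:\s+)?                      # optional IOS sequence number
        (?P<origin>\d{1,3}(?:\.\d{1,3}){3})  # origin-id IPv4 address
        :?\s+                                # colon after it is optional
        \*?[A-Z][a-z]{2}\s+\d{1,2}\s         # start of timestamp, e.g. Dec 11
    """,
    re.VERBOSE,
)

def extract_origin_ip(raw_event):
    """Return the origin-id address from the header, or None if absent/invalid."""
    m = HEADER.match(raw_event)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group("origin")))
    except ValueError:  # e.g. 999.1.1.1 looks like an address but is not one
        return None

def device_address(raw_event, peer_ip):
    """Pick the value for deviceAddress and record where it came from.

    Falls back to the transport peer (the load balancer) when the router
    did not stamp an origin-id, so mis-attributed events can be spotted.
    """
    origin = extract_origin_ip(raw_event)
    return (origin, "origin-id") if origin else (peer_ip, "peer")

LB_IP = "192.0.2.10"  # constructed placeholder for the load balancer outbound IP
SAMPLES = [  # messages copied from the question above
    "53: Dec 11 15:21:54: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: randomuser] [Source: 10.11.0.11] [localport: 22]",
    "53: 192.168.0.1 Dec 11 15:21:54: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: randomuser] [Source: 10.11.0.11] [localport: 22]",
    "16947: 10.168.211.1: Feb 20 19:40:09: %OSPF-5-ADJCHG: Process 1, "
    "Nbr 10.168.211.155 on Tunnel27 from FULL to DOWN",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(device_address(line, LB_IP), line[:45])
```

Events that come back tagged "peer" are the ones still attributed to the load balancer, which makes them easy to count after the router change.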
Hi Arek,

  I haven't deployed CiscoRouter but I have received syslog events from other Cisco devices via loadbalancer.

  These devices send syslog events without timestamps or IP-address information. The loadbalancer is working in scan mode and adds them to the event.

  I hope this helps.

Javi.

The issue is that for CiscoRouter, if I enable always or scan, then the incorrect parser is selected (for NX-OS), both with and without the IP address in the message header generated by the router. It's a little bit surprising. I will investigate further whether scan mode can fix that issue with additional settings on the connector.
