Valued Contributor.

Subparser or Mapping of additional field for the Cisco CiscoRouter Parser


Hi All,

In our setup we have some RHEL rsyslog servers receiving all our syslog data, which we then send on to our connectors. Now we have an issue where we are unable to identify where the Cisco CiscoRouter events are coming from.

On our connectors these events are identified as being from our rsyslog server. As far as I have been able to figure out, this is because the Cisco CiscoRouter IOS does not comply with the syslog standards.

So an event from a Cisco CiscoRouter will look like this:
<187>9938930: 9938926: Jan 14 2020 11:44:42.446 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/23, changed state to down

As the above example shows, there is no hostname in the header of the event, so our rsyslog server will try to make sure that the header is correct and send this to our connector:
2020-01-14T12:44:43.195343+01:00 xxx.xxx.xxx.xxx 9938930: 9938926: Jan 14 2020 11:44:42.446 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/23, changed state to down

So now, after our rsyslog has processed the event, we have an IP address that tells us where this event came from; so far so good.

The next issue is that the network guys want to be able to search for either the short hostname or the FQDN, and the task of maintaining DNS records for these devices is too big, so they are now proposing the following format:
<187>9938930: HOSTNAME 9938926: Jan 14 2020 11:44:42.446 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/23, changed state to down

So here is the big question: can we retrieve the HOSTNAME from the event and map it to the deviceHostName field, while the connector is still populating deviceAddress from the corrected syslog header?

Can this be done with mapping files, subparsers or?

We can't have these devices send directly to the connectors, and this would not solve the problem anyway, since the connector is still unable to do the DNS reverse lookup.

Cheers,
Tom
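As an added illustration (not part of Tom's post and not any ArcSight or FlexConnector code), the following Python shows how the two layouts quoted above can be told apart on the connector side: deviceAddress is always taken from the rsyslog-repaired header, while deviceHostName is only filled when the device inserted a hostname after the first sequence number. The address 192.0.2.10, the hostname sw-core-01.example.net and the output field names are assumptions chosen for the example.

```python
import re
from typing import Dict, Optional

# Constructed sample input, modelled on the lines quoted in the post
# (192.0.2.10 and sw-core-01.example.net are placeholders, not thread values).
LINE_WITHOUT_HOST = (
    "2020-01-14T12:44:43.195343+01:00 192.0.2.10 9938930: 9938926: "
    "Jan 14 2020 11:44:42.446 UTC: %LINK-3-UPDOWN: "
    "Interface GigabitEthernet1/0/23, changed state to down"
)
LINE_WITH_HOST = (
    "2020-01-14T12:44:43.195343+01:00 192.0.2.10 9938930: sw-core-01.example.net 9938926: "
    "Jan 14 2020 11:44:42.446 UTC: %LINK-3-UPDOWN: "
    "Interface GigabitEthernet1/0/23, changed state to down"
)

# Header as rewritten by rsyslog: ISO timestamp, then the relay-supplied source address.
HEADER_RE = re.compile(r"^(?P<relay_ts>\S+)\s+(?P<addr>\S+)\s+(?P<body>.*)$")

# IOS body: "<seq>: [HOSTNAME ]<seq>: <timestamp>: %FACILITY-SEV-MNEMONIC: text".
# The optional hostname token is told apart from the second sequence number by
# the colon that follows a sequence number but never follows the hostname.
BODY_RE = re.compile(
    r"^(?P<seq1>\d+):\s+"
    r"(?:(?P<host>[\w.-]+)\s+)?"
    r"(?P<seq2>\d+):\s+"
    r"(?P<dev_ts>[A-Z][a-z]{2} \d{1,2} \d{4} [\d:.]+ [A-Z]+):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<message>.*)$"
)

def parse_forwarded_event(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Map one rsyslog-forwarded IOS line onto ArcSight-style field names (assumed names).

    Returns None when the line matches neither layout, so unparsed lines are visible.
    """
    head = HEADER_RE.match(line)
    if not head:
        return None
    body = BODY_RE.match(head.group("body"))
    if not body:
        return None
    # Split an FQDN so both the short name and the domain are searchable.
    short_name, _, domain = (body.group("host") or "").partition(".")
    return {
        "deviceAddress": head.group("addr"),          # from the repaired syslog header
        "deviceHostName": short_name or None,          # only present in the new format
        "deviceDnsDomain": domain or None,
        "deviceReceiptTime": head.group("relay_ts"),   # relay timestamp, not device time
        "deviceTime": body.group("dev_ts"),
        "deviceSeverity": body.group("severity"),
        "deviceEventClassId": f"{body.group('facility')}-{body.group('severity')}-{body.group('mnemonic')}",
        "message": body.group("message"),
    }
```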

Accepted Solution

Knowledge Partner

Re: Subparser or Mapping of additional field for the Cisco CiscoRouter Parser


If you completely change the format then you will probably have to use a FlexConnector anyway...

So yes, sure you can extract the data somehow. I'd use a FlexConnector or an Override in case you want to use the standard parser as well.

Mapping files... no. You could do it but I guess you do not want to update the mapping file each time there is an updated/new hostname.

Subparser? You mean extraprocessors? Well, the format will not be accepted by the default parser, since you changed it. There is not really a need for an extraprocessor for now.

4 Replies

Micro Focus Contributor

Re: Subparser or Mapping of additional field for the Cisco CiscoRouter Parser


Hi Tom,

What I understand is that DNS resolving is an issue in your environment.

Another option is to change the syslog format on the router. There is an option to include the Hostname or IP of an interface.

(https://community.cisco.com/t5/networking-documents/how-to-configure-logging-in-cisco-ios/ta-p/3132434)


br

Henk-Jan

Valued Contributor.

Re: Subparser or Mapping of additional field for the Cisco CiscoRouter Parser


Hi,

Thanks for your reply.

As I have understood it, these devices cannot be configured to send their syslog messages in an RFC-standardized format, even though they run IOS, hence our problem seen in the first of the syslog lines.

Valued Contributor.

Re: Subparser or Mapping of additional field for the Cisco CiscoRouter Parser


Hi,

Thanks for your reply.

So what I take away from what you are writing is that, in order to do what we want, we need to develop a FlexConnector to handle this extra field.

Cheers,

Tom
