Absent Member.

Unparsed Event; CISCO NX-OS; syslog 7.0.2

My syslog 7.0.2 connector recently started getting "Unparsed Event" in the stream to ESM from a host reporting as CISCO, and it used to work correctly. I.e., 4 weeks ago I was getting "built outbound UDP connection" events correctly, then 2 weeks ago it changed to "Unparsed Event" with the built UDP in the message field. I recall there was a log option on the Cisco side that would cause this, something about the format being compressed/terse or relaxed/verbose or something along those lines?

Is this familiar to anyone?

0 Likes
Micro Focus Expert

Is there a chance that the CISCO host was upgraded and the version of its software has changed?

Your question on the log format from the device is also a good one; I hope someone with more Cisco experience has some advice.


0 Likes
Lieutenant

Had this problem with ASA after we upgraded our connectors. 

These events began reporting name=Unparsed Event and deviceProduct=NX-OS.  The fix was to log into the ASA and remove the "emblem" option for logging.  We now receive these events correctly.

I would recommend verifying the device type associated with the device address. If it is an ASA, have the logging configuration on the ASA verified to be sure it does not include the "emblem" parameter. 

0 Likes
Lieutenant

I had this same issue.  After turning off emblem format on the Cisco side, I cleared the device specific entries in syslog.properties and restarted the connector. All is well.

0 Likes
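
A quick triage check for the situation described in the replies above, added here as an example and not part of the thread or of any ArcSight tooling: it scans captured raw syslog lines and reports which senders appear to be emitting ASA messages in EMBLEM format. The EMBLEM markers it looks for (a colon directly after the priority field, or a message-class field inside the `%ASA-...` tag) and the sample lines are assumptions constructed for illustration; compare them against a real capture from your device.

```python
import re
from collections import Counter

# Syslog priority field at the start of a line, e.g. "<166>"
PRI = re.compile(r"^<\d{1,3}>")
# Standard ASA tag: %ASA-<severity>-<six-digit message id>
ASA_TAG = re.compile(r"%ASA-(\d)-(\d{6})\b")
# ASSUMPTION: EMBLEM output carries an extra message-class field in the tag
EMBLEM_TAG = re.compile(r"%ASA-([A-Za-z]+)-(\d)-(\d{6})\b")


def classify(line):
    """Return 'emblem', 'standard' or 'other' for one raw syslog line."""
    body = PRI.sub("", line.strip(), count=1)
    if EMBLEM_TAG.search(body):
        return "emblem"
    # ASSUMPTION: EMBLEM also places a ':' immediately after the priority
    if body.startswith(":") and ASA_TAG.search(body):
        return "emblem"
    if ASA_TAG.search(body):
        return "standard"
    return "other"


def senders_using_emblem(records):
    """records: iterable of (source_ip, raw_line) -> {source_ip: emblem_count}."""
    counts = Counter(ip for ip, line in records if classify(line) == "emblem")
    return dict(counts)


# Constructed sample capture (documentation addresses, not real traffic)
SAMPLE = [
    ("192.0.2.10", "<166>Jan 05 2024 10:15:01: %ASA-6-302015: Built outbound UDP "
                   "connection 1001 for outside:198.51.100.7/53 to inside:10.0.0.5/51000"),
    ("192.0.2.20", "<166>:Jan 05 10:15:02 UTC: %ASA-session-6-302015: Built outbound UDP "
                   "connection 1002 for outside:198.51.100.7/53 to inside:10.0.0.6/51001"),
    ("192.0.2.20", "<166>:Jan 05 10:15:03 UTC: %ASA-session-6-302016: Teardown UDP "
                   "connection 1002 for outside:198.51.100.7/53 to inside:10.0.0.6/51001"),
    ("192.0.2.30", "<189>2024 Jan  5 10:15:04 UTC: %ETHPORT-5-IF_UP: Interface "
                   "Ethernet1/1 is up"),
]

if __name__ == "__main__":
    for ip, count in senders_using_emblem(SAMPLE).items():
        print(f"{ip}: {count} EMBLEM-format ASA line(s); check its logging config")
```

Senders flagged here are the ones whose logging configuration should be checked for the "emblem" option before clearing their entries in syslog.properties and restarting the connector.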
Commander

Hi Bryan,

Having said that, are we supposed to remove the "emblem" option for logging on the CISCO NX-OS end?

It is a bit urgent; I would appreciate a quick response on this.

Regards,

Ateesh

0 Likes
Fleet Admiral

Try deleting the syslog.properties file and restarting the connector; it will then pick the correct syslog file.

Mr
0 Likes
Commander

Hi Gayan,

Sorry, it did not work!

Any other suggestions?

Regards,

Ateesh

0 Likes
Fleet Admiral

Did you try to check for log format changes?

It seems your log format has changed.

Mr
0 Likes
Commander

Hi Gayan,

It did not work again!

It is a Windows server on which I have installed the Syslog SmartConnector. I tried to restart the services for the SmartConnector after deleting the Syslog.properties file. However, I can see the Unparsed events only.

Please suggest if we need to build a custom parser or the above process would suffice.

Regards,

Atee

0 Likes
Fleet Admiral

Probably "Unparsed events" in the name column means it read the parser file but the event does not match the relevant regex. I think the log format has deviated from the standard.

Please double-check the connector type.

If everything is correct and the issue is still the same, then you need to write a parser file.

Cheers

Gayan

Mr
0 Likes