Unparsed Event; CISCO NX-OS; syslog 7.0.2
My syslog 7.0.2 connector recently started getting "Unparsed Event" in the stream to ESM from a host reporting as CISCO, and it used to work correctly, i.e. 4 weeks ago I was getting "built outbound UDP connection" events correctly, then 2 weeks ago it changed to "Unparsed Event" with the built UDP in the message field. I recall there was a log option on the Cisco side that would cause this, something about the format being compressed/terse or relaxed/verbose or something along those lines?
Is this familiar to anyone?
Is there a chance that the CISCO host was upgraded and the version of its software has changed?
Your question on the log format from the device is also a good one; I hope someone with more Cisco experience has some advice.
Had this problem with ASA after we upgraded our connectors.
These events began reporting name=Unparsed Event and deviceProduct=NX-OS. The fix was to log into the ASA and remove the "emblem" option for logging. We now receive these events correctly.
I would recommend verifying the device type associated with the device address. If it is an ASA, have the logging configuration on the ASA verified to be sure it does not include the "emblem" parameter.
I had this same issue. After turning off emblem format on the Cisco side, I cleared the device specific entries in syslog.properties and restarted the connector. All is well.
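An added example, not part of any post in this thread: a small Python check that scans ASA logging configuration text for the two places EMBLEM format can be enabled (a global `logging emblem` line, or `format emblem` on a `logging host` line), which is the option the replies above say to remove. The sample configuration, addresses and function name are constructed for illustration.

```python
import re

# Constructed sample of ASA logging configuration lines (not taken from the thread).
SAMPLE_CONFIG = """\
logging enable
logging timestamp
logging emblem
logging trap informational
logging host inside 192.0.2.10 format emblem
logging host inside 192.0.2.11
logging host dmz 192.0.2.12 udp/514 format emblem
"""

HOST_RE = re.compile(r"^logging host (?P<iface>\S+) (?P<ip>\S+)(?P<rest>.*)$")
EMBLEM_RE = re.compile(r"\s*\bformat emblem\b")


def find_emblem_settings(config_text):
    """Return (line_no, current_line, desired) for each line that enables EMBLEM.

    desired is "no logging emblem" for the global setting, or the same
    logging host line with "format emblem" dropped.
    """
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = " ".join(raw.split())          # normalise whitespace
        if line.startswith("no "):            # already negated, nothing to flag
            continue
        if line == "logging emblem":
            findings.append((line_no, line, "no logging emblem"))
            continue
        match = HOST_RE.match(line)
        if match and EMBLEM_RE.search(match.group("rest")):
            findings.append((line_no, line, EMBLEM_RE.sub("", line)))
    return findings


if __name__ == "__main__":
    for line_no, current, desired in find_emblem_settings(SAMPLE_CONFIG):
        print(f"line {line_no}: {current!r} -> {desired!r}")
```
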
Having said that, are we supposed to remove the "emblem" option for logging on the CISCO NX-OS end?
It is a bit urgent, appreciate quick response on this.
It did not work again!
It is a Windows server on which I have installed the Syslog Smartconnector. Tried to restart the services for the Smartconnector after deleting Syslog.properties file. However, I can see the Unparsed events only.
Please suggest if we need to build a custom parser or the above process would suffice.
Probably "Unparsed events" in the name column means it read the parser file but did not match the relevant regex. I think the log format has deviated from the standard.
Please double-check the connector type.
If everything is correct and the issue is still the same, then you need to write a parser file.