| 11 Dec 2023 |
 bazsi77 | Thanks a lot for the samples. | 18:53:07 |
 _exseven | Thanks! | 18:54:49 |
|  matrix-t2bot changed their profile picture. | 19:38:33 |
| 13 Dec 2023 |
| _exseven | I have another one where date is sent with TZ in abbv. which can cause the TZ to be picked up as the $HOST, but im going to give it a go to fix... and i found why hostname isnt sending. On cisco switch/route the default is no logging origin-id so a hostname is not in the event message | 20:21:01 |
| bazsi77 | And if you enable it that would be an extra field? | 21:13:33 |
| _exseven | yes ill enable and compare, i dont think ill get our network folks to enable it on the device but i can atleast show difference | 23:39:22 |
| _exseven | * yes ill enable and compare, i dont think ill get our network folks to enable it on the production devices but i can atleast show difference | 23:39:31 |
| 14 Dec 2023 |
|  koroslak joined the room. | 10:12:57 |
| 15 Dec 2023 |
|  haxodon_35576 joined the room. | 20:33:30 |
| 16 Dec 2023 |
| bazsi77 | _exseven if you can share the sample, I'd be grateful for that too. | 13:19:38 |
| 18 Dec 2023 |
| _exseven | {
"TAGS": [
".app.cisco",
".source.net_src"
],
"SOURCEIP": "192.168.1.2",
"SOURCE": "net_src",
"RAWMSG": "<186>134: Dec 18 10:20:09.527 EST: %SYS-2-USERLOG_CRIT: Message from tty2(user id: nar): TESTING",
"PRIORITY": "crit",
"MESSAGE": "%SYS-2-USERLOG_CRIT: Message from tty2(user id: nar): TESTING",
"HOST_FROM": "192.168.1.2",
"HOST": "EST",
"FACILITY": "local7",
"DATE": "Dec 18 10:20:09.527",
"3": ".527",
"1": "Dec 18 10:20:09.527",
"0": "Dec 18 10:20:09.527"
}
| 15:21:57 |
| _exseven | so <sequence 134> <Date w/ Timezone (EST)>: <cisco stuff>: <message> | 15:22:53 |
| _exseven | * so <sequence 134>: <Date w/ Timezone (EST)>: <cisco stuff>: <message> | 15:23:00 |
| _exseven | the logging config is minimal too for these device types (IOS-XE) | 15:23:56 |
| _exseven | this is default syslog config too | 15:25:57 |
| _exseven | was thinking of updating the lookahead on the time to include ^(?:(?:[A-Za-z_\-]+\/[A-Za-z_\-]+(?:\/[A-Za-z_\-]+)?)|(?:Etc\/[A-Za-z0-9+\-]+(?:\/[A-Za-z0-9]+)?|(?:CET|CST6CDT|EET|EST|EST5EDT|MET|MST|MST7MDT|PST8PDT|HST)))$ (stolen from stack overfglow) | 15:28:38 |
| _exseven | * was thinking of updating the lookahead on the time to include ^(?:(?:[A-Za-z_\-]+\/[A-Za-z_\-]+(?:\/[A-Za-z_\-]+)?)|(?:Etc\/[A-Za-z0-9+\-]+(?:\/[A-Za-z0-9]+)?|(?:CET|CST6CDT|EET|EST|EST5EDT|MET|MST|MST7MDT|PST8PDT|HST)))$ (stolen from stack overflow) | 15:28:41 |
| _exseven | first bit might erroneously match forwarded/combined hostnames so will need to be removed and jsut changed for shortforms | 15:31:01 |
| _exseven | * first bit might erroneously match forwarded/combined hostnames so will need to be removed and jsut changed for shortforms and update for everyone thats missing | 15:33:33 |
| bazsi77 | Maybe this is a : separated list of fields after all? Question is if it is possible to determine the order of these fields. | 15:44:10 |
| 19 Dec 2023 |
|  tru64guru_78072 joined the room. | 14:01:44 |
|  sdesbure joined the room. | 15:05:05 |
|  pafchuimort joined the room. | 18:14:18 |
| _exseven | i think generally for wireless, ios and ios-xe its seq no:timestamp: %facility-severity-MNEMONIC:description and for ios-xr its seq: node-id : timestamp : process-name [pid] : % message category -group -severity -message -code : message-text | 18:49:08 |
| _exseven | doesnt send hostname unless specifically configured to | 18:49:12 |
| _exseven | https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/711x/system-monitoring/configuration/guide/b-system-monitoring-cg-asr9000-711x/implementing-logging-services.html | 18:49:16 |
| _exseven | https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-1/configuration_guide/sys_mgmt/b_171_sys_mgmt_9300_cg/configuring_system_message_logs.html | 18:49:29 |
| _exseven | which might conflict with the previous ones you had for ASA/FirePower that i guess send hostname? | 18:51:17 |
| 22 Dec 2023 |
|  dipak_49549 joined the room. | 07:22:37 |
|  dipak140 joined the room. | 07:26:42 |
