11 Dec 2023 |
bazsi77 | if we otherwise extract this into $HOST, would you use this pattern RP/0/RP[0-9]/CPU[0-9] to identify this data? | 18:09:11 |
_exseven | Yes, it would probably suit being in cisco.cpu_module or something | 18:09:53 |
_exseven | CLC [0-9]/0 too | 18:11:29 |
bazsi77 | in the same field? | 18:11:50 |
bazsi77 | I think they are reusing the origin field for this purpose. Anyway, if such a message is coming, is it a correct assumption that $HOST should be the sending IP/reverse DNS hostname? | 18:13:47 |
_exseven | Yes | 18:13:49 |
bazsi77 | can you have more digits in RP/? and CLC? | 18:20:38 |
bazsi77 | and do you happen to have a reference to the device/product in question? a documentation link would be great but if all else a product page works too | 18:24:07 |
_exseven | Sure, the CLC comes from a CBR8 running IOS-XE 16.x and 17.x | 18:25:58 |
_exseven | RP is from IOS-XR 7.x NCS5500 and asr9922 | 18:28:12 |
bazsi77 | I have this running locally, but can you give me a sample for CLC so I can include it in the samples? | 18:28:44 |
bazsi77 | I mean complete line. Just to make sure I found the right spots to match on. | 18:29:00 |
_exseven | <187>3408: CLC 6/0: Dec 11 13:31:14.214 EST: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: XXXXXXXX) has expired. Validity period ended on 2025-01-23T00:00:00Z | 18:32:42 |
bazsi77 | that was useful thanks, I got it wrong | 18:35:31 |
_exseven | To be honest, I don't even think Cisco sends a $HOST, and I just always pull from DNS | 18:37:42 |
bazsi77 | I have this sample: <#164>Aug 08 16:58:18 DEVICE123 : %FTD-4-106023: test cisco asa | 18:38:36 |
bazsi77 | and this: 166>2022-02-16T15:31:53Z na-zy-int-fp1140-p02 : %FTD-6-305012: Teardown dynamic TCP translation from FOO-WAN_IN:10.44.60.80/59877 to FOO-OUTSIDE:6.7.8.9/598 | 18:38:53 |
bazsi77 | logging origin-id | 18:39:23 |
_exseven | Ah, weird that ASA would send it but not IOS | 18:42:06 |
_exseven | ASA/FirePower is probably the only thing we don't have deployed | 18:42:38 |
bazsi77 | https://github.com/syslog-ng/syslog-ng/pull/4749 | 18:44:31 |
bazsi77 | I have added the new value to .cisco.cpu_module | 18:44:59 |
bazsi77 | the HOST is not populated in this case, so should remain the same as it was set to before the parser | 18:45:18 |
_exseven | ok | 18:45:36 |
_exseven | I think it gets set to the timezone with our date config 🙂, at least when I push the line via nc | 18:46:02 |
_exseven | in my initial 4.4 testing | 18:46:41 |
bazsi77 | I had this config: | 18:48:05 |
bazsi77 | @include 'scl.conf'
log {
source { tcp(port(2000) flags(no-parse)); };
parser { cisco-parser(); };
destination { stdout(template("$ISODATE $HOST $(format-json .cisco.*) $MSG\n")); };
}; | 18:48:12 |
bazsi77 | and it gave me this output as I sent your sample:
2023-12-11T12:43:29+00:00 localhost {"_cisco":{"severity":"3","mnemonic":"AUTH_FAIL","facility":"SNMP-SNMP","cpu_module":"RP/0/RP0/CPU0"}} %SNMP-SNMP-3-AUTH_FAIL : Received snmp request on unknown community from 0.0.0.0 | 18:48:38 |
bazsi77 | but of course you are free to use the template language to format it however you like. I am not sure about your destination/backend where you want this to end up | 18:49:20 |