cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1754
Views
0
Helpful
8
Replies

CiscoWorks LMS 4.1, syslog analyzer parsing non-Cisco device.

andrea.meconi
Level 2
Level 2

Hello.

Can Syslog Analyzer parse syslog messages coming from a Non-Cisco device?

I'm trying to parse message from a HP Virtual Connect module without success.

Thanks.

Andrea

8 Replies 8

Martin Ermel
VIP Alumni
VIP Alumni

No it cannot.

It is necessary that the syslog messages are in Ciscos' EMBLEM format to get picked up by the Syslog Collector and be forwarded to the Syslog Ananlyzer process. Other vendors typically do not send syslog messages in this format (I do not know if any is doeing so...) Also some security devices from Cisco itself explicitely have to be configured to send syslogs in EMBLEM format.

You can use another syslog server which supports more message formats and let your devices send to both destinations.

Hello Martin and many thanks for your help.

There is a way to convert messages to this format?

Regards.

Andrea

I do not know of a command on HP devices to let them send syslog messages in EMBLEM format;

the format is as follows:

    %FACILITY-SEVERITY-MNEMONIC: Message-text

here is some more information on the format:

    http://www.cisco.com/en/US/docs/switches/lan/catalyst5000/catos/4.5/system/messages/edesc.html

and on syslog management solutions in general:

     http://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-557812.html

Before trying to convert the messages myself (e.g with a parser) I would set up a seperate syslog server.

Hi Andrea,

You could use syslog-ng to write a generic mnemonic into the message and forward it to LMS.

Something like:

syslog-ng->add fac-sev-mne: message->lms

However, I would also caution you that LMS is *not* meant to be a "syslog" manager - there are usually way to many syslog messages in most environments for it to handle that many - which is why most syslog managers are standalone servers.

In order to make sure that the NMS systems that syslog-ng forward messages to receive the correct source, syslog-ng needs to be compiled with the source spoof option. This will allow messages received on other NMS’s (such as LMS) to appear to come from the original devices rather than from the syslog-ng server.

Compiling from source:

Install the syslog-ng prerequisites from Balabit

You must configure syslog-ng with --enable-spoof-source in order to enable the spoof source feature (which is disabled by default).

./configure --enable-spoof-source

make && make install

If you run into any issues during the installation, you can refer to the syslog-ng forum  or you can refer to the syslog-ng knowledge base

Lastly, here's a great paper on syslog management:

Building Scalable Syslog Management Solutions

Many many thanks for you help Clayton.

I'm trying to run syslog-ng on same LMS box. I need to compile using Cygwin but I have some problems.

Any ideas?

Regards.

Andrea

I've not tried it in Cygwin before, are you unable to procure (even a very small, as in laptop even) linux server?

You may also try the syslog-ng mailing list at https://lists.balabit.hu/mailman/listinfo/syslog-ng, they are very helpful.

Also, I would highly recommend you consider building a good syslog manager like LogZilla (mentioned in that whitpaper) as it is much more suitable for proactive analysis (charts, searching, email alerts, etc.).

There's a live demo of it running here and there's even a ready2run virtual machine on the main website so you could have it running in no time.

Hello Clayton.

I cannot add a new machine... I'm trying the mailing list.

Regards.

Andrea

Hello Clayton.

Using a Linux box, I can modify the syslog message and forward to LMS.

We can realize an automatic action to run a script using Syslog Analyzer.

Now I try to compile syslog-ng into Cygwin.

Best regards.

Andrea

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: