SYSLOG message format modification

darren.g
Level 5

Hi.

I'm trying to setup an open source SYSLOG message management solution to allow me to easily browse/manage/notify messages coming out of my routers and switches.

I've installed a product called Graylog2 which appears to tick all the boxes, but I've hit a hitch.

It appears the syslog message format coming from the Ciscos isn't recognised properly by the application, resulting in invalid data.

I've got the following config on my test router, which outputs to syslog fine:

service timestamps log datetime msec
logging enable
logging trap debugging
logging origin-id hostname
logging facility local6
logging source-interface GigabitEthernet1/0.3
logging 10.100.1.111

This results in messages in the following format

Aug 26 08:38:13 10.50.12.253 582: R1: Aug 25 22:36:55.135: %SYS-5-CONFIG_I: Configured from console by darren on vty0 (10.50.12.131)

What I need to do, I believe, is figure out how to manipulate the format of this output if I can, and delete the second set of time/date parameters, so it looks like this:

Aug 26 08:38:13 10.50.12.253 582: R1: %SYS-5-CONFIG_I: Configured from console by darren on vty0  (10.50.12.131)

Does anyone know how I can make this work?

Alternately, does anyone know if IOS 15.2.1 supports AMQP (Advanced Message Queueing Protocol) for logging?

Thanks.

Accepted Solution

Dan Frey
Cisco Employee

Execute: no service timestamps log datetime msec

and see if that removes the second timestamp in the log message.

Dan

4 Replies

dafrey wrote:

Execute: no service timestamps log datetime msec

and see if that removes the second timestamp in the log message.

Dan

hi Dan.

Thanks - your suggestion worked, the product didn't. :-) I gave up and am just trolling through text logs for now.

Thanks again.

Cheers.

Hi All,

How can I get the device IP address in the log message? I am using the syslog4j-grey library to parse the Cisco syslog messages. Is it possible to get the device IP from the message which is shown in the syslogd native service logs console?

Sep 27 22:17:44 10.90.12.13 2872: Sep 28 05:17:54.020: %SSH-5-SSH2_USERAUTH: User '*****' authentication for SSH2 Session from 10.19.15.12 (tty = 0) using crypto c


@viswa9582 wrote:

Hi All,

How can I get the device IP address in the log message? I am using the syslog4j-grey library to parse the Cisco syslog messages. Is it possible to get the device IP from the message which is shown in the syslogd native service logs console?

Sep 27 22:17:44 10.90.12.13 2872: Sep 28 05:17:54.020: %SSH-5-SSH2_USERAUTH: User '*****' authentication for SSH2 Session from 10.19.15.12 (tty = 0) using crypto c


Hi,

Use the logging source-interface X and logging origin-id ip commands to send logs from interface X, which will also be the origin-id in the log message. Then you can parse this field from the log message.

Personally, when I used Graylog2, I got logs in raw data format. Then you can use Java regular expression skills and parse whatever you want :) (this is why I like open source softs sometimes). Because Cisco (as I know) does not send logs exactly how the RFC requires, some softs cannot parse log fields properly.

regards,

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
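The regex-parsing approach suggested in this last reply, as an added example that is not code from the thread, from Graylog2 or from syslog4j (Python here rather than Java): one pattern that handles the lines quoted above both with and without the IOS-side timestamp and the origin-id, and falls back to the sending address from the syslog header when no origin-id is present. The field names (sender, origin, dev_ts, device) are my own choice.

```python
import re
from typing import Optional

# One pattern for both shapes seen in the thread: the receiver's BSD header
# (timestamp + sending address), the IOS sequence number, an optional origin-id
# ("logging origin-id hostname|ip"), an optional IOS-side timestamp (present only
# while "service timestamps log ..." is set), then %FACILITY-SEVERITY-MNEMONIC: text.
CISCO_SYSLOG_RE = re.compile(
    r"^(?P<recv_ts>[A-Z][a-z]{2}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<sender>\S+) "
    r"(?:(?P<seq>\d+): )?"
    r"(?:(?P<origin>[^:%\s]+): )?"
    r"(?:(?P<dev_ts>[*.]?[A-Z][a-z]{2}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}"
    r"(?:\.\d{3})?(?: [A-Z]{3,4})?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

# Sample input: the lines quoted in the thread (the third is truncated as posted).
THREAD_LINES = [
    "Aug 26 08:38:13 10.50.12.253 582: R1: Aug 25 22:36:55.135: %SYS-5-CONFIG_I: "
    "Configured from console by darren on vty0 (10.50.12.131)",
    "Aug 26 08:38:13 10.50.12.253 582: R1: %SYS-5-CONFIG_I: "
    "Configured from console by darren on vty0 (10.50.12.131)",
    "Sep 27 22:17:44 10.90.12.13 2872: Sep 28 05:17:54.020: %SSH-5-SSH2_USERAUTH: "
    "User '*****' authentication for SSH2 Session from 10.19.15.12 (tty = 0) using crypto c",
]


def parse_cisco_syslog(line: str) -> Optional[dict]:
    """Return the fields of one Cisco IOS syslog line, or None when it does not
    match, so the caller can count unparsed lines instead of silently dropping them."""
    m = CISCO_SYSLOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["seq"] = int(rec["seq"]) if rec["seq"] is not None else None
    # Device identity: the origin-id when the router sends one, otherwise the
    # sending address from the syslog header (the field viswa9582 asked about).
    rec["device"] = rec["origin"] or rec["sender"]
    return rec


def parse_thread_lines() -> list:
    """Parse every sample line; a None in the result marks a line to inspect."""
    return [parse_cisco_syslog(line) for line in THREAD_LINES]
```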
