OK, the rawmsg field is telling us that the body of the message sent by the
device is a bunch of nonsense (control characters with a lot of nulls),
so the problem is on the sending side, not on the rsyslog side. Look at your
options there.
David Lang
On Thu, 21 Mar 2024, Pedro Caetano via rsyslog wrote:
Date: Thu, 21 Mar 2024 12:34:43 +0000
From: Pedro Caetano via rsyslog <rsyslog@lists.adiscon.com>
To: rsyslog@lists.adiscon.com
Cc: Pedro Caetano <pedrocaet...@binaryflows.com>
Subject: [rsyslog] question: decoding cisco syslog messages using pmciscoios
Hi,
This is the output generated:
Debug line with all properties:
FROMHOST: '172.26.0.31', fromhost-ip: '172.26.0.31', HOSTNAME:
'172.26.0.31', PRI: 43,
syslogtag '', programname: '', APP-NAME: '-', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Mar 21 12:03:20', STRUCTURED-DATA: '-',
msg: '<43>934417: SWPABB1ACCP01: [syslog@9 #000�#034#003H
#017���#034#003H #017�#001#001L#001�#000#000�#034#003�
#010�#001#001K#005�#000#000#001)#000#000�#001#000#000#000#000#000#000#000#000��#000#000#000#000�ͫ�#000#000#000#001#000#017#013�3#000#000#000#016#000#003#000#036#000#023#005�#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#00'
escaped msg: '<43>934417: SWPABB1ACCP01: [syslog@9 #000�#034#003H
#017���#034#003H #017�#001#001L#001�#000#000�#034#003�
#010�#001#001K#005�#000#000#001)#000#000�#001#000#000#000#000#000#000#000#000��#000#000#000#000�ͫ�#000#000#000#001#000#017#013�3#000#000#000#016#000#003#000#036#000#023#005�#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#00'
inputname: imtcp rawmsg: '<43>934417: SWPABB1ACCP01: [syslog@9
#000�#034#003H #017���#034#003H #017�#001#001L#001�#000#000�#034#003�
#010�#001#001K#005�#000#000#001)#000#000�#001#000#000#000#000#000#000#000#000��#000#000#000#000�ͫ�#000#000#000#001#000#017#013�3#000#000#000#016#000#003#000#036#000#023#005�#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000'
$!:
$.:
$/:
Below is the configuration in place:
$DebugFile /var/log/rsyslogdebug.log
$DebugLevel 2
template(name="RSYSLOG_DebugFormat" type="list") {
  constant(value="Debug line with all properties:\nFROMHOST: '")
  property(name="fromhost")
  constant(value="', fromhost-ip: '")
  property(name="fromhost-ip")
  constant(value="', HOSTNAME: '")
  property(name="hostname")
  constant(value="', PRI: '")
  property(name="pri")
  constant(value=",\nsyslogtag '")
  property(name="syslogtag")
  constant(value="', programname: '")
  property(name="programname")
  constant(value="', APP-NAME: '")
  property(name="app-name")
  constant(value="', PROCID: '")
  property(name="procid")
  constant(value="', MSGID: '")
  property(name="msgid")
  constant(value="',\nTIMESTAMP: '")
  property(name="timereported")
  constant(value="', STRUCTURED-DATA: '")
  property(name="structured-data")
  constant(value="',\nmsg: '")
  property(name="msg")
  constant(value="'\nescaped msg: '")
  property(name="msg" controlcharacters="drop")
  constant(value="'\ninputname: ")
  property(name="inputname")
  constant(value=" rawmsg: '")
  property(name="rawmsg")
  constant(value="'\n$!:")
  property(name="$!")
  constant(value="\n$.:")
  property(name="$.")
  constant(value="\n$/:")
  property(name="$/")
  constant(value="\n\n")
}
#Modules
module(load="imtcp")
module(load="pmciscoios")
#Inputs
input(type="imtcp" port="20514" ruleset="rsyslogswitchs")
#Parsers
parser(name="custom.ciscoios.withOrigin" type="pmciscoios" present.origin="on")
#Rules
ruleset(name="rsyslogswitchs" parser="custom.ciscoios.withOrigin") {
  *.* /var/log/remote-syslog/testesw3.log;RSYSLOG_DebugFormat
}
Best,
Pedro
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
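As an added illustration of the diagnostic used in the reply above (this is not code from the thread or from the rsyslog project): a small Python script that takes a rawmsg string as printed by RSYSLOG_DebugFormat, undoes rsyslog's "#" plus three-octal-digit escaping of control characters, and measures how much of the body after the PRI consists of NUL/control bytes. If most of the body is control bytes, no parser (pmciscoios included) can be expected to decode it and the sender is at fault; if the body is text, the parser configuration is the next thing to check. Both sample inputs are constructed: one is a shortened version of the garbled payload shown in the debug output, the other a well-formed Cisco-style line using the same hostname. The 10% threshold and the verdict labels are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Optional

# rsyslog writes control characters in msg/rawmsg as '#' followed by
# three octal digits (e.g. #000 for NUL, #034 for 0x1C).
ESCAPE_RE = re.compile(r"#([0-7]{3})")
# Syslog PRI field at the start of the frame: <facility*8+severity>
PRI_RE = re.compile(r"^<(\d{1,3})>")


def unescape_rsyslog(text: str) -> bytes:
    """Turn rsyslog's #ooo escapes back into the bytes the device actually sent.

    Everything that is not an escape is encoded as UTF-8; the U+FFFD replacement
    characters that appear in the debug log stay as replacement characters.
    Note: a literal '#' followed by three octal digits in real text would also
    be decoded, which is the same ambiguity the debug output itself has.
    """
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(text):
        out += text[pos:m.start()].encode("utf-8", "replace")
        out.append(int(m.group(1), 8))
        pos = m.end()
    out += text[pos:].encode("utf-8", "replace")
    return bytes(out)


def is_control(b: int) -> bool:
    """Control byte other than the whitespace a text message may legitimately carry."""
    return (b < 0x20 and b not in (0x09, 0x0A, 0x0D)) or b == 0x7F


@dataclass
class RawMsgReport:
    pri: Optional[int]
    facility: Optional[int]
    severity: Optional[int]
    body_len: int
    nul_bytes: int
    control_bytes: int
    verdict: str  # "no-pri", "sender-corrupt" or "text" (labels chosen for this example)


def analyse_rawmsg(escaped: str, max_control_ratio: float = 0.10) -> RawMsgReport:
    """Classify a rawmsg string copied from RSYSLOG_DebugFormat output."""
    m = PRI_RE.match(escaped)
    pri = int(m.group(1)) if m else None
    facility = pri // 8 if pri is not None else None
    severity = pri % 8 if pri is not None else None

    body = unescape_rsyslog(escaped[m.end():] if m else escaped)
    nul = body.count(0)
    control = sum(1 for b in body if is_control(b))
    ratio = control / len(body) if body else 0.0

    if pri is None:
        verdict = "no-pri"
    elif ratio > max_control_ratio:
        verdict = "sender-corrupt"
    else:
        verdict = "text"
    return RawMsgReport(pri, facility, severity, len(body), nul, control, verdict)


# Constructed sample inputs (not captured from a real device).
# Shortened version of the garbled payload from the debug output above:
CONSTRUCTED_BAD = (
    "<43>934417: SWPABB1ACCP01: [syslog@9 "
    "#000#034#003H #017#001#001L#001#000#000#000#000#000#000#000#000"
)
# A well-formed Cisco-style line with the same hostname (local7.notice):
CONSTRUCTED_GOOD = (
    "<189>12345: SWPABB1ACCP01: %LINK-3-UPDOWN: "
    "Interface GigabitEthernet1/0/1, changed state to up"
)

if __name__ == "__main__":
    for sample in (CONSTRUCTED_BAD, CONSTRUCTED_GOOD):
        print(analyse_rawmsg(sample))
```

Feed it the rawmsg value the template above already captures; a "sender-corrupt" verdict means the device-side logging settings (or the transport producing the frame) need attention before any parser tuning on the rsyslog side.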