Good to hear. If you can identify what in the logging configuration was
different that caused this problem, please post it to the list so that others
can learn from it.
David Lang
On Fri, 22 Mar 2024, Pedro Caetano via rsyslog wrote:
Starting from a minimal configuration on the switch solved the issue.
Thank you for your time and patience.
Best,
Pedro Caetano
On Thu, Mar 21, 2024 at 6:07 PM Pedro Caetano
<pedrocaet...@binaryflows.com> wrote:
I'll strip the configuration to the bare minimum and report back.
Thank you for your patience.
Best,
Pedro
On Thu, Mar 21, 2024 at 1:29 PM David Lang <da...@lang.hm> wrote:
>
> OK, the rawmsg field is telling us that the body of the message sent by the
> device is a bunch of nonsense (control characters with a lot of nulls).
>
> So the problem is on the sending side, not on the rsyslog side. Look at your
> options there.
>
> David Lang
>
> On Thu, 21 Mar 2024, Pedro Caetano via rsyslog wrote:
>
> > Date: Thu, 21 Mar 2024 12:34:43 +0000
> > From: Pedro Caetano via rsyslog <rsyslog@lists.adiscon.com>
> > To: rsyslog@lists.adiscon.com
> > Cc: Pedro Caetano <pedrocaet...@binaryflows.com>
> > Subject: [rsyslog] question: decoding cisco syslog messages using pmciscoios
> >
> > Hi,
> >
> > This is the output generated:
> >
> > Debug line with all properties:
> > FROMHOST: '172.26.0.31', fromhost-ip: '172.26.0.31', HOSTNAME:
> > '172.26.0.31', PRI: 43,
> > syslogtag '', programname: '', APP-NAME: '-', PROCID: '-', MSGID: '-',
> > TIMESTAMP: 'Mar 21 12:03:20', STRUCTURED-DATA: '-',
> > msg: '<43>934417: SWPABB1ACCP01: [syslog@9 #000�#034#003H
> > #017���#034#003H #017�#001#001L#001�#000#000�#0
> > 34#003�
> >
#010�#001#001K#005�#000#000#001)#000#000�#001#000#000#000#000#000#000#000#000��#000#000#000#000�ͫ�#000#000#000#001#000#017#013�3#000#000#000#016#000#003#000#036#000#023#005�#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#00'
> > escaped msg: '<43>934417: SWPABB1ACCP01: [syslog@9 #000�#034#003H
> > #017���#034#003H #017�#001#001L#001�#000#000�#034#003�
> >
#010�#001#001K#005�#000#000#001)#000#000�#001#000#000#000#000#000#000#000#000��#000#000#000#000�ͫ�#000#000#000#001#000#017#013�3#000#000#000#016#000#003#000#036#000#023#005�#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#00'
> > inputname: imtcp rawmsg: '<43>934417: SWPABB1ACCP01: [syslog@9
> > #000�#034#003H #017���#034#003H #017�#001#001L#001�#000#000�#034#003�
> >
#010�#001#001K#005�#000#000#001)#000#000�#001#000#000#000#000#000#000#000#000��#000#000#000#000�ͫ�#000#000#000#001#000#017#013�3#000#000#000#016#000#003#000#036#000#023#005�#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000'
> > $!:
> > $.:
> > $/:
> >
> >
> >
> >
> > Below is the configuration in place:
> >
> > $DebugFile /var/log/rsyslogdebug.log
> > $DebugLevel 2
> >
> > template(name="RSYSLOG_DebugFormat" type="list") {
> >     constant(value="Debug line with all properties:\nFROMHOST: '")
> >     property(name="fromhost")
> >     constant(value="', fromhost-ip: '")
> >     property(name="fromhost-ip")
> >     constant(value="', HOSTNAME: '")
> >     property(name="hostname")
> >     constant(value="', PRI: '")
> >     property(name="pri")
> >     constant(value=",\nsyslogtag '")
> >     property(name="syslogtag")
> >     constant(value="', programname: '")
> >     property(name="programname")
> >     constant(value="', APP-NAME: '")
> >     property(name="app-name")
> >     constant(value="', PROCID: '")
> >     property(name="procid")
> >     constant(value="', MSGID: '")
> >     property(name="msgid")
> >     constant(value="',\nTIMESTAMP: '")
> >     property(name="timereported")
> >     constant(value="', STRUCTURED-DATA: '")
> >     property(name="structured-data")
> >     constant(value="',\nmsg: '")
> >     property(name="msg")
> >     constant(value="'\nescaped msg: '")
> >     property(name="msg" controlcharacters="drop")
> >     constant(value="'\ninputname: ")
> >     property(name="inputname")
> >     constant(value=" rawmsg: '")
> >     property(name="rawmsg")
> >     constant(value="'\n$!:")
> >     property(name="$!")
> >     constant(value="\n$.:")
> >     property(name="$.")
> >     constant(value="\n$/:")
> >     property(name="$/")
> >     constant(value="\n\n")
> > }
> >
> >
> >
> > #Modules
> > module(load="imtcp")
> > module(load="pmciscoios")
> >
> > #Inputs
> > input(type="imtcp" port="20514" ruleset="rsyslogswitchs")
> >
> > #Parsers
> > parser(name="custom.ciscoios.withOrigin" type="pmciscoios" present.origin="on")
> >
> >
> > #Rules
> > ruleset(name="rsyslogswitchs" parser="custom.ciscoios.withOrigin") {
> >     *.* /var/log/remote-syslog/testesw3.log;RSYSLOG_DebugFormat
> > }
> >
> > Best,
> > Pedro
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
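The diagnosis in this thread (a rawmsg body made of control characters and nulls points at the sender, not at the parser) can be automated when triaging a receiver's debug output. The following is an added example, not code from the thread or from the rsyslog project. It assumes rsyslog's default escaping of control bytes as '#' plus three octal digits and the "<PRI>sequence: origin: " header shape shown above; the function name, the 10% threshold and the sample lines are constructed for illustration.

```python
import re

# rsyslog's default receive-side escaping writes each control byte as '#'
# plus three octal digits (NUL -> #000). A literal "#000" typed in a real
# message is indistinguishable, so treat the result as a triage hint.
ESCAPE = re.compile(r"#([0-3][0-7]{2})")
# "<PRI>sequence: origin: " header shape, as in the thread's sample output
HEADER = re.compile(r"^<(\d{1,3})>(\d+): (\S+): ")

def triage(rawmsg, max_ratio=0.10):
    """Classify one escaped rawmsg as 'text' or 'binary' by control-byte share."""
    m = HEADER.match(rawmsg)
    body = rawmsg[m.end():] if m else rawmsg
    decoded = ESCAPE.sub(lambda e: chr(int(e.group(1), 8)), body)
    # Tab is excluded; U+FFFD marks bytes that were not valid UTF-8.
    control = sum(1 for c in decoded
                  if (ord(c) < 0x20 and c != "\t") or ord(c) == 0x7F)
    undecodable = decoded.count("\ufffd")
    ratio = (control + undecodable) / len(decoded) if decoded else 0.0
    pri = int(m.group(1)) if m else None
    return {
        "pri": pri,
        "facility": pri // 8 if pri is not None else None,
        "severity": pri % 8 if pri is not None else None,
        "origin": m.group(3) if m else None,
        "control": control,
        "nul": decoded.count("\x00"),
        "ratio": round(ratio, 3),
        "verdict": "binary" if ratio > max_ratio else "text",
    }

# Constructed samples (hostname and sequence numbers are made up).
GARBLED = ("<43>100001: SW-EXAMPLE-01: [syslog@9 "
           "#000#034#003H #017#001#001L#001#000#000#000#000")
CLEAN = ("<187>100002: SW-EXAMPLE-01: *Mar 21 12:03:20.123: "
         "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up")

if __name__ == "__main__":
    for sample in (GARBLED, CLEAN):
        print(triage(sample))
```

A "binary" verdict on messages from one origin is a reason to review that device's logging configuration before changing anything on the receiver.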