All Log Entries on same facility/priority/severity

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
tmckay
Posts: 20
Joined: Tue Nov 11, 2014 4:49 pm

Re: All Log Entries on same facility/priority/severity

Post by tmckay »

sreinhardt wrote: Thanks, I'm going to compare this against some of my incoming Cisco logs. I don't have Zhone, but I do have several switches and firewalls to test against. What IOS version are you presently running?
Several different versions, but here is an example. Not the latest: 12.2(33r)SRD5 on a 7600. Also, this isn't just Zhone or Cisco; it is every device I've pointed to it. I have a Linux application, Incognito Broadband Control Center, a Zhone MXK, and multiple Cisco platforms. The only thing that appears to be correct is the 127.0.0.1 logging. I've had Cisco ASA, 7600s, and 7206 (latest and greatest :) ) all logging against this platform. If you want to send me a sample filter to add, I can try it. Thanks
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: All Log Entries on same facility/priority/severity

Post by scottwilkerson »

tmckay wrote: Message contents

<157>240: RITTERLAB: Nov 21 14:07:39.548: %SYS-5-CONFIG_I: Configured from console by tmckay on vty0 (64.233.128.6)

I actually think the SEQNUM is what is throwing the message off, as it is not part of RFC 3164; it is the 240 in the line above.

You can do one of two things. First, modify the routers to turn off sequence numbers:

configure terminal
no service sequence-numbers
copy running-config startup-config

Or, create a different input for the Cisco items on a different port and pass the results through a filter like so:

Add Input

udp {
  port => 5545   ## change me to whatever you set your ASA syslog port to
  type => "cisco"
}

Add Filter

if [type] == "cisco" {
  grok {
    # IOS with "service sequence-numbers" and "logging origin-id hostname":
    # <PRI>SEQ: HOST: TIMESTAMP: %FAC-SEV-MNEMONIC: message
    # (HOSTNAME rather than WORD so hyphenated hostnames also match)
    match => ["message", "^<%{POSINT:syslog_pri}>%{POSINT:seqnum}: %{HOSTNAME:host}: %{CISCOTIMESTAMP:timestamp}: %%{CISCOTAG:ciscotag}: %{GREEDYDATA:cisco_message}"]
  }
  # Parse the syslog severity and facility from syslog_pri
  syslog_pri { }

  # Extract fields from each of the detailed message types.
  # The patterns provided below are included in core of LogStash 1.2.0.
  # They are ASA/PIX firewall message IDs; an IOS router message will not
  # match any of them and this grok will tag it _grokparsefailure.
  grok {
    match => [
      "cisco_message", "%{CISCOFW106001}",
      "cisco_message", "%{CISCOFW106006_106007_106010}",
      "cisco_message", "%{CISCOFW106014}",
      "cisco_message", "%{CISCOFW106015}",
      "cisco_message", "%{CISCOFW106021}",
      "cisco_message", "%{CISCOFW106023}",
      "cisco_message", "%{CISCOFW106100}",
      "cisco_message", "%{CISCOFW110002}",
      "cisco_message", "%{CISCOFW302010}",
      "cisco_message", "%{CISCOFW302013_302014_302015_302016}",
      "cisco_message", "%{CISCOFW302020_302021}",
      "cisco_message", "%{CISCOFW305011}",
      "cisco_message", "%{CISCOFW313001_313004_313008}",
      "cisco_message", "%{CISCOFW313005}",
      "cisco_message", "%{CISCOFW402117}",
      "cisco_message", "%{CISCOFW402119}",
      "cisco_message", "%{CISCOFW419001}",
      "cisco_message", "%{CISCOFW419002}",
      "cisco_message", "%{CISCOFW500004}",
      "cisco_message", "%{CISCOFW602303_602304}",
      "cisco_message", "%{CISCOFW710001_710002_710003_710005_710006}",
      "cisco_message", "%{CISCOFW713172}",
      "cisco_message", "%{CISCOFW733100}"
    ]
  }
  # CISCOTIMESTAMP may carry milliseconds (14:07:39.548 in the sample above),
  # so the .SSS forms are needed or that line fails to get a parsed @timestamp
  date {
    match => ["timestamp",
      "MMM dd HH:mm:ss.SSS",
      "MMM d HH:mm:ss.SSS",
      "MMM dd HH:mm:ss",
      "MMM d HH:mm:ss",
      "MMM dd yyyy HH:mm:ss.SSS",
      "MMM d yyyy HH:mm:ss.SSS",
      "MMM dd yyyy HH:mm:ss",
      "MMM d yyyy HH:mm:ss"
    ]
  }
}
Former Nagios employee
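The sequence-number point above, as an added example that is not part of the original post and is not Nagios Log Server or Logstash code: a small Python parser that tries a strict RFC 3164 layout first and a Cisco IOS layout second, decodes the <PRI> into facility and severity, and records which layout accepted each line. The first sample is the line quoted in the thread; the other four are constructed (the same device after no service sequence-numbers, one with a sequence number but no origin-id hostname, one with neither, and a plain Linux sshd line). The two regexes are my own approximation of the formats, not the grok patterns Log Server ships, and ASA messages use a different layout that is not covered here. It also cross-checks the severity digit in the %FAC-SEV-MNEMONIC tag against the severity decoded from the PRI, a quick way to confirm the PRI was parsed from the right bytes.

```python
"""Decode syslog <PRI> and parse Cisco IOS lines with/without sequence numbers.

Added example for this thread; it is not Nagios Log Server or Logstash code.
Only the first sample line is from the thread; the rest are constructed.
"""
import re

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
    "solaris-cron", "local0", "local1", "local2", "local3", "local4",
    "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Strict RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOST TAG[PID]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

# Cisco IOS layout (my approximation): <PRI>[SEQ: ][HOST: ]TIMESTAMP: %FAC-SEV-MNEMONIC: MSG
# SEQ comes from "service sequence-numbers", HOST from "logging origin-id hostname";
# the timestamp may carry milliseconds, a year, a zone, or a leading '*'/'.' when
# the device clock is not authoritative.
CISCO_IOS = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seqnum>\d+): )?"
    r"(?:(?P<host>[A-Za-z0-9._-]+): )?"
    r"(?P<timestamp>[*.]?[A-Z][a-z]{2} +\d{1,2}(?: \d{4})? "
    r"\d\d:\d\d:\d\d(?:\.\d{1,3})?(?: [A-Z]{3,4})?): "
    r"%(?P<ciscotag>[A-Z0-9_]+-(?P<tagsev>\d)-[A-Z0-9_]+): "
    r"(?P<msg>.*)$"
)

SAMPLES = [
    # From the thread: sequence numbers on, origin-id hostname on.
    "<157>240: RITTERLAB: Nov 21 14:07:39.548: %SYS-5-CONFIG_I: "
    "Configured from console by tmckay on vty0 (64.233.128.6)",
    # Constructed: the same device after "no service sequence-numbers".
    "<157>RITTERLAB: Nov 21 14:07:41.102: %SYS-5-CONFIG_I: "
    "Configured from console by tmckay on vty0 (64.233.128.6)",
    # Constructed: sequence number but no origin-id; Cisco default facility local7.
    "<189>1042: Nov 21 14:08:02.001: %LINEPROTO-5-UPDOWN: "
    "Line protocol on Interface GigabitEthernet0/1, changed state to down",
    # Constructed: no sequence number, no origin-id; only the timestamp is non-RFC.
    "<187>Nov 21 14:08:05.332: %LINK-3-UPDOWN: "
    "Interface GigabitEthernet0/1, changed state to down",
    # Constructed: an ordinary RFC 3164 line from a Linux host.
    "<38>Nov 21 14:09:12 webhost sshd[2211]: "
    "Failed password for invalid user admin from 203.0.113.7 port 5122 ssh2",
]


def decode_pri(pri):
    """PRI = facility * 8 + severity (RFC 3164, section 4.1.1)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return pri >> 3, pri & 7


def parse_line(line):
    """Try the strict RFC 3164 layout first, then IOS; None if neither matches."""
    for name, pattern in (("rfc3164", RFC3164), ("cisco_ios", CISCO_IOS)):
        m = pattern.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["parser"] = name
        rec["pri"] = int(rec["pri"])
        fac, sev = decode_pri(rec["pri"])
        rec["facility"] = FACILITIES[fac]
        rec["severity"] = SEVERITIES[sev]
        rec["seqnum"] = int(rec["seqnum"]) if rec.get("seqnum") else None
        return rec
    return None


def severity_consistent(rec):
    """IOS cross-check: SEV digit in %FAC-SEV-MNEMONIC must equal the PRI severity.

    A mismatch means the PRI was decoded from the wrong bytes or rewritten in transit.
    """
    if rec["parser"] != "cisco_ios":
        return True
    return int(rec["tagsev"]) == (rec["pri"] & 7)


def summarize(lines):
    """(parser, facility, severity, seqnum) per line, or None when unparsed."""
    rows = []
    for line in lines:
        rec = parse_line(line)
        rows.append(None if rec is None else
                    (rec["parser"], rec["facility"], rec["severity"], rec["seqnum"]))
    return rows


if __name__ == "__main__":
    for line, row in zip(SAMPLES, summarize(SAMPLES)):
        print(row, "<-", line[:45])
```

Running it prints one row per sample: the four IOS lines come back from the IOS pattern as local3/notice, local3/notice, local7/notice and local7/err with sequence numbers 240, none, 1042, none, and the strict RFC 3164 pattern rejects every one of them (the sequence number, the hostname followed by a colon, and the millisecond timestamp with its trailing colon each break the expected <PRI>TIMESTAMP HOST TAG: layout), while the sshd line matches RFC 3164 as auth/info. The fourth sample has neither a sequence number nor an origin-id and is still rejected by the strict pattern, so on this parser turning sequence numbers off is not by itself enough to make an IOS line RFC 3164-shaped; the severity cross-check passes for all four IOS lines.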
tmckay
Posts: 20
Joined: Tue Nov 11, 2014 4:49 pm

Re: All Log Entries on same facility/priority/severity

Post by tmckay »

Option 1 didn't have an effect on what is being received by LS in my lab 7206. I didn't try option 2, as it seems geared toward a firewall instead of a router. I cannot access any of the other gear, as I'm out of the office this week.
sreinhardt
-fno-stack-protector
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Re: All Log Entries on same facility/priority/severity

Post by sreinhardt »

The second option is actually device-agnostic and highly suggested. The reason is that it forces the Cisco syslogs, which don't seem to comply with the RFC specs for the syslog protocol, onto a different port and filter. The only change needed on your devices is a port change to something unique to your Cisco devices instead of the standard syslog port. Otherwise all changes would be to Log Server.
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
tmckay
Posts: 20
Joined: Tue Nov 11, 2014 4:49 pm

Re: All Log Entries on same facility/priority/severity

Post by tmckay »

Some of the gear, Cisco included, will not allow specification of an atypical port for syslogging. I'm sure with a code upgrade it would be possible, but that is out of the realm of possibilities for the scope of this demo.
sreinhardt
-fno-stack-protector
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Re: All Log Entries on same facility/priority/severity

Post by sreinhardt »

How about, for this testing, altering the default port of your other agents and instead using the default 5544 for the Cisco special filter? Alternatively you could set an iptables NAT rule to redirect input from that IP to a different port without altering the Cisco. Would either of these work for your test case?
tmckay
Posts: 20
Joined: Tue Nov 11, 2014 4:49 pm

Re: All Log Entries on same facility/priority/severity

Post by tmckay »

Question: when I add filters/inputs in the Administration GUI, should the 3 files at /usr/local/nagioslogserver/logstash/etc/conf.d be changing to reflect those? If so, there has been no change to those since the box was built on Nov 17. Below are the perms on those files. If those aren't the correct files, what dir would I look for them in? I'm getting an error on that filter you provided.

-rw-rw-r-- 1 apache apache 653 Nov 17 09:13 000_inputs.conf
-rw-rw-r-- 1 apache apache 978 Nov 17 09:13 500_filters.conf
-rw-rw-r-- 1 apache apache 493 Nov 17 09:13 999_outputs.conf
sreinhardt
-fno-stack-protector
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Re: All Log Entries on same facility/priority/severity

Post by sreinhardt »

Yes, it should. To verify: you have performed a global apply config after modifying those?
tmckay
Posts: 20
Joined: Tue Nov 11, 2014 4:49 pm

Re: All Log Entries on same facility/priority/severity

Post by tmckay »

Yes, that's correct. I'm including a screenshot of the inputs and filters I have applied, and the 2 .conf files that are on the system. They don't match.
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: All Log Entries on same facility/priority/severity

Post by tmcdonald »

Here are the permissions on several of our internal boxes, both stock installs and a dev revision:

$ ls -l /usr/local/nagioslogserver/logstash/etc/conf.d
total 12
-rwxrwxr-x 1 nagios nagios  722 Nov 26 13:41 000_inputs.conf
-rwxrwxr-x 1 nagios nagios 1304 Nov 26 13:41 500_filters.conf
-rwxrwxr-x 1 nagios nagios  493 Nov 26 13:41 999_outputs.conf
Try a chmod 755 and chown nagios.nagios on those files and see if they get written.
Former Nagios employee