A few questions

[weveland]

Hello everyone,

I've got a few questions if I may.

First and foremost, is anyone aware of a way to export the accounting log information from a Cisco Nexus switch into Nagios Log Server? Ditto for an HP procurve switch.
Secondly does anyone know of any repositories of filters or guides that would help me create filters to parse syslog information from both Cisco and HP switches? Currently the standard syslog input gives a grokparsefailure when grok is trying to split the data into fields. I wasn't sure if there was anything already done, which would probably save some time.

[jolson]

A few answers:

First and foremost, is anyone aware of a way to export the accounting log information from a Cisco Nexus switch into Nagios Log Server?

I'm not familiar with accounting log information with regards to Cisco Switches. Do you know if you're capable of exporting the logs to *any* remote log server? If the answer is yes, you will be able to send the information to Nagios Log Server with no problems.

Ditto for an HP procurve switch.

Same answer as above. If you're capable of exporting the data to a remote device, you can bet that Nagios Log Server can receive that information.

Secondly does anyone know of any repositories of filters or guides that would help me create filters to parse syslog information from both Cisco and HP switches?

I couldn't find anything on the web, but I'm willing to help you through creating a filter if you get some example logs for me. What I suggest is getting the export process to work properly and using a bare TCP/UDP input on Nagios Log Server to start with. After you see some logs enter the Nagios Log Server dashboard, copy the 'message' field and send it this way - feel free to obfuscate anything you need to. From there I can design a filter to suit your needs. Same with the HP Switch.

Example of a bare TCP/UDP input (use one or the other - set the port as necessary):

2015-08-13 16_17_22-Instance Configuration • Nagios Log Server - Firefox Developer Edition.png

[weveland]

The cisco and HP switches both export radius accounting data. I just wasn't sure if there was a way to parse that without having to dump through a radius/tacacs+ server first and then pull the data from there.

I've got a listener setup with for syslog on port 514. I was trying to split the logs from the regular syslog stream by facility. so for instance HP switches come in on local7 and cisco comes in on local6. But I'm probably getting way ahead of myself. I was only doing this because I felt there would be other things in the future communicating with the server on 514 that weren't switches.

Here is what the current input filters look like.

syslog-switches.png

Also the parsing filter that I found online to handle standard syslog.

filter.png

Here is a log entry for a Cisco switch

notauser.png

I'll post the HP next because it appears I can only attach 3 images per post.

[weveland]

Hp switch entry

hpswitch.png

[Box293]

Ports below 1024 are classed as privileged and there are specific instructions on how to configure this:

https://assets.nagios.com/downloads/nag ... Server.pdf

[weveland]

Absolutely, I appreciate that. But I already configured the service to run as the root user. Getting the program to open the sockets isn't the problem. I'm receiving the data, just not able to create filters to parse it into intelligible and searchable things.

[Box293]

No problems. I get the USA techs to chime in tomorrow in relation to the filters, I'm still learning that part

[weveland]

Sounds good.

[weveland]

Just a courtesy bump of this thread. Just wondering if you had a chance to take a look?

[jdalrymple]

Hi weveland,

We're dealing with a lot of vacations starting and ending these past couple days - jolson's just started and mine just ended. Thanks for the raw output, with that we should have no trouble writing a filter for you. Myself or one of the other techs will dig into this once we get settled in for the day.