uBR10012 issues

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
jasonbr
Posts: 2
Joined: Mon Feb 06, 2017 9:57 am

uBR10012 issues

Post by jasonbr »

Hello,

I'm trying to use the Log Server with a Cisco uBR10012, but the logs are not sent/received as I expect.

Example:
In the Log Server I see this (all in the same message):

IP 10.60.19.112 already assigned to MAC=0014.04d8.2e30 Interface Cable5/0/4 SID 4674 <188>1838258: [syslog@9 s_id="PE-ALAJUELA-01:5551"]: Feb 6 13:10:14.737 UTC: %UBR10000-4-OVERLAPIP_CM: Interface Cable5/0/4, IP address 10.60.19.112 assigned to CM 0014.04d8.2e30 has been reassigned.<189>1838259: [syslog@9 s_id="PE-ALAJUELA-01:5551"]: Feb 6 13:10:16.693 UTC: %SSH-5-SSH2_SESSION: SSH2 Session request from 169.254.254.34 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-md5' Succeeded<189>1838260: [syslog@9 s_id="PE-ALAJUELA-01:5551"]: Feb 6 13:10:16.901 UTC: %SSH-5-SSH2_USERAUTH: User 'viewconf' authentication for SSH2 Session from 169.254.254.34 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-md5' Succeeded<189>1838261: [syslog@9 s_id="PE-ALAJUELA-01:5551"]: Feb 6 13:10:17.001 UTC: %SSH-5-SSH2_CLOSE: SSH2 Session from 169.254.254.34 (tty = 0) for user 'viewconf' using crypto cipher 'aes128-cbc', hmac 'hmac-md5' closed<190>1838262: [syslog@9 s_id="PE-ALAJUELA-01:5551"]: Feb 6 13:10:59.810 UTC: %UBR10000-6-BADIPASSIGNMENT: DHCPOFFER dropped : Interface Cable5/0/4 Mac 0014.04d8.2e30 SID 4674 L3_Interface Bundle1.102

And only when the log in the uBR begins with the word "IP" or "SID" (without timestamp) do I see the log (as above) in the Log Server.

I'm using a Cisco RFGW10 and a Cisco 7600 router and they work fine; only the uBR has a problem.

Sorry for my English :(

Regards, Jason
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: uBR10012 issues

Post by mcapra »

This might be an issue with the delimiter being used by the particular device. Are you able to send over some raw sample log files (assuming they exist)?

You might try to use the multiline codec as a hacky work-around assuming all messages start with the pri like <213>. The input rule might look like this:

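syslog {
    type => 'syslog'
    port => 5544
    # Any line that does NOT contain '<' is appended to the previous event;
    # a line containing '<' (the start of a PRI such as <213>) begins a new one.
    codec => multiline
        {
            pattern => '<'
            negate => true
            what => previous
        }
}
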
Other than that, you could try sending the data to the default raw tcp/udp input we use on port 2056. It might shed some light on what's causing this if the message is not first being passed through the syslog filter.
Former Nagios employee
https://www.mcapra.com/
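
The PRI-based splitting suggested in the post above, shown outside Logstash as an added example (it is not code from the thread or from Nagios Log Server). The function name, the regexes and the sample excerpt (three of the five messages from the capture in the first post) are this example's own; it assumes every message begins with `<PRI>` followed by the Cisco sequence number and a colon.

```python
import re

# Constructed excerpt of the capture in the first post: a headless fragment
# followed by three messages run together with no newline between them.
HDR = ': [syslog@9 s_id="PE-ALAJUELA-01:5551"]: Feb 6 13:10:'
SAMPLE = (
    "IP 10.60.19.112 already assigned to MAC=0014.04d8.2e30 Interface Cable5/0/4 SID 4674 "
    "<188>1838258" + HDR + "14.737 UTC: %UBR10000-4-OVERLAPIP_CM: Interface Cable5/0/4, "
    "IP address 10.60.19.112 assigned to CM 0014.04d8.2e30 has been reassigned."
    "<189>1838260" + HDR + "16.901 UTC: %SSH-5-SSH2_USERAUTH: User 'viewconf' authentication "
    "for SSH2 Session from 169.254.254.34 (tty = 0) using crypto cipher 'aes128-cbc', "
    "hmac 'hmac-md5' Succeeded"
    "<190>1838262" + HDR + "59.810 UTC: %UBR10000-6-BADIPASSIGNMENT: DHCPOFFER dropped : "
    "Interface Cable5/0/4 Mac 0014.04d8.2e30 SID 4674 L3_Interface Bundle1.102"
)

# A frame starts at <PRI> only when a sequence number and colon follow,
# so a stray '<' inside message text does not start a new event.
PRI = re.compile(r"<(\d{1,3})>(?=\d+: )")
# Cisco body: sequence number, then the %FACILITY-SEVERITY-MNEMONIC tag.
CISCO = re.compile(r"^(\d+): .*?%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+): ")


def split_frames(buf):
    """Split a run-together syslog buffer into one dict per message."""
    marks = [m for m in PRI.finditer(buf) if int(m.group(1)) <= 191]
    events = []
    # Text before the first PRI has no header; keep it as an orphan fragment.
    head = buf[:marks[0].start()] if marks else buf
    if head.strip():
        events.append({"pri": None, "text": head.strip()})
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(buf)
        body = buf[m.end():end].strip()
        pri = int(m.group(1))
        ev = {"pri": pri, "facility": pri >> 3, "severity": pri & 7, "text": body}
        c = CISCO.match(body)
        if c:
            ev.update(seq=int(c.group(1)), tag="-".join(c.group(2, 3, 4)))
        events.append(ev)
    return events


if __name__ == "__main__":
    for ev in split_frames(SAMPLE):
        print(ev.get("seq"), ev.get("severity"), ev.get("tag"), ev["text"][:60])
```

The severity decoded from the PRI (188, 189, 190 give 4, 5, 6) matches the digit in each `%...-N-...` tag, which is a quick check that the split landed on real message boundaries.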
jasonbr
Posts: 2
Joined: Mon Feb 06, 2017 9:57 am

Re: uBR10012 issues

Post by jasonbr »

Hello mcapra,

Thank you very much. The change in the input rule worked and I immediately started to see the logs on the Log Server, but sometimes more than one log is received in the same message.

I'll try some changes in the next few days.

Regards
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: uBR10012 issues

Post by rkennedy »

I would look at a tcpdump to see if you can verify what end the data is being duplicated on. I haven't seen this issue with NLS before, but I have seen rsyslog forwarding over twice. Let us know if you have any further questions.
Former Nagios Employee
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: uBR10012 issues

Post by tmcdonald »

Just checking in since we have not heard from you in a while. Did @rkennedy's post clear things up or has the issue otherwise been resolved?
Former Nagios employee