Page 3 of 5

Re: All Log Entries on same facility/priority/severity

Posted: Fri Nov 21, 2014 5:03 pm
by tmckay
sreinhardt wrote: Thanks, I'm going to compare this against some of my incoming cisco logs. I don't have zhone, but I do have several switches and firewalls to test against. What IOS version are you presently running?
Several different versions, but here is an example. Not the latest: 12.2(33r)SRD5 on a 7600. Also, this isn't just Zhone or Cisco; it is every device I've pointed to it. I have a Linux application, Incognito Broadband Control Center, a Zhone MXK, multiple Cisco platforms. The only thing that appears to be correct is the 127.0.0.1 logging. I've had Cisco ASA, 7600s, and 7206 (latest and greatest :) ) all logging against this platform. If you want to send me a sample filter to add, I can try it. Thanks

Re: All Log Entries on same facility/priority/severity

Posted: Mon Nov 24, 2014 5:08 pm
by scottwilkerson
tmckay wrote: Message contents

<157>240: RITTERLAB: Nov 21 14:07:39.548: %SYS-5-CONFIG_I: Configured from console by tmckay on vty0 (64.233.128.6)
I actually think the SEQNUM is what is throwing the message off, as it is not part of RFC 3164; it is the 240 in the line above.

You can do one of 2 things: modify the routers to turn off sequence-numbers

configure terminal
no service sequence-numbers
copy running-config startup-config
Or, create a different input for the cisco items on a different port and pass the results through a filter like so:

Add Input

udp {
  port => 5545 ## change me to whatever you set your ASA syslog port to
  type => "cisco"
}
Add Filter

if [type] == "cisco" {
  grok {
    match => ["message", "^<%{POSINT:syslog_pri}>%{POSINT:seqnum}: %{WORD:host}: %{CISCOTIMESTAMP:timestamp}: %%{CISCOTAG:ciscotag}: %{GREEDYDATA:cisco_message}"]
  }
  # Parse the syslog severity and facility
  syslog_pri { }

  # Extract fields from each of the detailed message types
  # The patterns provided below are included in the core of Logstash 1.2.0.
  grok {
    match => [
      "cisco_message", "%{CISCOFW106001}",
      "cisco_message", "%{CISCOFW106006_106007_106010}",
      "cisco_message", "%{CISCOFW106014}",
      "cisco_message", "%{CISCOFW106015}",
      "cisco_message", "%{CISCOFW106021}",
      "cisco_message", "%{CISCOFW106023}",
      "cisco_message", "%{CISCOFW106100}",
      "cisco_message", "%{CISCOFW110002}",
      "cisco_message", "%{CISCOFW302010}",
      "cisco_message", "%{CISCOFW302013_302014_302015_302016}",
      "cisco_message", "%{CISCOFW302020_302021}",
      "cisco_message", "%{CISCOFW305011}",
      "cisco_message", "%{CISCOFW313001_313004_313008}",
      "cisco_message", "%{CISCOFW313005}",
      "cisco_message", "%{CISCOFW402117}",
      "cisco_message", "%{CISCOFW402119}",
      "cisco_message", "%{CISCOFW419001}",
      "cisco_message", "%{CISCOFW419002}",
      "cisco_message", "%{CISCOFW500004}",
      "cisco_message", "%{CISCOFW602303_602304}",
      "cisco_message", "%{CISCOFW710001_710002_710003_710005_710006}",
      "cisco_message", "%{CISCOFW713172}",
      "cisco_message", "%{CISCOFW733100}"
    ]
  }
  # IOS timestamps carry milliseconds (14:07:39.548 in the sample line), so the
  # .SSS forms are listed first; the plain forms cover devices without msec logging.
  date {
    match => ["timestamp",
      "MMM dd HH:mm:ss.SSS",
      "MMM  d HH:mm:ss.SSS",
      "MMM dd HH:mm:ss",
      "MMM d HH:mm:ss",
      "MMM dd yyyy HH:mm:ss",
      "MMM d yyyy HH:mm:ss"
    ]
  }
}
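To show what the first grok line above actually does, here is the same header layout as a Python regex, as an added example that is not from the post or from Nagios Log Server: it parses the quoted IOS line with or without the sequence number, decodes the PRI into facility and severity, and shows that a strict RFC 3164 header pattern rejects the line once the sequence number is present. The 13 (user.notice) fallback, the field names mirroring the grok pattern, and the second sample line are assumptions of this example.

```python
import re

# Mirrors the post's first grok pattern as a plain regex (constructed here, not Logstash's):
# <PRI>, optional IOS sequence number, origin host, IOS timestamp, %FAC-SEV-MNEMONIC, text.
CISCO_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seqnum>\d+): )?"       # only present when 'service sequence-numbers' is on
    r"(?P<host>\S+): "
    r"(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?): "
    r"%(?P<ciscotag>[A-Z0-9_]+-\d-[A-Z0-9_]+): "
    r"(?P<message>.*)$")

# Plain RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOST TEXT. It has no slot for a sequence number.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<message>.*)$")

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
# Assumed fallback when no PRI is read: 13 = user.notice. Every line that misses the
# pattern then lands on the same facility/severity, which is the symptom in this thread.
DEFAULT_PRI = 13

def decode_pri(pri):
    # PRI = facility * 8 + severity (RFC 3164 section 4.1.1)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def parse_syslog(line):
    # Try the Cisco layout first, then plain RFC 3164; record which parser matched.
    for name, regex in (("cisco", CISCO_RE), ("rfc3164", RFC3164_RE)):
        m = regex.match(line)
        if m:
            fields = m.groupdict()
            fields["syslog_pri"] = int(fields.pop("pri"))
            fields["facility"], fields["severity"] = decode_pri(fields["syslog_pri"])
            fields["parser"] = name
            return fields
    facility, severity = decode_pri(DEFAULT_PRI)
    return {"parser": None, "syslog_pri": DEFAULT_PRI,
            "facility": facility, "severity": severity, "message": line}

# The line quoted in the post, and a constructed plain RFC 3164 line for comparison.
IOS_LINE = ("<157>240: RITTERLAB: Nov 21 14:07:39.548: %SYS-5-CONFIG_I: "
            "Configured from console by tmckay on vty0 (64.233.128.6)")
PLAIN_LINE = "<13>Nov 24 17:08:00 logserver sshd[2231]: Accepted publickey for nagios"
```

Running `parse_syslog(IOS_LINE)` yields PRI 157, which decodes to local3/notice, while `RFC3164_RE.match(IOS_LINE)` returns None because the `240:` sits where RFC 3164 expects the timestamp.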

Re: All Log Entries on same facility/priority/severity

Posted: Mon Nov 24, 2014 10:26 pm
by tmckay
Option 1 didn't have an effect on what is being received by LS in my lab 7206. I didn't try option 2, as it seems geared toward a firewall instead of a router. I cannot access any of the other gear, as I'm out of the office this week.

Re: All Log Entries on same facility/priority/severity

Posted: Tue Nov 25, 2014 11:51 am
by sreinhardt
The second option is actually device agnostic, and highly suggested. Reason being, it forces the Cisco syslogs that don't seem to comply with proper RFC specs for the syslog protocol into a different port and filter. The only change needed on your devices is a port change to something unique to your Cisco devices instead of the standard syslog port. Otherwise all changes would be to the log server.

Re: All Log Entries on same facility/priority/severity

Posted: Mon Dec 01, 2014 9:49 pm
by tmckay
Some of the gear, Cisco included, will not allow specification of an atypical port for syslogging. I'm sure with a code upgrade it would be possible, but that is out of the realm of possibilities for the scope of this demo.

Re: All Log Entries on same facility/priority/severity

Posted: Tue Dec 02, 2014 3:28 pm
by sreinhardt
How about, for this testing, altering the default port of your other agents and instead using the default 5544 for the Cisco special filter? Alternatively, you could set an iptables NAT rule to redirect input from that IP to a different port without altering the Cisco. Would either of these work for your test case?

Re: All Log Entries on same facility/priority/severity

Posted: Thu Dec 04, 2014 3:38 pm
by tmckay
Question: when I add filters/inputs in the Administration GUI, should the 3 files at /usr/local/nagioslogserver/logstash/etc/conf.d be changing to reflect those? If so, there has been no change to those since the box was built on Nov 17. Below are the perms on those files. If those aren't the correct files, what dir would I look for them in? I'm getting an error on that filter you provided.

-rw-rw-r-- 1 apache apache 653 Nov 17 09:13 000_inputs.conf
-rw-rw-r-- 1 apache apache 978 Nov 17 09:13 500_filters.conf
-rw-rw-r-- 1 apache apache 493 Nov 17 09:13 999_outputs.conf

Re: All Log Entries on same facility/priority/severity

Posted: Thu Dec 04, 2014 5:05 pm
by sreinhardt
Yes, it should. To verify: you have performed a global apply config after modifying those?

Re: All Log Entries on same facility/priority/severity

Posted: Thu Dec 04, 2014 5:17 pm
by tmckay
Yes, that's correct. I'm including a screenshot of the inputs and filters I have applied, and the 2 .conf files that are on the system. They don't match.

Re: All Log Entries on same facility/priority/severity

Posted: Fri Dec 05, 2014 5:53 pm
by tmcdonald
Here are the permissions on several of our internal boxes, both stock installs and a dev revision:

$ ls -l /usr/local/nagioslogserver/logstash/etc/conf.d
total 12
-rwxrwxr-x 1 nagios nagios  722 Nov 26 13:41 000_inputs.conf
-rwxrwxr-x 1 nagios nagios 1304 Nov 26 13:41 500_filters.conf
-rwxrwxr-x 1 nagios nagios  493 Nov 26 13:41 999_outputs.conf
Try a chmod 755 and chown nagios.nagios on those files and see if they get written.