uBR10012 issues

Posted: Thu Feb 09, 2017 6:37 pm
by jasonbr
Hello,

I'm trying to use the Log Server with a Cisco uBR10012, but the logs are not sent/received as I expect.

Example:
In the Log Server I see this (all in the same message):

IP 10.60.19.112 already assigned to MAC=0014.04d8.2e30 Interface Cable5/0/4 SID 4674 <188>1838258: [syslog@9 s_id="PE-ALAJUELA-01:5551"]: Feb 6 13:10:14.737 UTC: %UBR10000-4-OVERLAPIP_CM: Interface Cable5/0/4, IP address 10.60.19.112 assigned to CM 0014.04d8.2e30 has been reassigned.<189>1838259: [syslog@9 s_id="PE-ALAJUELA-01:5551"]: Feb 6 13:10:16.693 UTC: %SSH-5-SSH2_SESSION: SSH2 Session request from 169.254.254.34 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-md5' Succeeded<189>1838260: [syslog@9 s_id="PE-ALAJUELA-01:5551"]: Feb 6 13:10:16.901 UTC: %SSH-5-SSH2_USERAUTH: User 'viewconf' authentication for SSH2 Session from 169.254.254.34 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-md5' Succeeded<189>1838261: [syslog@9 s_id="PE-ALAJUELA-01:5551"]: Feb 6 13:10:17.001 UTC: %SSH-5-SSH2_CLOSE: SSH2 Session from 169.254.254.34 (tty = 0) for user 'viewconf' using crypto cipher 'aes128-cbc', hmac 'hmac-md5' closed<190>1838262: [syslog@9 s_id="PE-ALAJUELA-01:5551"]: Feb 6 13:10:59.810 UTC: %UBR10000-6-BADIPASSIGNMENT: DHCPOFFER dropped : Interface Cable5/0/4 Mac 0014.04d8.2e30 SID 4674 L3_Interface Bundle1.102

And only when the log in the uBR begins with the word "IP" or "SID" (without a timestamp) do I see the log (as above) in the Log Server.

I'm using a Cisco RFGW10 and a Cisco 7600 router and they work fine; only the uBR has the problem.

Sorry for my English :(

Regards, Jason

Re: uBR10012 issues

Posted: Fri Feb 10, 2017 11:26 am
by mcapra
This might be an issue with the delimiter being used by the particular device. Are you able to send over some raw sample log files (assuming they exist)?

You might try to use the multiline codec as a hacky work-around assuming all messages start with the pri like <213>. The input rule might look like this:

syslog {
    type => 'syslog'
    port => 5544
    # Lines that do not match the pattern ('<', the start of a PRI such as <213>)
    # are appended to the previous event.
    codec => multiline {
        pattern => '<'
        negate => true
        what => previous
    }
}

Other than that, you could try sending the data to the default raw tcp/udp input we use on port 2056. It might shed some light on what's causing this if the message is not first being passed through the syslog filter.
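
As an added illustration (not code from the posts above or from the Log Server product), this Python example splits a buffer like the one quoted in the first post on the `<PRI>sequence:` boundary rather than on newlines, keeps the leading fragment that has no PRI, and decodes facility and severity from each PRI. The sample string is constructed from the posted message, and `split_records` is a hypothetical helper name.

```python
import re

# Constructed sample modelled on the message in the first post: a fragment with
# no PRI, then several records run together with no newline between them.
SAMPLE = (
    'IP 10.60.19.112 already assigned to MAC=0014.04d8.2e30 Interface Cable5/0/4 SID 4674 '
    '<188>1838258: [syslog@9 s_id="PE-ALAJUELA-01:5551"]: Feb 6 13:10:14.737 UTC: '
    '%UBR10000-4-OVERLAPIP_CM: Interface Cable5/0/4, IP address 10.60.19.112 has been reassigned.'
    '<189>1838259: [syslog@9 s_id="PE-ALAJUELA-01:5551"]: Feb 6 13:10:16.693 UTC: '
    "%SSH-5-SSH2_SESSION: SSH2 Session request from 169.254.254.34 (tty = 0) Succeeded"
    '<189>1838260: [syslog@9 s_id="PE-ALAJUELA-01:5551"]: Feb 6 13:10:16.901 UTC: '
    "%SSH-5-SSH2_USERAUTH: User 'viewconf' authentication for SSH2 Session Succeeded"
    '<190>1838262: [syslog@9 s_id="PE-ALAJUELA-01:5551"]: Feb 6 13:10:59.810 UTC: '
    '%UBR10000-6-BADIPASSIGNMENT: DHCPOFFER dropped : Interface Cable5/0/4'
)

# A record starts at <PRI> followed by the device's sequence number and a colon.
# Requiring the sequence number avoids splitting on a stray '<' inside a message.
BOUNDARY = re.compile(r'<(\d{1,3})>(?=\d+: )')
MNEMONIC = re.compile(r'%([A-Z0-9_]+-\d-[A-Z0-9_]+)')

def split_records(buf):
    """Return (orphan, records): the text before the first PRI and one dict per record."""
    marks = [m for m in BOUNDARY.finditer(buf) if int(m.group(1)) <= 191]
    orphan = buf[:marks[0].start()].strip() if marks else buf.strip()
    records = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(buf)
        pri, text = int(m.group(1)), buf[m.end():end].strip()
        tag = MNEMONIC.search(text)
        records.append({
            'facility': pri >> 3,   # PRI = facility * 8 + severity
            'severity': pri & 7,
            'mnemonic': tag.group(1) if tag else None,
            'message': text,
        })
    return orphan, records

if __name__ == '__main__':
    orphan, records = split_records(SAMPLE)
    print('orphan fragment:', orphan)
    for r in records:
        print(r['facility'], r['severity'], r['mnemonic'])
```

The decoded severity should equal the digit in each Cisco mnemonic (for example `%SSH-5-...` under PRI 189), which is a quick check that the split landed on real record boundaries.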

Re: uBR10012 issues

Posted: Fri Feb 10, 2017 4:17 pm
by jasonbr
Hello mcapra,

Thank you very much. The change in the input rule worked and I immediately started to see the logs on the Log Server, but sometimes more than one log is received in the same message.

I'll try some changes in the next few days.

Regards

Re: uBR10012 issues

Posted: Mon Feb 13, 2017 11:29 am
by rkennedy
I would look at a tcpdump to see if you can verify what end the data is being duplicated on. I haven't seen this issue with NLS before, but I have seen rsyslog forwarding over twice. Let us know if you have any further questions.

Re: uBR10012 issues

Posted: Wed Mar 01, 2017 2:27 pm
by tmcdonald
Just checking in since we have not heard from you in a while. Did @rkennedy's post clear things up or has the issue otherwise been resolved?