[Lognorm] liblognorm rules

cclark cclark at quadrantsec.com
Wed Sep 18 21:06:13 CEST 2013 

I've seen this happen before with Cisco devices.  Try this:  In your 
rule,  add a white space to the end.

So instead of this:

"rule=: %%SYS-5-CONFIG_I: Configured from console by console"

Try this:

"rule=: %%SYS-5-CONFIG_I: Configured from console by console "

Note the space at the end.



On Wed, 18 Sep 2013 12:16:57 -0400, Castillo, Jose   Contractor wrote:
> Hello,
>
> I'm testing rsyslog/liblognorm trying to parse syslog messages from
> cisco devices, but in some cases liblognorm is not matching syslog
> messages with corresponding rules.
>
> Please see next information and let me know if something is wrong.
>
> 
> ===================================================================================================
>
> # cat test.rulebase
> prefix=%date:date-rfc3164%
> rule=: %%SYS-5-CONFIG_I: Configured from console by console
> rule=: %%SYS-5-CONFIG_I: Configured from console by vty%-:number%
> (%cisco.ip:ipv4%)
> rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word%
> on vty%-:number% (%cisco.ip:ipv4%)
> rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word%
> on console
>
> # lognormalizer -r test.rulebase
> Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console
> [cee at 115 originalmsg="Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured
> from console by console" unparsed-data=""]
> Sep 18 13:09:02: %SYS-5-CONFIG_I: Configured from console by vty0
> (192.168.1.1)
> [cee at 115 cisco.ip="192.168.1.1" date="Sep 18 13:09:02:"]
> Sep 18 13:15:29: %SYS-5-CONFIG_I: Configured from console by user1 on
> vty0 (192.168.1.2)
> [cee at 115 cisco.ip="192.168.1.2" cisco.user="user1" date="Sep 18
> 13:15:29:"]
> Sep 18 13:29:28: %SYS-5-CONFIG_I: Configured from console by user2 on
> console
> [cee at 115 cisco.user="user2" date="Sep 18 13:29:28:"]
> 
> =========================================================================================================
>
>
> The first message ("_Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured 
> from
> console by console__"_) is not being parsed correctly.
>
> Output from lognormalizer in verbose mode:
>
> I'm working on a CentOS 6.4 virtual machine, and next packages have
> been installed:
>
> rsyslog-mmjsonparse-7.4.4-2.el6.x86_64
> rsyslog-debuginfo-7.4.4-2.el6.x86_64
> rsyslog-mysql-7.4.4-2.el6.x86_64
> rsyslog-elasticsearch-7.4.4-2.el6.x86_64
> rsyslog-udpspoof-7.4.4-2.el6.x86_64
> rsyslog-7.4.4-2.el6.x86_64
> rsyslog-mmnormalize-7.4.4-2.el6.x86_64
>
> Jose Castillo
> MicroTech ESS Contract
> Phone (410) 597-0194
> OTSO/DNE/NMB/NMST
> Jose.Castillo at ssa.gov [1]
>
>
>
> Links:
> ------
> [1] mailto:Jose.Castillo at ssa.gov

-- 
--
- Champ Clark III
   Quadrant Information Security [http://quadrantsec.com]
   o: 904.296.9100 x101
   o: 800.539.9357 x101

More information about the Lognorm mailing list