
question: decoding cisco syslog messages using pmciscoios
Hi,

After installing rsyslog and rsyslog-pmciscoios, I'm able to load the
module without issues using the example present in the documentation.
These are the installed packages:
rsyslog.x86_64 8.2404.0.master-1710892962
rsyslog-pmciscoios.x86_64 8.2404.0.master-1710892962 @rsyslog_v8


We have been experimenting with present.origin on and off, still observing
garbled text on the logfiles, example here:
https://pastebin.com/wQ8LbwfP

The device pushing the logs is a cisco switch c2960x running the
following ios: c2960x-universalk9-mz.152-7.E7.bin

The configuration on the switch is as follows:
logging trap notifications
logging origin-id hostname
logging facility syslog
logging source-interface Vlan275
logging snmp-trap emergencies
logging snmp-trap alerts
logging snmp-trap critical
logging snmp-trap errors
logging snmp-trap warnings
logging host 10.150.0.7 transport tcp port 20514
logging host 192.168.190.226 transport tcp port 20514

Any help would be greatly appreciated.


Thank you,
Pedro Caetano
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: question: decoding cisco syslog messages using pmciscoios
Please log some messages with the template RSYSLOG_DebugFormat so we can see
exactly what is being sent, along with all the variables that it's being parsed
into. (And go ahead and send those in the email rather than posting to pastebin.)

David Lang

On Wed, 20 Mar 2024, Pedro Caetano via rsyslog wrote:

Re: question: decoding cisco syslog messages using pmciscoios
OK, the rawmsg field is telling us that the body of the message sent by the
device is a bunch of nonsense (control characters with a lot of nulls).

So the problem is on the sending side, not on the rsyslog side; look at your
options there.

David Lang

On Thu, 21 Mar 2024, Pedro Caetano via rsyslog wrote:

> Date: Thu, 21 Mar 2024 12:34:43 +0000
> From: Pedro Caetano via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog@lists.adiscon.com
> Cc: Pedro Caetano <pedrocaetano@binaryflows.com>
> Subject: [rsyslog] question: decoding cisco syslog messages using pmciscoios
>
> Hi,
>
> This is the output generated:
>
> Debug line with all properties:
> FROMHOST: '172.26.0.31', fromhost-ip: '172.26.0.31', HOSTNAME:
> '172.26.0.31', PRI: 43,
> syslogtag '', programname: '', APP-NAME: '-', PROCID: '-', MSGID: '-',
> TIMESTAMP: 'Mar 21 12:03:20', STRUCTURED-DATA: '-',
> msg: '<43>934417: SWPABB1ACCP01: [syslog@9 #000?#034#003H
> #017???#034#003H #017?#001#001L#001?#000#000?#0
> 34#003?
> #010?#001#001K#005?#000#000#001)#000#000?#001#000#000#000#000#000#000#000#000??#000#000#000#000???#000#000#000#001#000#017#013?3#000#000#000#016#000#003#000#036#000#023#005?#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#00'
> escaped msg: '<43>934417: SWPABB1ACCP01: [syslog@9 #000?#034#003H
> #017???#034#003H #017?#001#001L#001?#000#000?#034#003?
> #010?#001#001K#005?#000#000#001)#000#000?#001#000#000#000#000#000#000#000#000??#000#000#000#000???#000#000#000#001#000#017#013?3#000#000#000#016#000#003#000#036#000#023#005?#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#00'
> inputname: imtcp rawmsg: '<43>934417: SWPABB1ACCP01: [syslog@9
> #000?#034#003H #017???#034#003H #017?#001#001L#001?#000#000?#034#003?
> #010?#001#001K#005?#000#000#001)#000#000?#001#000#000#000#000#000#000#000#000??#000#000#000#000???#000#000#000#001#000#017#013?3#000#000#000#016#000#003#000#036#000#023#005?#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000'
> $!:
> $.:
> $/:
>
>
>
>
> Below is the configuration in place:
>
> $DebugFile /var/log/rsyslogdebug.log
> $DebugLevel 2
>
> template(name="RSYSLOG_DebugFormat" type="list") {
> constant(value="Debug line with all properties:\nFROMHOST: '")
> property(name="fromhost")
> constant(value="', fromhost-ip: '")
> property(name="fromhost-ip")
> constant(value="', HOSTNAME: '")
> property(name="hostname")
> constant(value="', PRI: ")
> property(name="pri")
> constant(value=",\nsyslogtag '")
> property(name="syslogtag")
> constant(value="', programname: '")
> property(name="programname")
> constant(value="', APP-NAME: '")
> property(name="app-name")
> constant(value="', PROCID: '")
> property(name="procid")
> constant(value="', MSGID: '")
> property(name="msgid")
> constant(value="',\nTIMESTAMP: '")
> property(name="timereported")
> constant(value="', STRUCTURED-DATA: '")
> property(name="structured-data")
> constant(value="',\nmsg: '")
> property(name="msg")
> constant(value="'\nescaped msg: '")
> property(name="msg" controlcharacters="drop")
> constant(value="'\ninputname: ")
> property(name="inputname")
> constant(value=" rawmsg: '")
> property(name="rawmsg")
> constant(value="'\n$!:")
> property(name="$!")
> constant(value="\n$.:")
> property(name="$.")
> constant(value="\n$/:")
> property(name="$/")
> constant(value="\n\n")
> }
>
>
>
> #Modules
> module(load="imtcp")
> module(load="pmciscoios")
>
> #Inputs
> input(type="imtcp" port="20514" ruleset="rsyslogswitchs")
>
> #Parsers
> parser(name="custom.ciscoios.withOrigin" type="pmciscoios" present.origin="on")
>
>
> #Rules
> ruleset(name="rsyslogswitchs" parser="custom.ciscoios.withOrigin"){
> *.* /var/log/remote-syslog/testesw3.log;RSYSLOG_DebugFormat
> }
>
> Best,
> Pedro
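The check David applies by eye, done programmatically, as an added example that is not part of the thread or of rsyslog: it pulls each rawmsg out of a file written with the RSYSLOG_DebugFormat template, undoes rsyslog's #ooo control-character escaping and reports whether the body is Cisco IOS text or mostly NUL/control bytes (a sender-side problem), and it goes one step further by separating "clean text that pmciscoios will not parse" from "corrupt bytes". The IOS line shape, the 20% threshold and every sample except the thread's own garbled capture are assumptions.

```python
"""Triage rawmsg values captured with rsyslog's RSYSLOG_DebugFormat template.

With rsyslog's default on-receive escaping, every control byte in a received
message is rewritten as '#' plus three octal digits. A rawmsg dominated by
'#000', '#003', ... therefore means the device itself sent NUL/control bytes:
no parser option (pmciscoios, present.origin, ...) can recover text that was
never sent, so the fix belongs on the sender.
"""
import re

# rsyslog's escape form: '#' followed by exactly three octal digits.
ESCAPE_RE = re.compile(r"#([0-7]{3})")

# A well-formed Cisco IOS syslog line (assumed shape): PRI, optional sequence
# number, optional origin-id hostname, optional timestamp, then
# %FACILITY-SEVERITY-MNEMONIC: free text.
CISCO_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"
    r"(?:(?P<origin>[A-Za-z0-9_.-]+): )?"
    r"(?:\*?[A-Z][a-z]{2} +\d+(?: \d{4})? [\d:.]+(?: [A-Z]+)?: )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$",
    re.S,
)
# The same header without the mnemonic part, used to isolate the body of a
# message that CISCO_RE rejected.
HEADER_RE = re.compile(r"^<\d{1,3}>(?:\d+: )?(?:[A-Za-z0-9_.-]+: )?")

# RSYSLOG_DebugFormat writes "rawmsg: '<raw>'" and then a "$!:" line.
RAWMSG_RE = re.compile(r"rawmsg: '(.*?)'\n\$!:", re.S)


def unescape(escaped: str) -> bytes:
    """Undo the #ooo escaping and return the bytes the device actually sent.
    Characters the capture could not render ('?' in the thread's paste) are
    passed through, so they count as printable and the verdict stays
    conservative."""
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(escaped):
        out += escaped[pos:m.start()].encode("latin-1", "replace")
        out.append(int(m.group(1), 8))
        pos = m.end()
    out += escaped[pos:].encode("latin-1", "replace")
    return bytes(out)


def control_stats(body: bytes) -> dict:
    """Count C0 control bytes (tab excluded) and DEL, plus NULs specifically."""
    if not body:
        return {"bytes": 0, "control": 0, "nul": 0, "ratio": 0.0}
    control = sum(1 for b in body if (b < 0x20 and b != 0x09) or b == 0x7F)
    return {"bytes": len(body), "control": control,
            "nul": body.count(0), "ratio": control / len(body)}


def triage(rawmsg: str, threshold: float = 0.2) -> dict:
    """Classify one rawmsg: 'cisco' (parseable IOS line), 'sender-corruption'
    (body is mostly control bytes, fix the sending device) or 'unrecognised'
    (clean text, but not in the format pmciscoios expects)."""
    m = CISCO_RE.match(rawmsg)
    if m:
        return {"verdict": "cisco", **m.groupdict()}
    h = HEADER_RE.match(rawmsg)
    header = rawmsg[:h.end()] if h else ""
    stats = control_stats(unescape(rawmsg[len(header):]))
    verdict = "sender-corruption" if stats["ratio"] >= threshold else "unrecognised"
    return {"verdict": verdict, "header": header, **stats}


def triage_debug_log(debug_text: str, threshold: float = 0.2) -> list:
    """Run triage over every rawmsg in a file written with RSYSLOG_DebugFormat."""
    return [triage(raw, threshold) for raw in RAWMSG_RE.findall(debug_text)]


# Samples. GARBLED is the start of the capture posted in the thread; CLEAN and
# FREETEXT are constructed lines in the shapes IOS produces.
GARBLED = ("<43>934417: SWPABB1ACCP01: [syslog@9 #000?#034#003H #017???#034#003H "
           "#017?#001#001L#001?#000#000?#034#003?#010?#001#001K#005?#000#000#001)"
           "#000#000?#001#000#000#000#000#000#000#000#000")
CLEAN = ("<189>934418: SWPABB1ACCP01: Mar 21 12:03:20.512 UTC: "
         "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)")
FREETEXT = "<43>934419: SWPABB1ACCP01: plain text without an IOS mnemonic"

# A two-record excerpt in the shape RSYSLOG_DebugFormat writes (constructed).
DEBUG_LOG = (
    "Debug line with all properties:\nFROMHOST: '172.26.0.31', PRI: 43,\n"
    "inputname: imtcp rawmsg: '" + GARBLED + "'\n$!:\n$.:\n$/:\n\n"
    "Debug line with all properties:\nFROMHOST: '172.26.0.31', PRI: 189,\n"
    "inputname: imtcp rawmsg: '" + CLEAN + "'\n$!:\n$.:\n$/:\n\n"
)

if __name__ == "__main__":
    for record in triage_debug_log(DEBUG_LOG):
        print(record)
```

Point it at the real debug file (`/var/log/remote-syslog/testesw3.log` in the thread) instead of DEBUG_LOG to see the verdict for every message the switch sent.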
Re: question: decoding cisco syslog messages using pmciscoios
I'll strip the configuration to the bare minimum and report back.

Thank you for your patience.

Best,
Pedro

On Thu, Mar 21, 2024 at 1:29 PM David Lang <david@lang.hm> wrote:
Re: question: decoding cisco syslog messages using pmciscoios
Starting from a minimal configuration on the switch solved the issue.

Thank you for your time and patience.

Best,
Pedro Caetano

On Thu, Mar 21, 2024 at 6:07 PM Pedro Caetano <pedrocaetano@binaryflows.com> wrote:
Re: question: decoding cisco syslog messages using pmciscoios
Good to hear. If you can identify what in the logging configuration was
different that caused this problem, please post it to the list so that others
can learn from it.

David Lang

On Fri, 22 Mar 2024, Pedro Caetano via rsyslog wrote:

Re: question: decoding cisco syslog messages using pmciscoios
Hi David, all,

Basically I redid the logging configuration with the bare minimum.
In my case:
logging origin-id hostname
logging facility syslog
logging host 10.150.0.7



I suspect that specifying multiple log levels to be forwarded renders
this behavior.


Best,
Pedro

On Fri, Mar 22, 2024 at 9:14 PM David Lang <david@lang.hm> wrote: