I've been using logstash on another interface on the same box as graylog to
capture a few different switch formats. If you can set up a separate IP or
drop in another NIC on your server, this will work just fine for you. I
don't think certain (or all?) Cisco switches/IOS revisions support changing
the syslog destination port, which is why I used a separate interface.
First, you need to configure your switches to use a specific log format
that makes them all reasonably consistent:
  service timestamps log datetime msec localtime
  no logging message-counter syslog
  logging origin-id hostname
  logging facility syslog
  logging <logserver IP address>
Some IOS versions don't support some of these commands, and that's OK,
don't panic - there were some logging format revisions around the 12.X
versions of code, and my logstash grok patterns should figure it all out for
you. You should update your firmware anyway. I didn't want sequence
numbers in my logs, so I strip them out - they seem redundant to me if I
have a timestamp. You may want them. I leave it up to you to figure out
whether that's a problem. Google them; there are a few articles talking about
this.
Then, set up logstash and use a config similar to this one:
  input {
    udp {
      # Bind only to the interface the switches are pointed at, not 0.0.0.0
      host => "YOUR-SEPARATE-INTERFACE-HERE-DONT-FORGET-TO-CHANGE-THIS"
      port => 514
      type => "syslog"
    }
  }

  filter {
    grok {
      # CISCOMNEMONIC is a custom pattern; it lives in this directory
      patterns_dir => ["grokpatterns"]
      # Patterns are tried in order; the first one that matches wins
      match => [
        # Nice, Lovely, Compliant, Configurable Cisco Switches
        "message",
        "%{SYSLOG5424PRI}:%{SPACE}%{USERNAME:hostname}:%{SPACE}%{CISCOTIMESTAMP}:%{SPACE}%{CISCOMNEMONIC:category}:%{SPACE}%{GREEDYDATA:logmessage}",
        # Buggy configurable Cisco switches: the ".?" absorbs the "*" or "."
        # that IOS puts in front of the timestamp when its clock is not
        # authoritative
        "message",
        "%{SYSLOG5424PRI}:%{SPACE}%{USERNAME:hostname}:%{SPACE}.?%{CISCOTIMESTAMP}:%{SPACE}%{CISCOMNEMONIC:category}:%{SPACE}%{GREEDYDATA:logmessage}",
        # Unconfigurable Cisco Switches: sequence number, no hostname at all
        "message",
        "%{SYSLOG5424PRI}%{NUMBER:sequencenumber}:%{SPACE}%{CISCOTIMESTAMP}:%{SPACE}%{CISCOMNEMONIC:category}:%{SPACE}%{GREEDYDATA:logmessage}"
      ]
      overwrite => [ "host" ]
      # sequencenumber is only captured by the third pattern; drop it
      remove_field => ["sequencenumber", "type", "version" ]
      add_field => [
        "ciscoswitch", "1",
        # keep the sender address; "host" is the UDP source at this point
        "IP", "%{host}"
      ]
    }
    # Only the first two patterns capture a hostname; when one did, make it
    # the host field and keep the original address in IP
    if [hostname] {
      if [IP] {
        mutate {
          replace => [ "host", "%{hostname}" ]
          remove_field => [ "hostname" ]
        }
      }
    }
  }

  output {
    gelf {
      host => "YOURGRAYLOGSERVERHERE-DONT-FORGET-TO-CHANGE-THIS"
      port => 12201
    }
  }
I did this before graylog started to have its own method for doing this, so
I didn't bother going down that route to figure out how to convert this.
This ought to get you started at least. I'd prefer that - fewer moving
parts - but the learning curve was too steep and too few examples exist.
On Wednesday, May 28, 2014 7:24:41 AM UTC-4, Washington Gomez wrote:
>
> Hi, we have 60 x Cisco 2960 switches.
> I tried sending to an input called "plain text" that uses UDP instead of the
> syslog input option, and all the logs stay in one stream.
> The problem now is that it only shows the IP address, not the hostname.
>
> The first source name was when I sent the logs to a syslog UDP input; the
> 10.100.255.24 IP address is the switch when I change the input to a plain
> text UDP option.
>
> What is the best input option to handle Cisco logs in graylog2?
>
> I updated to the latest version but the issue is not solved.
>
>
>
> On Wednesday, 7 May 2014 16:20:43 UTC-3, lennart wrote:
>>
>> Cisco usually does not send valid RFC syslog, so the parsing fails. What
>> device is sending this? Can you post (full, non-parsed) example messages?
>>
>>
>> On Wed, May 7, 2014 at 1:57 PM, Washington Gomez <[email protected]>
>> wrote:
>>
>>>
>>> <https://lh6.googleusercontent.com/-sMBx3Id-Yc4/U2ofgBLPJII/AAAAAAAATH8/pgn1EgGbctI/s1600/Dibujo.PNG>
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "graylog2" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>>
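The three grok patterns from the logstash config in the reply above, re-implemented as plain Python regexes so they can be run against sample lines without a Logstash install. This is an added example, not code from the thread or from the logstash or graylog projects. It assumes a definition for the poster's custom CISCOMNEMONIC pattern (which the thread does not show), and the log lines, switch names and addresses are constructed. It also goes one step beyond the config by splitting the syslog PRI into facility and severity and checking that against the severity digit inside the Cisco mnemonic.

```python
import re

# Equivalents of the stock grok patterns the logstash config relies on.
SYSLOG5424PRI = r"<(?P<pri>\d+)>"
SPACE = r"\s*"
USERNAME = r"(?P<hostname>[a-zA-Z0-9._-]+)"
MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
# CISCOTIMESTAMP = %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}; the .msec part
# comes from "service timestamps log datetime msec".
CISCOTIMESTAMP = (r"(?P<timestamp>" + MONTH
                  + r" +\d{1,2}(?: \d{4})? \d{1,2}:\d{2}:\d{2}(?:\.\d+)?)")
# ASSUMPTION: CISCOMNEMONIC is the poster's own pattern from patterns_dir and is
# not shown in the thread; it is taken here to be the %FACILITY-SEVERITY-MNEMONIC
# token such as %LINK-3-UPDOWN.
CISCOMNEMONIC = r"(?P<category>%[A-Z0-9_]+-[0-7]-[A-Z0-9_]+)"
NUMBER = r"(?P<sequencenumber>\d+)"
GREEDYDATA = r"(?P<logmessage>.*)"

PATTERNS = [
    # 1. Compliant, configured switch: <pri>: HOST: TIMESTAMP: %MNEMONIC: text
    re.compile(SYSLOG5424PRI + ":" + SPACE + USERNAME + ":" + SPACE + CISCOTIMESTAMP
               + ":" + SPACE + CISCOMNEMONIC + ":" + SPACE + GREEDYDATA),
    # 2. "Buggy" configured switch: the ".?" absorbs the "*" or "." IOS puts in
    #    front of the timestamp when its clock is not authoritative.
    re.compile(SYSLOG5424PRI + ":" + SPACE + USERNAME + ":" + SPACE + ".?" + CISCOTIMESTAMP
               + ":" + SPACE + CISCOMNEMONIC + ":" + SPACE + GREEDYDATA),
    # 3. Unconfigurable switch: <pri>SEQ: TIMESTAMP: %MNEMONIC: text, no hostname.
    re.compile(SYSLOG5424PRI + NUMBER + ":" + SPACE + CISCOTIMESTAMP
               + ":" + SPACE + CISCOMNEMONIC + ":" + SPACE + GREEDYDATA),
]


def parse_cisco(line, sender_ip):
    """Try the patterns in order (grok's default break_on_match) and then do the
    same field plumbing as the logstash filter. Returns the event dict, or None
    where logstash would tag the event _grokparsefailure."""
    for number, pattern in enumerate(PATTERNS, start=1):
        m = pattern.match(line)
        if m is None:
            continue
        event = m.groupdict()
        event["matched_pattern"] = number
        # Extra over the original config: RFC 3164 PRI = facility * 8 + severity.
        pri = int(event.pop("pri"))
        event["facility"], event["severity"] = divmod(pri, 8)
        # The severity digit inside %FAC-SEV-MNEMONIC should agree with the PRI;
        # a mismatch means the line was mangled or the PRI was not set by IOS.
        event["severity_consistent"] = int(event["category"].split("-")[1]) == event["severity"]
        event["IP"] = sender_ip            # add_field "IP" => "%{host}" (the UDP sender)
        event["ciscoswitch"] = "1"
        event.pop("sequencenumber", None)  # remove_field
        # The mutate block: host becomes the parsed hostname only if grok captured
        # one. The no-hostname format keeps the sender IP, which is exactly the
        # "only shows the IP, not the hostname" symptom from the question.
        event["host"] = event.pop("hostname", None) or sender_ip
        return event
    return None


# Constructed sample lines (not real captures). PRIs use facility 5 (syslog),
# as set by "logging facility syslog", for the configured switches and the IOS
# default local7 (23) for the one nobody could configure. Addresses are made up.
SAMPLES = [
    ("<43>: SW-CORE-1: May 28 07:24:41.123: %LINK-3-UPDOWN: Interface "
     "GigabitEthernet1/0/1, changed state to up", "10.100.255.24"),
    ("<45>: SW-ACCESS-7: *May 28 07:24:42.001: %SYS-5-CONFIG_I: Configured from "
     "console by admin on vty0 (10.100.1.5)", "10.100.255.25"),
    ("<187>42: May 28 07:24:43.500: %LINK-3-UPDOWN: Interface FastEthernet0/24, "
     "changed state to down", "10.100.255.26"),
    # Not a Cisco line at all: none of the three patterns should claim it.
    ("<13>May 28 07:24:44 fileserver sshd[1234]: Accepted publickey for ops", "10.100.1.9"),
]


def run_samples():
    """Parse every constructed sample; None marks a _grokparsefailure."""
    return [parse_cisco(line, ip) for line, ip in SAMPLES]


if __name__ == "__main__":
    for event in run_samples():
        if event is None:
            print("_grokparsefailure")
        else:
            print(event["matched_pattern"], event["host"], event["IP"],
                  event["category"], event["severity"], event["logmessage"])
```

Run it and the third sample comes back with the sender address as host: that is the format where the switch never puts its hostname into the message, so no choice of Graylog input can recover a name the switch did not send. For those boxes the fix is on the switch side (logging origin-id hostname) or a lookup against the source address in the pipeline. The severity_consistent flag is cheap and worth keeping: a line whose PRI disagrees with its mnemonic did not come out of IOS the way it claims.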