Oh, I also add a field "ciscoswitch" with a boolean value of 1, to make it 
SUPER easy to create a cisco switch stream without making graylog ALSO 
regex match. Now you can configure thresholds on your entire network log 
stream.

On Friday, June 27, 2014 10:25:15 AM UTC-4, Scotty H wrote:
>
> I've been using logstash on another interface on the same box as graylog 
> to capture a few different switch formats. If you can set up a separate IP 
> or drop in another NIC on your server, this will work just fine for you. I 
> don't think certain (or all?) cisco switches/IOS revisions can support 
> changing the syslog destination port - hence why I used a separate 
> interface.
>
> First, you need to configure your switches to use a specific log format 
> that makes them all reasonably consistent:
>
>> service timestamps log datetime msec localtime
>> no logging message-counter syslog
>> logging origin-id hostname
>> logging facility syslog
>> logging <logserver IP address>
>
> Some IOS versions don't support some of these commands, and that's OK, 
> don't panic - there were some logging format revisions around the 12.X 
> versions of code and my logstash grok patterns should figure it all out for 
> you. You should update your firmware anyways. I didn't want sequence 
> numbers in my logs, so I strip them out - they seem redundant to me if I 
> have a timestamp. You may want them. I leave that up to you to figure out 
> if that's a problem. Google them, there are a few articles talking about 
> this.
>
> Then, set up logstash and use a config similar to this one:
>
>
>> input {
>>         udp {
>>                 host => 
>> "YOUR-SEPARATE-INTERFACE-HERE-DONT-FORGET-TO-CHANGE-THIS"
>>                 port => 514
>>                 type => syslog
>>         }
>> }
>>
>> filter {
>> grok {
>>  patterns_dir => ["grokpatterns"]
>>  match => [
>> #Nice, Lovely, Compliant, Configurable Cisco Switches
>>         "message", 
>> "%{SYSLOG5424PRI}:%{SPACE}%{USERNAME:hostname}:%{SPACE}%{CISCOTIMESTAMP}:%{SPACE}%{CISCOMNEMONIC:category}:%{SPACE}%{GREEDYDATA:logmessage}",
>> #Buggy configurable cisco switches
>>         "message", 
>> "%{SYSLOG5424PRI}:%{SPACE}%{USERNAME:hostname}:%{SPACE}.?%{CISCOTIMESTAMP}:%{SPACE}%{CISCOMNEMONIC:category}:%{SPACE}%{GREEDYDATA:logmessage}",
>> # Unconfigurable Cisco Switches
>>         "message", 
>> "%{SYSLOG5424PRI}%{NUMBER:sequencenumber}:%{SPACE}%{CISCOTIMESTAMP}:%{SPACE}%{CISCOMNEMONIC:category}:%{SPACE}%{GREEDYDATA:logmessage}"
>>           ]
>>  overwrite => [ "host"  ]
>>  remove_field => ["sequencenumber", "type", "version" ]
>>  add_field => [
>>         "ciscoswitch", "1",
>>         "IP", "%{host}"
>>         ]
>> }
>> if [hostname] {
>>         if [IP] {
>>                 mutate {
>>                         replace         => [ "host", "%{hostname}" ]
>>                         remove_field    => [ "hostname"]
>>                 }
>>         }
>> }
>> }
>>
>> output {
>> gelf {
>>         host => "YOURGRAYLOGSERVERHERE-DONT-FORGET-TO-CHANGE-THIS"
>>         port => 12201
>> }
>> }
>
>
>
> I did this before graylog started to have its own method for doing this - 
> so I didn't bother going down that route to figure out how to convert this. 
> This ought to get you started at least. I'd prefer that - less moving 
> parts, but the learning curve was too steep and too few examples exist.
>
>
> On Wednesday, May 28, 2014 7:24:41 AM UTC-4, Washington Gomez wrote:
>>
>> Hi, we have 60 x 2960 Cisco switches.
>> I tried sending to an input called "plain text" that uses UDP instead of the syslog 
>> input option, and all the logs stay in one stream.
>> The problem now is that it only shows the IP address, not the hostname.
>>
>> The first source name was when I sent the logs to a syslog UDP input; 
>> the 10.100.255.24 IP address is the switch when I change the input to the 
>> plain text UDP option.
>>
>> What is the best input option to handle Cisco logs in graylog2? 
>>
>> I updated to the latest version but the issue is not solved.
>>
>>
>>
>> On Wednesday, May 7, 2014 16:20:43 UTC-3, lennart wrote:
>>>
>>> Cisco is usually not sending valid RFC syslog and the parsing fails. 
>>> What device is sending this? Can you post (full, non-parsed) example 
>>> messages?
>>>
>>>
>>> On Wed, May 7, 2014 at 1:57 PM, Washington Gomez <[email protected]> 
>>> wrote:
>>>
>>>>  
>>>> <https://lh6.googleusercontent.com/-sMBx3Id-Yc4/U2ofgBLPJII/AAAAAAAATH8/pgn1EgGbctI/s1600/Dibujo.PNG>
>>>>
>>>>  -- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "graylog2" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>>>

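To see what the three grok alternatives in Scotty H's logstash config actually do to a raw Cisco line, here is an added Python emulation of that filter chain (grok match in order, `remove_field`, `add_field`, then the `hostname` -> `host` swap). It is not code from the thread or from logstash; the regexes are hand-written equivalents of the grok primitives, the `CISCOMNEMONIC` definition is an assumption (the poster's `grokpatterns` directory is not shown), and the sample syslog lines and source IPs are constructed.

```python
import re

# Regex equivalents of the grok primitives used in the posted config.
# CISCOMNEMONIC is an assumption: the poster kept it in a custom patterns_dir
# that is not part of the thread. Typical IOS mnemonics look like %SYS-5-CONFIG_I.
SYSLOG5424PRI = r"<\d+>"
USERNAME = r"(?P<hostname>[a-zA-Z0-9._-]+)"
MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
CISCOTIMESTAMP = (
    rf"(?P<timestamp>{MONTH} +\d{{1,2}}(?: \d{{4}})? \d{{1,2}}:\d{{2}}:\d{{2}}(?:\.\d+)?)"
)
CISCOMNEMONIC = r"(?P<category>%[A-Z0-9_]+-[0-7]-[A-Z0-9_]+)"
SEQUENCE = r"(?P<sequencenumber>\d+)"
SPACE = r"\s*"
GREEDYDATA = r"(?P<logmessage>.*)"

# Same order as the posted match array; grok stops at the first pattern that matches.
PATTERNS = [
    # Nice, lovely, compliant, configurable Cisco switches
    ("configured", re.compile(
        rf"^{SYSLOG5424PRI}:{SPACE}{USERNAME}:{SPACE}{CISCOTIMESTAMP}:{SPACE}"
        rf"{CISCOMNEMONIC}:{SPACE}{GREEDYDATA}$")),
    # Buggy configurable switches: the ".?" swallows the "*" or "." clock-status marker
    ("buggy", re.compile(
        rf"^{SYSLOG5424PRI}:{SPACE}{USERNAME}:{SPACE}.?{CISCOTIMESTAMP}:{SPACE}"
        rf"{CISCOMNEMONIC}:{SPACE}{GREEDYDATA}$")),
    # Unconfigurable switches: sequence number, no origin-id hostname
    ("unconfigurable", re.compile(
        rf"^{SYSLOG5424PRI}{SEQUENCE}:{SPACE}{CISCOTIMESTAMP}:{SPACE}"
        rf"{CISCOMNEMONIC}:{SPACE}{GREEDYDATA}$")),
]


def parse_event(message: str, source_ip: str) -> dict:
    """Emulate the posted filter block for one UDP datagram.

    `source_ip` plays the role of the `host` field logstash fills from the
    sender address; `_pattern` is a diagnostic added here, not a logstash field.
    """
    event = {"message": message, "host": source_ip}
    for name, regex in PATTERNS:
        match = regex.match(message)
        if match:
            event.update({k: v for k, v in match.groupdict().items() if v is not None})
            event["_pattern"] = name
            break
    else:
        # What logstash does when no grok alternative matches.
        event["tags"] = ["_grokparsefailure"]
        return event

    # remove_field => ["sequencenumber", ...] and add_field => [...]
    event.pop("sequencenumber", None)
    event["ciscoswitch"] = "1"
    event["IP"] = event["host"]

    # if [hostname] { if [IP] { mutate { replace host, remove hostname } } }
    if "hostname" in event and "IP" in event:
        event["host"] = event.pop("hostname")
    return event


# Constructed sample datagrams (line, sender IP); not captured from real devices.
SAMPLES = [
    ("<189>: sw-core-1: Jun 27 10:25:15.123: %SYS-5-CONFIG_I: "
     "Configured from console by admin on vty0 (10.0.0.5)", "10.100.255.21"),
    ("<189>: sw-access-7: *Jun 27 10:25:16.004: %LINK-3-UPDOWN: "
     "Interface GigabitEthernet0/1, changed state to down", "10.100.255.22"),
    ("<189>42: Jun 27 10:25:17.500: %LINEPROTO-5-UPDOWN: "
     "Line protocol on Interface GigabitEthernet0/1, changed state to down", "10.100.255.24"),
    ("<189>: sw-core-1: Jun 27 10:25:18.000: garbage", "10.100.255.21"),
]


def parse_samples() -> list:
    """Run every constructed sample through the emulated filter."""
    return [parse_event(line, ip) for line, ip in SAMPLES]


if __name__ == "__main__":
    for event in parse_samples():
        print(event.get("_pattern", "FAILED"), event["host"], event.get("category"))
```

The third sample is the case Washington Gomez describes: with no `logging origin-id hostname` the line carries only a sequence number, so `hostname` is never captured and `host` stays the sender IP (10.100.255.24 here). The `ciscoswitch` field is only set on lines that grok accepted, so a stream rule on it never picks up a `_grokparsefailure` event.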