some links:
http://grokdebug.herokuapp.com/discover?#
https://groups.google.com/forum/#!searchin/logstash-users/cisco$20swich/logstash-users/t28EAx2YbMA/ulYaTbXJE-sJ
http://www.graylog2.org/extractors
On Friday, June 27, 2014 10:29:58 AM UTC-4, Scotty H wrote:
>
> Oh, I also add a field "ciscoswitch" with a boolean value of 1, to make it
> SUPER easy to create a cisco switch stream without making graylog ALSO
> regex match. Now you can configure thresholds on your entire network log
> stream.
>
> On Friday, June 27, 2014 10:25:15 AM UTC-4, Scotty H wrote:
>>
>> I've been using logstash on another interface on the same box as graylog
>> to capture a few different switch formats. If you can set up a separate IP
>> or drop in another NIC on your server, this will work just fine for you. I
>> don't think certain (or all?) cisco switches/IOS revisions can support
>> changing the syslog destination port - hence why I used a separate
>> interface.
>>
>> First, you need to configure your switches to use a specific log format
>> that makes them all reasonably consistent:
>>
>>> service timestamps log datetime msec localtime
>>> no logging message-counter syslog
>>> logging origin-id hostname
>>> logging facility syslog
>>> logging <logserver IP address>
>>
>> Some IOS versions don't support some of these commands, and that's OK,
>> don't panic - there were some logging format revisions around the 12.X
>> versions of code and my logstash grok patterns should figure it all out for
>> you. You should update your firmware anyways. I didn't want sequence
>> numbers in my logs, so I strip them out - they seem redundant to me if I
>> have a timestamp. You may want them. I leave that up to you to figure out
>> if that's a problem. Google them, there are a few articles talking about
>> this.
>>
>> Then, set up logstash and use a config similar to this one:
>>
>>
>> input {
>>> udp {
>>> host =>
>>> "YOUR-SEPARATE-INTERFACE-HERE-DONT-FORGET-TO-CHANGE-THIS"
>>> port => 514
>>> type => syslog
>>> }
>>> }
>>>
>>> filter {
>>> grok {
>>> patterns_dir => ["grokpatterns"]
>>> match => [
>>> #Nice, Lovely, Compliant, Configurable Cisco Switches
>>> "message",
>>> "%{SYSLOG5424PRI}:%{SPACE}%{USERNAME:hostname}:%{SPACE}%{CISCOTIMESTAMP}:%{SPACE}%{CISCOMNEMONIC:category}:%{SPACE}%{GREEDYDATA:logmessage}",
>>> #Buggy configurable cisco switches
>>> "message",
>>> "%{SYSLOG5424PRI}:%{SPACE}%{USERNAME:hostname}:%{SPACE}.?%{CISCOTIMESTAMP}:%{SPACE}%{CISCOMNEMONIC:category}:%{SPACE}%{GREEDYDATA:logmessage}",
>>> # Unconfigurable Cisco Switches
>>> "message",
>>> "%{SYSLOG5424PRI}%{NUMBER:sequencenumber}:%{SPACE}%{CISCOTIMESTAMP}:%{SPACE}%{CISCOMNEMONIC:category}:%{SPACE}%{GREEDYDATA:logmessage}"
>>> ]
>>> overwrite => [ "host" ]
>>> remove_field => ["sequencenumber", "type", "version" ]
>>> add_field => [
>>> "ciscoswitch", "1",
>>> "IP", "%{host}"
>>> ]
>>> }
>>> if [hostname] {
>>> if [IP] {
>>> mutate {
>>> replace => [ "host", "%{hostname}" ]
>>> remove_field => [ "hostname"]
>>> }
>>> }
>>> }
>>> }
>>>
>>> output {
>>> gelf {
>>> host => "YOURGRAYLOGSERVERHERE-DONT-FORGET-TO-CHANGE-THIS"
>>> port => 12201
>>> }
>>> }
>>
>>
>>
>> I did this before graylog started to have it's own method for doing this
>> - so I didn't bother going down that route to figure out how to convert
>> this. This ought to get you started at least. I'd prefer that - less moving
>> parts, but the learning curve was too steep and too few examples exist.
>>
>>
>> On Wednesday, May 28, 2014 7:24:41 AM UTC-4, Washington Gomez wrote:
>>>
>>> Hi, we have 60 x 2960 cisco switch.
>>> I try send to an input called "plain text" that use udp instead of
>>> syslog input option, and all the logs stay in one stream.
>>> The problem now it is that only show my de IP address, not the hostname.
>>>
>>> The first : source name was when i send the logs to a syslog udp input ,
>>> the 10.100.255.24 IP address is the switch when i change the input to a
>>> plain text udp option.
>>>
>>> What is the best input option to handle cisco logs in graylog2?
>>>
>>> I update to the last version but the issue not solved.
>>>
>>>
>>>
>>> El miércoles, 7 de mayo de 2014 16:20:43 UTC-3, lennart escribió:
>>>>
>>>> Cisco is usually not sending valid RFC syslog and the parsing fails.
>>>> What device is sending this? Can you post (full, non-parsed) example
>>>> messages?
>>>>
>>>>
>>>> On Wed, May 7, 2014 at 1:57 PM, Washington Gomez <[email protected]>
>>>> wrote:
>>>>
>>>>>
>>>>> <https://lh6.googleusercontent.com/-sMBx3Id-Yc4/U2ofgBLPJII/AAAAAAAATH8/pgn1EgGbctI/s1600/Dibujo.PNG>
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "graylog2" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>
>>>>
>>>>
--
You received this message because you are subscribed to the Google Groups
"graylog2" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
