It could be that there is more than that different about this message;
we’ll see in the palindromicity issue.


On October 31, 2018 at 00:26:37, Muhammed Irshad ([email protected])
wrote:

Got it. I have raised an issue
<https://github.com/palindromicity/simple-syslog-5424/issues/19> on the
parser page.
As a workaround to test the syslog parser with this message, could you
please add the '-' in place of structured data in the message? I tried a few
combinations and nothing worked. Maybe I am adding it in the wrong place.

On Wed, Oct 31, 2018 at 1:40 AM Otto Fowler <[email protected]> wrote:

> https://tools.ietf.org/html/rfc5424#section-6.3
>
>
> On October 30, 2018 at 15:03:20, Muhammed Irshad ([email protected])
> wrote:
>
> Thanks Otto. BasicISEParser worked well. Could you please elaborate more
> on structured data? Is it something in the header or the message field of the
> syslog message in my example? Just to understand the working of the syslog
> parser library in detail, to extend it in future.
> Also, can I filter fields when using BasicISEParser? I know we can filter
> messages with Stellar, but can we filter fields? Like indexing only the
> fields of interest?
>
> On Tue, Oct 30, 2018 at 11:29 PM Otto Fowler <[email protected]>
> wrote:
>
>> Per the spec which this is written to, if you don’t have structured data,
>> you need to have a '-' marker. So this is not valid 5424. That is from a
>> cursory look.
>> Metron has a dedicated ISE parser, have you tried that?
>>
>> If you would like to have the parser have a setting to optionally accept
>> missing structured data, you can open an issue @
>> https://github.com/palindromicity/simple-syslog-5424/issues
>> If/when resolved there, a JIRA to pick up the change in Metron can be
>> logged.
>>
>>
>>
>> On October 30, 2018 at 13:38:39, Muhammed Irshad ([email protected])
>> wrote:
>>
>> I am trying to test the existing Syslog5424Parser with the logs from my
>> cisco:ise log data. I am getting the below error message under
>> MessageParserResult. Is the below format supported by the existing syslog
>> parser? Or can I configure it to support this format?
>>
>> Message sample :
>> <182>1 2018-10-05T08:46:06+00:00 lxapp1492-admin.in.mycompany.com
>> CISE_Profiler 0038547765 1 0 2018-10-05 18:46:06.972 +10:00 0538115228
>> 80002 INFO  Profiler: Profiler EndPoint profiling event occurred,
>> ConfigVersionId=267, OperatingSystem=FreeBSD 10.0-CURRENT (accuracy 92%),
>> EndpointCertainityMetric=160, EndpointIPAddress=192.168.88.55,
>> EndpointMacAddress=F8:0D:60:FF:86:E5, EndpointMatchedPolicy=Canon-Printer,
>>
>> Error message :
>> com.github.palindromicity.syslog.dsl.ParseException: Syntax error @ 1:93
>> no viable alternative at input '1'
>>
>> --
>> Muhammed Irshad K T
>> Senior Software Engineer
>> +919447946359
>> [email protected]
>> Skype : muhammed.irshad.k.t
>>
>>
>
>
>

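Otto's point about the mandatory '-' marker, as an added example that is not from the thread, from Metron or from simple-syslog-5424: a small Python reading of the RFC 5424 HEADER / STRUCTURED-DATA grammar that rejects the Cisco ISE sample at the same column the ParseException above reports, and shows where the NILVALUE has to go. The regex, the function names and the truncated sample line are my own constructions; TIMESTAMP is only checked to be a single token.

```python
import re
# Constructed sample: the Cisco ISE line from the thread (truncated). MSGID "1" is followed
# by "0" where RFC 5424 requires STRUCTURED-DATA: '-' or one or more "[...]" elements.
ISE_SAMPLE = ("<182>1 2018-10-05T08:46:06+00:00 lxapp1492-admin.in.mycompany.com "
              "CISE_Profiler 0038547765 1 0 2018-10-05 18:46:06.972 +10:00 0538115228 "
              "80002 INFO  Profiler: Profiler EndPoint profiling event occurred,")

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID (RFC 5424 s6);
# the trailing SP separates it from STRUCTURED-DATA. Field widths are the RFC's maxima.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) (?P<timestamp>\S+) "
    r"(?P<hostname>\S{1,255}) (?P<appname>\S{1,48}) (?P<procid>\S{1,128}) "
    r"(?P<msgid>\S{1,32}) ")

def _sd_element_end(line, start):
    # Return the index just past the ']' closing the SD-ELEMENT opened at line[start].
    i = start + 1
    while i < len(line) and line[i] != "]":
        i += 2 if line[i] == "\\" else 1     # s6.3.3: '"', '\' and ']' are backslash-escaped
    if i >= len(line):
        raise ValueError("unterminated SD-ELEMENT at column %d" % start)
    return i + 1

def parse_5424(line):
    # Split one RFC 5424 message into header fields, structured data and MSG.
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("malformed RFC 5424 HEADER")
    fields, pos = m.groupdict(), m.end()
    fields["pri"] = int(fields["pri"])
    if line.startswith("-", pos):           # NILVALUE: message carries no structured data
        fields["sd"], pos = None, pos + 1
    elif line.startswith("[", pos):         # 1*SD-ELEMENT
        start = pos
        while line.startswith("[", pos):
            pos = _sd_element_end(line, pos)
        fields["sd"] = line[start:pos]
    else:                                   # this is the branch the ISE sample lands in
        raise ValueError("expected STRUCTURED-DATA ('-' or '[') at column %d, got %r"
                         % (pos, line[pos:pos + 1]))
    if pos < len(line) and line[pos] != " ":
        raise ValueError("expected SP after STRUCTURED-DATA at column %d" % pos)
    fields["msg"] = line[pos + 1:] if pos < len(line) else None   # MSG is optional
    return fields

def insert_nil_sd(line):
    # The workaround asked about in the thread: put the NILVALUE '-' right after MSGID.
    end = HEADER_RE.match(line).end()
    return line[:end] + "- " + line[end:]
```

Column 93 is the same position the thread's ParseException reports (Syntax error @ 1:93), and insert_nil_sd puts the '-' between MSGID and the start of the ISE payload, which then parses with the whole ISE record as MSG.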