File: //usr/share/syslog-ng/include/scl/cisco/plugin.conf
#############################################################################
# Copyright (c) 2017 Balabit
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 as published
# by the Free Software Foundation, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# As an additional exemption you are allowed to compile & link against the
# OpenSSL libraries as published by the OpenSSL project. See the file
# COPYING for details.
#
#############################################################################
#
# logging timestamps
# logging timezone
# logging sequence-id
# logging origin-id
# logging fraction of a second
#
#
# <pri>(sequence: )?(origin: )?(timestamp? timezone?: )?%msg
#<189>29: foo: *Apr 29 13:58:40.411: %SYS-5-CONFIG_I: Configured from console by console
#<190>30: foo: *Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
#<190>31: foo: *Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 started - CLI initiated<189>32: 0.0.0.0: *Apr 29 13:59:12.491: %SYS-5-CONFIG_I: Configured from console by console<189>33: 0.0.0.0: *Apr 29 13:59:26.415: %SYS-5-CONFIG_I: Configured from console by console<189>34: 0.0.0.0: *Apr 29 13:59:56.603: %SYS-5-CONFIG_I: Configured from console by console^[[<189>35: *Apr 29 14:00:16.059: %SYS-5-CONFIG_I: Configured from console by console
#<190>32: foo: *Apr 29 13:58:46.411: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.
#
# parses a cisco timestamp with explicit date-parser
# It ignores timezone information
#
block parser cisco-timestamp-parser(template()) {
channel {
filter {
match('^\*?([A-Za-z]{3} [0-9 ]\d (\d{4} )?\d{2}:\d{2}:\d{2}(\.\d{3})?( (AM|PM))?)' template(`template`) flags(store-matches));
};
parser {
date-parser(format('%b %d %I:%M:%S %p.%f',
'%b %d %I:%M:%S %p',
'%b %d %H:%M:%S.%f',
'%b %d %H:%M:%S',
'%b %d %Y %H:%M:%S.%f',
'%b %d %Y %H:%M:%S')
template("$1"));
};
};
};
block parser cisco-triplet-parser(template() prefix()) {
channel {
if {
parser {
csv-parser(delimiters(chars('-')) template(`template`)
columns('`prefix`facility', '`prefix`severity', '`prefix`mnemonic')
flags(drop-invalid));
};
} else {
parser {
csv-parser(delimiters(chars('-')) template(`template`)
columns('`prefix`facility', '1', '`prefix`severity', '`prefix`mnemonic')
flags(drop-invalid));
};
rewrite { set("${`prefix`facility}-$1" value('`prefix`facility')); };
};
};
};
block parser cisco-parser(prefix(".cisco.")) {
channel {
parser {
# split msg and header right before the '%', Cisco messages may
# have a variable number of ': ' terminated values
csv-parser(delimiters(chars('') strings(': %'))
columns('1', '2', '3') flags(greedy, drop-invalid));
csv-parser(delimiters(chars(':')) template("$2") columns('3'));
cisco-triplet-parser(template("$3") prefix(`prefix`));
};
rewrite {
set('%$2', value("MSG"));
# drop "<pri>seqno: " if present
subst("^(<[0-9]+>)?([0-9]+)?(: )?", "", value('1'));
};
if {
parser { cisco-timestamp-parser(template("$1")); };
} elif {
filter { match("^(?'HOST'[^:]+): (.*)" template('$1') flags(store-matches) type(pcre)); };
parser { cisco-timestamp-parser(template("$2")); };
} elif {
filter { match("^(?'HOST'[^:]+)$" template('$1') flags(store-matches) type(pcre)); };
} else {
filter { match("^$" template('$1') flags(store-matches) type(pcre)); };
};
};
};
application cisco[syslog-raw] {
parser { cisco-parser(); };
};