
cisco plugin.conf

  1. #############################################################################
  2. # Copyright (c) 2017 Balabit
  3. #
  4. # This program is free software; you can redistribute it and/or modify it
  5. # under the terms of the GNU General Public License version 2 as published
  6. # by the Free Software Foundation, or (at your option) any later version.
  7. #
  8. # This program is distributed in the hope that it will be useful,
  9. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  10. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  11. # GNU General Public License for more details.
  12. #
  13. # You should have received a copy of the GNU General Public License
  14. # along with this program; if not, write to the Free Software
  15. # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
  16. #
  17. # As an additional exemption you are allowed to compile & link against the
  18. # OpenSSL libraries as published by the OpenSSL project. See the file
  19. # COPYING for details.
  20. #
  21. #############################################################################
  22.  
  23. #
  24. # logging timestamps
  25. # logging timezone
  26. # logging sequence-id
  27. # logging origin-id
  28. # logging fraction of a second
  29. #
  30. #
  31. # <pri>(sequence: )?(origin: )?(timestamp? timezone?: )?%msg
  32.  
  33. #<189>29: foo: *Apr 29 13:58:40.411: %SYS-5-CONFIG_I: Configured from console by console
  34. #<190>30: foo: *Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
  35. #<190>31: foo: *Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 started - CLI initiated
#<189>32: 0.0.0.0: *Apr 29 13:59:12.491: %SYS-5-CONFIG_I: Configured from console by console
#<189>33: 0.0.0.0: *Apr 29 13:59:26.415: %SYS-5-CONFIG_I: Configured from console by console
#<189>34: 0.0.0.0: *Apr 29 13:59:56.603: %SYS-5-CONFIG_I: Configured from console by console
#<189>35: *Apr 29 14:00:16.059: %SYS-5-CONFIG_I: Configured from console by console
  36. #<190>32: foo: *Apr 29 13:58:46.411: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.
  37.  
  38. #
  39. # parses a cisco timestamp with explicit date-parser
  40. # It ignores msec and year information
  41. #
  42. block parser cisco-timestamp-parser(template()) {
  43.     channel {
  44.         rewrite {
  45.             set("`template`" value('1'));
  46.         };
  47.  
  48.         if {
  49.             # timestamp from Cisco Unified Call Manager, example "Jun 14 11:57:27 PM.685 UTC"
  50.             # NOTE: drops msecs and timezone
  51.             filter { match('^[.*]?([A-Za-z]{3} [0-9 ]\d \d{2}:\d{2}:\d{2} ((AM)|(PM)))' value('1') flags(store-matches)); };
  52.             parser { date-parser(format('%b %d %H:%M:%S %p') template("$1")); };
  53.         } elif {
  54.             # timestamp without AM/PM mark, example: "Apr 29 13:58:40.411"
  55.             # NOTE: drops msecs and timezone
  56.             filter { match('^[.*]?([A-Za-z]{3} [0-9 ]\d \d{2}:\d{2}:\d{2})' value('1') flags(store-matches)); };
  57.             parser { date-parser(format('%b %d %H:%M:%S') template("$1")); };
  58.         } elif {
  59.             # timestamp with year information, example: "Apr 29 2017 13:58:40.411"
  60.             filter { match('^[.*]?([A-Za-z]{3} [0-9 ]\d \d{4} \d{2}:\d{2}:\d{2})' value('1') flags(store-matches)); };
  61.             parser { date-parser(format('%b %d %Y %H:%M:%S') template("$1")); };
  62.         } else {
  63.             # timestamp with year information in front, example: "2017 Apr 29 13:58:40"
  64.             filter { match('^[.*]?(\d{4} [A-Za-z]{3} [0-9 ]\d \d{2}:\d{2}:\d{2})' value('1') flags(store-matches)); };
  65.             parser { date-parser(format('%Y %b %d %H:%M:%S') template("$1")); };
  66.         };
  67.     };
  68. };
  69.  
  70. block parser cisco-triplet-parser(template() prefix()) {
  71.     channel {
  72.         if {
  73.             parser {
  74.                 csv-parser(delimiters(chars('-')) template(`template`)
  75.                            columns('`prefix`facility', '`prefix`severity', '`prefix`mnemonic')
  76.                            flags(drop-invalid));
  77.             };
  78.         } else {
  79.             parser {
  80.                 csv-parser(delimiters(chars('-')) template(`template`)
  81.                            columns('`prefix`facility', '1', '`prefix`severity', '`prefix`mnemonic')
  82.                            flags(drop-invalid));
  83.             };
  84.             rewrite { set("${`prefix`facility}-$1" value('`prefix`facility')); };
  85.         };
  86.     };
  87. };
  88.  
  89. block parser cisco-parser(prefix(".cisco.")) {
  90.     channel {
  91.         parser {
  92.             # split msg and header right before the '%', Cisco messages may
  93.             # have a variable number of ': ' terminated values
  94.             csv-parser(delimiters(chars('') strings(': %'))
  95.                        columns('1', '2', '3') flags(greedy, drop-invalid));
  96.  
  97.             csv-parser(delimiters(chars(':')) template("$2") columns('3'));
  98.             cisco-triplet-parser(template("$3") prefix(`prefix`));
  99.         };
  100.         rewrite {
  101.             set('%$2', value("MSG"));
  102.  
  103.             # drop "<pri>seqno: " if present
  104.             subst("^(<[0-9]+>)?([0-9]+)?(: )?", "", value('1'));
  105.  
  106.         };
  107.  
  108.         if {
  109.             parser { cisco-timestamp-parser(template("$1")); };
  110.         } elif {
  111.             filter { match("^(?'HOST'[^:]+): (.*)" value('1') flags(store-matches) type(pcre)); };
  112.             parser { cisco-timestamp-parser(template("$2")); };
  113.         } elif {
  114.             filter { match("^(?'HOST'[^:]+)$" value('1') flags(store-matches) type(pcre)); };
  115.         } else {
  116.             filter { match("^$" value('1') flags(store-matches) type(pcre)); };
  117.         };
  118.     };
  119. };
  120.  
  121. application cisco[syslog-raw] {
  122.         parser { cisco-parser(); };
  123. };