Guest User

cisco plugin.conf

a guest
Feb 28th, 2019
140
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #############################################################################
  2. # Copyright (c) 2017 Balabit
  3. #
  4. # This program is free software; you can redistribute it and/or modify it
  5. # under the terms of the GNU General Public License version 2 as published
  6. # by the Free Software Foundation, or (at your option) any later version.
  7. #
  8. # This program is distributed in the hope that it will be useful,
  9. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  10. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  11. # GNU General Public License for more details.
  12. #
  13. # You should have received a copy of the GNU General Public License
  14. # along with this program; if not, write to the Free Software
  15. # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
  16. #
  17. # As an additional exemption you are allowed to compile & link against the
  18. # OpenSSL libraries as published by the OpenSSL project. See the file
  19. # COPYING for details.
  20. #
  21. #############################################################################
  22.  
  23. #
  24. # logging timestamps
  25. # logging timezone
  26. # logging sequence-id
  27. # logging origin-id
  28. # logging fraction of a second
  29. #
  30. #
  31. # <pri>(sequence: )?(origin: )?(timestamp? timezone?: )?%msg
  32.  
  33. #<189>29: foo: *Apr 29 13:58:40.411: %SYS-5-CONFIG_I: Configured from console by console
  34. #<190>30: foo: *Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
  35. #<190>31: foo: *Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 started - CLI initiated<189>32: 0.0.0.0: *Apr 29 13:59:12.491: %SYS-5-CONFIG_I: Configured from console by console<189>33: 0.0.0.0: *Apr 29 13:59:26.415: %SYS-5-CONFIG_I: Configured from console by console<189>34: 0.0.0.0: *Apr 29 13:59:56.603: %SYS-5-CONFIG_I: Configured from console by console^[[<189>35: *Apr 29 14:00:16.059: %SYS-5-CONFIG_I: Configured from console by console
  36. #<190>32: foo: *Apr 29 13:58:46.411: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.
  37.  
  38. #
  39. # parses a cisco timestamp with explicit date-parser
  40. # It ignores msec and year information
  41. #
  42. block parser cisco-timestamp-parser(template()) {
  43. channel {
  44. rewrite {
  45. set("`template`" value('1'));
  46. };
  47.  
  48. if {
  49. # timestamp from Cisco Unified Call Manager, example "Jun 14 11:57:27 PM.685 UTC"
  50. # NOTE: drops msecs and timezone
  51. filter { match('^[.*]?([A-Za-z]{3} [0-9 ]\d \d{2}:\d{2}:\d{2} ((AM)|(PM)))' value('1') flags(store-matches)); };
  52. parser { date-parser(format('%b %d %H:%M:%S %p') template("$1")); };
  53. } elif {
  54. # timestamp without AM/PM mark, example: "Apr 29 13:58:40.411"
  55. # NOTE: drops msecs and timezone
  56. filter { match('^[.*]?([A-Za-z]{3} [0-9 ]\d \d{2}:\d{2}:\d{2})' value('1') flags(store-matches)); };
  57. parser { date-parser(format('%b %d %H:%M:%S') template("$1")); };
  58. } elif {
  59. # timestamp with year information, example: "Apr 29 2017 13:58:40.411"
  60. filter { match('^[.*]?([A-Za-z]{3} [0-9 ]\d \d{4} \d{2}:\d{2}:\d{2})' value('1') flags(store-matches)); };
  61. parser { date-parser(format('%b %d %Y %H:%M:%S') template("$1")); };
  62. } else {
  63. # timestamp with year information in front, example: "2017 Apr 29 13:58:40"
  64. filter { match('^[.*]?(\d{4} [A-Za-z]{3} [0-9 ]\d \d{2}:\d{2}:\d{2})' value('1') flags(store-matches)); };
  65. parser { date-parser(format('%Y %b %d %H:%M:%S') template("$1")); };
  66. };
  67. };
  68. };
  69.  
  70. block parser cisco-triplet-parser(template() prefix()) {
  71. channel {
  72. if {
  73. parser {
  74. csv-parser(delimiters(chars('-')) template(`template`)
  75. columns('`prefix`facility', '`prefix`severity', '`prefix`mnemonic')
  76. flags(drop-invalid));
  77. };
  78. } else {
  79. parser {
  80. csv-parser(delimiters(chars('-')) template(`template`)
  81. columns('`prefix`facility', '1', '`prefix`severity', '`prefix`mnemonic')
  82. flags(drop-invalid));
  83. };
  84. rewrite { set("${`prefix`facility}-$1" value('`prefix`facility')); };
  85. };
  86. };
  87. };
  88.  
  89. block parser cisco-parser(prefix(".cisco.")) {
  90. channel {
  91. parser {
  92. # split msg and header right before the '%', Cisco messages may
  93. # have a variable number of ': ' terminated values
  94. csv-parser(delimiters(chars('') strings(': %'))
  95. columns('1', '2', '3') flags(greedy, drop-invalid));
  96.  
  97. csv-parser(delimiters(chars(':')) template("$2") columns('3'));
  98. cisco-triplet-parser(template("$3") prefix(`prefix`));
  99. };
  100. rewrite {
  101. set('%$2', value("MSG"));
  102.  
  103. # drop "<pri>seqno: " if present
  104. subst("^(<[0-9]+>)?([0-9]+)?(: )?", "", value('1'));
  105.  
  106. };
  107.  
  108. if {
  109. parser { cisco-timestamp-parser(template("$1")); };
  110. } elif {
  111. filter { match("^(?'HOST'[^:]+): (.*)" value('1') flags(store-matches) type(pcre)); };
  112. parser { cisco-timestamp-parser(template("$2")); };
  113. } elif {
  114. filter { match("^(?'HOST'[^:]+)$" value('1') flags(store-matches) type(pcre)); };
  115. } else {
  116. filter { match("^$" value('1') flags(store-matches) type(pcre)); };
  117. };
  118. };
  119. };
  120.  
  121. application cisco[syslog-raw] {
  122. parser { cisco-parser(); };
  123. };
RAW Paste Data