#############################################################################
# Copyright (c) 2017 Balabit
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 as published
# by the Free Software Foundation, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# As an additional exemption you are allowed to compile & link against the
# OpenSSL libraries as published by the OpenSSL project. See the file
# COPYING for details.
#
#############################################################################
#
# logging timestamps
# logging timezone
# logging sequence-id
# logging origin-id
# logging fraction of a second
#
#
# <pri>(sequence: )?(origin: )?(timestamp? timezone?: )?%msg
#<189>29: foo: *Apr 29 13:58:40.411: %SYS-5-CONFIG_I: Configured from console by console
#<190>30: foo: *Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
#<190>31: foo: *Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 started - CLI initiated<189>32: 0.0.0.0: *Apr 29 13:59:12.491: %SYS-5-CONFIG_I: Configured from console by console<189>33: 0.0.0.0: *Apr 29 13:59:26.415: %SYS-5-CONFIG_I: Configured from console by console<189>34: 0.0.0.0: *Apr 29 13:59:56.603: %SYS-5-CONFIG_I: Configured from console by console^[[<189>35: *Apr 29 14:00:16.059: %SYS-5-CONFIG_I: Configured from console by console
#<190>32: foo: *Apr 29 13:58:46.411: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.
#
# parses a cisco timestamp with explicit date-parser
# It ignores msec and year information
#
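# Parses a Cisco-style timestamp found in the expanded `template` and sets the
# message time from it. Four layouts are tried in order; a branch whose filter
# does not match falls through to the next one (syslog-ng moves on to the next
# branch when any element of the current branch fails). Milliseconds and the
# time zone are never parsed: every pattern stops at the seconds field.
#
# Params:
#   template() - template expanded to the text that holds the timestamp.
# Effect: on success date-parser() sets the message timestamp. The final else
#   branch still ends in a filter, so an unrecognised layout makes the whole
#   block fail and lets the caller's own if/elif fall through.
block parser cisco-timestamp-parser(template()) {
    channel {
        rewrite {
            # Copy the expanded template into $1 so that every branch below
            # matches and parses the same value('1').
            set("`template`" value('1'));
        };
        # In all patterns "^[.*]?" skips the single '*' or '.' that precedes the
        # timestamp (see "*Apr 29" in the samples above; Cisco IOS uses these as
        # clock-status markers), and "[0-9 ]\d" accepts a space-padded day.
        if {
            # timestamp from Cisco Unified Call Manager, example "Jun 14 11:57:27 PM.685 UTC"
            # NOTE: drops msecs and timezone
            # Must stay before the plain branch: that pattern would also match the
            # leading "Jun 14 11:57:27" of this layout and ignore the AM/PM mark.
            filter { match('^[.*]?([A-Za-z]{3} [0-9 ]\d \d{2}:\d{2}:\d{2} ((AM)|(PM)))' value('1') flags(store-matches)); };
            # %I (12-hour clock) is the conversion that pairs with %p. With %H the
            # AM/PM mark is not applied consistently across strptime
            # implementations: "11:57:27 PM" could be read as 11:57 and
            # "12:xx:xx PM" could fail outright.
            parser { date-parser(format('%b %d %I:%M:%S %p') template("$1")); };
        } elif {
            # timestamp without AM/PM mark, example: "Apr 29 13:58:40.411"
            # NOTE: drops msecs and timezone
            filter { match('^[.*]?([A-Za-z]{3} [0-9 ]\d \d{2}:\d{2}:\d{2})' value('1') flags(store-matches)); };
            parser { date-parser(format('%b %d %H:%M:%S') template("$1")); };
        } elif {
            # timestamp with year information, example: "Apr 29 2017 13:58:40.411"
            # (the branch above cannot match this: "\d{2}:" does not fit "2017 ")
            filter { match('^[.*]?([A-Za-z]{3} [0-9 ]\d \d{4} \d{2}:\d{2}:\d{2})' value('1') flags(store-matches)); };
            parser { date-parser(format('%b %d %Y %H:%M:%S') template("$1")); };
        } else {
            # timestamp with year information in front, example: "2017 Apr 29 13:58:40"
            filter { match('^[.*]?(\d{4} [A-Za-z]{3} [0-9 ]\d \d{2}:\d{2}:\d{2})' value('1') flags(store-matches)); };
            parser { date-parser(format('%Y %b %d %H:%M:%S') template("$1")); };
        };
    };
};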
# Splits a Cisco "FACILITY-SEVERITY-MNEMONIC" triplet (e.g. "SYS-5-CONFIG_I"
# in the samples above) into three name-value pairs called `prefix`facility,
# `prefix`severity and `prefix`mnemonic.
#
# Params:
#   template() - template expanded to the triplet text.
#   prefix()   - name prefix of the three resulting fields.
# Effect: both csv-parsers carry drop-invalid, so text that does not split
#   into exactly three or four '-' separated fields makes the block fail and
#   the caller's branch fall through.
block parser cisco-triplet-parser(template() prefix()) {
    channel {
        if {
            # Common case: exactly three '-' separated fields.
            parser {
                csv-parser(delimiters(chars('-')) template(`template`)
                           columns('`prefix`facility', '`prefix`severity', '`prefix`mnemonic')
                           flags(drop-invalid));
            };
        } else {
            # Facilities that themselves contain a dash (e.g.
            # "SYSMGR-STANDBY-3-SHUTDOWN_START" in the samples above) yield four
            # fields: the second part is captured into $1 and glued back onto
            # the facility by the rewrite below.
            parser {
                csv-parser(delimiters(chars('-')) template(`template`)
                           columns('`prefix`facility', '1', '`prefix`severity', '`prefix`mnemonic')
                           flags(drop-invalid));
            };
            rewrite { set("${`prefix`facility}-$1" value('`prefix`facility')); };
        };
    };
};
# Parses a raw Cisco syslog line of the shape documented at the top of this
# file: "<pri>seqno: host: timestamp: %FACILITY-SEVERITY-MNEMONIC: text".
# On success MSG is reduced to "%FACILITY-SEVERITY-MNEMONIC: text", the triplet
# is stored under `prefix`, the timestamp (when present) is parsed and HOST is
# taken from the header (when present).
#
# Params:
#   prefix() - name prefix for the facility/severity/mnemonic fields
#              (default ".cisco.").
# Effect: the block fails when the line cannot be split at ": %", when the
#   triplet does not parse (drop-invalid), or when no header branch below
#   matches, so an enclosing app-parser() can try the next application.
#
# Trust note: all header values, including HOST, come from the message body
# rather than from the transport, so they are chosen by whoever sent the
# datagram. Where the transport is unauthenticated, attribution should also
# keep the connection-level origin macros ($SOURCEIP / $FULLHOST_FROM).
block parser cisco-parser(prefix(".cisco.")) {
    channel {
        parser {
            # split msg and header right before the '%', Cisco messages may
            # have a variable number of ': ' terminated values
            # NOTE(review): three columns are declared here although the sample
            # lines above contain a single ": %" separator; confirm that
            # greedy/drop-invalid accepts fewer fields than columns, otherwise
            # ordinary messages would be rejected at this first step.
            csv-parser(delimiters(chars('') strings(': %'))
                       columns('1', '2', '3') flags(greedy, drop-invalid));
            # $2 starts with the triplet; cut it off at the first ':' into $3.
            csv-parser(delimiters(chars(':')) template("$2") columns('3'));
            cisco-triplet-parser(template("$3") prefix(`prefix`));
        };
        rewrite {
            # Drop the header from MSG and restore the '%' eaten by the delimiter.
            set('%$2', value("MSG"));
            # drop "<pri>seqno: " if present
            subst("^(<[0-9]+>)?([0-9]+)?(: )?", "", value('1'));
        };
        # What remains in $1 is "host: timestamp", "timestamp", "host" or empty.
        # The named group needs PCRE, hence type(pcre) on these filters; all
        # patterns are anchored with bounded repetition, so untrusted input
        # cannot make them backtrack excessively.
        if {
            # Header holds only a timestamp.
            parser { cisco-timestamp-parser(template("$1")); };
        } elif {
            # Header holds "host: timestamp"; the named group sets HOST.
            filter { match("^(?'HOST'[^:]+): (.*)" value('1') flags(store-matches) type(pcre)); };
            parser { cisco-timestamp-parser(template("$2")); };
        } elif {
            # Header holds only a host name.
            filter { match("^(?'HOST'[^:]+)$" value('1') flags(store-matches) type(pcre)); };
        } else {
            # Empty header; anything else fails the block.
            filter { match("^$" value('1') flags(store-matches) type(pcre)); };
        };
    };
};
# Registers cisco-parser() under the "cisco" application for the syslog-raw
# topic of the app-parser() framework. Because cisco-parser() fails on input
# it does not recognise, app-parser() can presumably move on to other
# applications for non-Cisco lines.
application cisco[syslog-raw] {
    parser { cisco-parser(); };
};