############################################################################# # Copyright (c) 2017 Balabit # # This program is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License version 2 as published # by the Free Software Foundation, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA # # As an additional exemption you are allowed to compile & link against the # OpenSSL libraries as published by the OpenSSL project. See the file # COPYING for details. # ############################################################################# # # logging timestamps # logging timezone # logging sequence-id # logging origin-id # logging fraction of a second # # # (sequence: )?(origin: )?(timestamp? timezone?: )?%msg #<189>29: foo: *Apr 29 13:58:40.411: %SYS-5-CONFIG_I: Configured from console by console #<190>30: foo: *Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated #<190>31: foo: *Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 started - CLI initiated<189>32: 0.0.0.0: *Apr 29 13:59:12.491: %SYS-5-CONFIG_I: Configured from console by console<189>33: 0.0.0.0: *Apr 29 13:59:26.415: %SYS-5-CONFIG_I: Configured from console by console<189>34: 0.0.0.0: *Apr 29 13:59:56.603: %SYS-5-CONFIG_I: Configured from console by console^[[<189>35: *Apr 29 14:00:16.059: %SYS-5-CONFIG_I: Configured from console by console #<190>32: foo: *Apr 29 13:58:46.411: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure. # # parses a cisco timestamp with explicit date-parser # It ignores msec and year information # block parser cisco-timestamp-parser(template()) { channel { rewrite { set("`template`" value('1')); }; if { # timestamp from Cisco Unified Call Manager, example "Jun 14 11:57:27 PM.685 UTC" # NOTE: drops msecs and timezone filter { match('^[.*]?([A-Za-z]{3} [0-9 ]\d \d{2}:\d{2}:\d{2} ((AM)|(PM)))' value('1') flags(store-matches)); }; parser { date-parser(format('%b %d %H:%M:%S %p') template("$1")); }; } elif { # timestamp without AM/PM mark, example: "Apr 29 13:58:40.411" # NOTE: drops msecs and timezone filter { match('^[.*]?([A-Za-z]{3} [0-9 ]\d \d{2}:\d{2}:\d{2})' value('1') flags(store-matches)); }; parser { date-parser(format('%b %d %H:%M:%S') template("$1")); }; } else { # timestamp with year information, example: "Apr 29 2017 13:58:40.411" filter { match('^[.*]?([A-Za-z]{3} [0-9 ]\d \d{4} \d{2}:\d{2}:\d{2})' value('1') flags(store-matches)); }; parser { date-parser(format('%b %d %Y %H:%M:%S') template("$1")); }; }; }; }; block parser cisco-triplet-parser(template() prefix()) { channel { if { parser { csv-parser(delimiters(chars('-')) template(`template`) columns('`prefix`facility', '`prefix`severity', '`prefix`mnemonic') flags(drop-invalid)); }; } else { parser { csv-parser(delimiters(chars('-')) template(`template`) columns('`prefix`facility', '1', '`prefix`severity', '`prefix`mnemonic') flags(drop-invalid)); }; rewrite { set("${`prefix`facility}-$1" value('`prefix`facility')); }; }; }; }; block parser cisco-parser(prefix(".cisco.")) { channel { parser { # split msg and header right before the '%', Cisco messages may # have a variable number of ': ' terminated values csv-parser(delimiters(chars('') strings(': %')) columns('1', '2', '3') flags(greedy, drop-invalid)); csv-parser(delimiters(chars(':')) template("$2") columns('3')); cisco-triplet-parser(template("$3") prefix(`prefix`)); }; rewrite { set('%$2', value("MSG")); # drop "seqno: " if present subst("^(<[0-9]+>)?([0-9]+)?(: )?", "", value('1')); }; if { parser { cisco-timestamp-parser(template("$1")); }; } elif { filter { match("^(?'HOST'[^:]+): (.*)" value('1') flags(store-matches) type(pcre)); }; parser { cisco-timestamp-parser(template("$2")); }; } elif { filter { match("^(?'HOST'[^:]+)$" value('1') flags(store-matches) type(pcre)); }; } else { filter { match("^$" value('1') flags(store-matches) type(pcre)); }; }; }; }; application cisco[syslog-raw] { parser { cisco-parser(); }; };