Hi all,
i was using a Raw plain text UDP input for our cisco switches. Since 2.2.3 i’m trying to use a Syslog UDP input but the source name of our cisco switches always have a “:” at the end…
Any explanations ? In raw plaintext the source name was fine
Thanks !
Could you provide some samples of the log messages, ideally the raw message as it is transmitted over the network?
something like this ? (full_message) :
<187>: cs4500xazerty: [syslog@9 s_id =“cs4500xazerty:12514”]: May 19 14:20:43.691: %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Te1/15. A packet filter action has been applied on the interface.
Yes, exactly. Thanks!
This looks like a very strange syslog format. It’s neither compatible with RFC 3164, nor with RFC 5424. It includes a structured data element but it doesn’t contain a syslog version.
And the colon after the PRI field looks like the client omitted the (proprietary) Cisco sequence number.
As things are, I would recommend staying with the Raw/Plaintext input or use the full_message field created by the Syslog input and use extractors or pipeline rules to extract/override the desired information from these messages.
Do you have an example of cisco configuration ? We have hundreds of cisco
switches and i really would like to use a syslog udp input
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
