Open jalogisch opened 6 years ago
What you should get out of Cisco devices is:

```
<189>91: *Mar 15 2018 21:48:41.663 UTC: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (192.168.200.1)
```
With Cisco ASA that needs the following configuration:

```
clock timezone UTC 0 0
no clock summer-time
ntp server 0.0.0.0 prefer source management
logging timestamp
logging trap 6
logging enable
logging host management 1.2.3.4 tcp/8514
```
Classic IOS needs:

```
clock timezone UTC 0 0
no clock summer-time
ntp server 1.2.3.4 prefer
ntp update-calendar
service timestamps log datetime msec show-timezone localtime
logging host 1.2.3.4 transport tcp port 8514
logging origin-id hostname
logging trap 6
```
And Nexus (NX-OS) can only send via UDP and needs the following configuration:

```
clock timezone UTC 0 0
no clock summer-time
ntp server 1.3.4.5 prefer use-vrf management
logging timestamp milliseconds # microseconds are also possible
logging server 1.2.3.4 port 8514 use-vrf management
logging source-interface mgmt 0
logging level all 6
logging origin-id hostname
```
Our supported "Autoparse" should only work with that - and not try to cover all other possible combinations. If that is implemented, it needs to be covered in the documentation.
AFAIK the following configurations are available; the first line is the configuration string on Cisco's IOS, the second the log line that is produced with that kind of configuration:
Cisco IOS
The second number after the syslog priority is a sequence number that enables you to get the correct order of events even without milliseconds.
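To make the expected line shape concrete, here is a parser for the IOS example at the top of this issue (`<PRI>SEQ: *Mon DD YYYY HH:MM:SS.mmm TZ: %FAC-SEV-MNEMONIC: text`) that also handles the sequence number discussed above. This is an added example, not Graylog's syslog input code; the regex, the record layout and the sample lines are this example's own assumptions, derived from the one log line and the IOS `service timestamps` / `service sequence-numbers` options. It also goes slightly beyond the page by accepting lines without a sequence number, year or timezone name, and by reporting the IOS clock-status marker (`*` clock not authoritative, `.` NTP sync lost), since a pipeline that silently trusts such a timestamp produces exactly the unpredictable results described below.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Line shape IOS emits with "service timestamps log datetime msec show-timezone"
# and, optionally, "service sequence-numbers" (assumed from the one example line):
#   <PRI>[SEQ: ][*|.]Mon DD [YYYY] HH:MM:SS[.mmm] [TZ]: %FACILITY-SEV-MNEMONIC: text
CISCO_IOS_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                         # RFC 3164 PRI
    r"(?:(?P<seq>\d+): )?"                         # IOS sequence number, if enabled
    r"(?P<flag>[*.])?"                             # clock-status marker, if present
    r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2})"    # month and day
    r"(?: (?P<year>\d{4}))?"                       # year only with "datetime year"
    r" (?P<time>\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?)"  # msec only with "msec"
    r"(?: (?P<tz>[A-Za-z]{1,5}))?: "               # tz name only with "show-timezone"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<msg>.*)$"
)


@dataclass
class CiscoSyslog:
    pri: int
    syslog_facility: int          # pri // 8, e.g. 23 = local7
    syslog_severity: int          # pri % 8
    sequence: Optional[int]       # None when sequence numbers are not configured
    clock_flag: Optional[str]     # "*" not authoritative, "." NTP sync lost, None synced
    timestamp: datetime           # tz-aware only when the device sent "UTC"
    year_assumed: bool            # True when the line carried no year
    tz_name: Optional[str]
    facility: str                 # "SYS" in %SYS-5-CONFIG_I
    severity: int                 # 5 in %SYS-5-CONFIG_I
    mnemonic: str                 # "CONFIG_I"
    message: str

    @property
    def severity_consistent(self) -> bool:
        """PRI severity and the %FAC-SEV-MNEMONIC severity should agree."""
        return self.syslog_severity == self.severity


def parse_cisco_ios(line: str) -> Optional[CiscoSyslog]:
    """Return the parsed record, or None when the line is not in the IOS shape."""
    m = CISCO_IOS_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:                  # facilities stop at 23, severities at 7
        return None
    year_assumed = m["year"] is None
    year = m["year"] or str(datetime.now(timezone.utc).year)
    fmt = "%b %d %Y %H:%M:%S" + (".%f" if "." in m["time"] else "")
    ts = datetime.strptime(f"{m['mon']} {m['day']} {year} {m['time']}", fmt)
    if m["tz"] == "UTC":           # only UTC is mapped; other names stay naive
        ts = ts.replace(tzinfo=timezone.utc)
    return CiscoSyslog(
        pri=pri,
        syslog_facility=pri // 8,
        syslog_severity=pri % 8,
        sequence=int(m["seq"]) if m["seq"] else None,
        clock_flag=m["flag"],
        timestamp=ts,
        year_assumed=year_assumed,
        tz_name=m["tz"],
        facility=m["fac"],
        severity=int(m["sev"]),
        mnemonic=m["mnemonic"],
        message=m["msg"],
    )


# Constructed sample lines (not captured from a real device): the issue's example,
# a device without sequence numbers / year / timezone, and a non-IOS syslog line.
SAMPLES = [
    "<189>91: *Mar 15 2018 21:48:41.663 UTC: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (192.168.200.1)",
    "<189>*Mar 15 21:48:41.663: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (192.168.200.1)",
    "<189>Mar 15 21:48:41 host sshd[42]: Accepted publickey for ops",
]

if __name__ == "__main__":
    for s in SAMPLES:
        rec = parse_cisco_ios(s)
        if rec is None:
            print("NOT IOS FORMAT:", s)
            continue
        print(f"seq={rec.sequence} ts={rec.timestamp.isoformat()} "
              f"year_assumed={rec.year_assumed} clock_flag={rec.clock_flag} "
              f"{rec.facility}-{rec.severity}-{rec.mnemonic} "
              f"sev_ok={rec.severity_consistent}: {rec.message}")
```

The record keeps the raw PRI-derived facility and severity next to the `%FAC-SEV-MNEMONIC` values so a pipeline can flag lines where they disagree, and `year_assumed` plus the naive timestamp make it visible when a device is not configured the way the section above recommends rather than hiding it behind a guessed time.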
I'm not sure if we should just document what is working or if we need to adjust the Syslog Input to fit as many options as possible.
Context
Nearly all users with Cisco hardware have other settings but think that they send valid syslog, while valid RFC 3164 would be:
The Cisco-delivered messages are close to that but not really what we think will be delivered. The current magic that parses the Syslog Input is not always correct, so the result looks unpredictable to the user.

Your Environment