We do this at Bard, without any extra modules. I changed the format for
output to:
template(name="myASAFormat"
type="string"
string="%TIMESTAMP:::date-rfc3339% %fromhost-ip%
%syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")
Then in the action section for handling incoming Cisco logs I specified:
template="myASAFormat"
We don't get the hostname this way, but that isn't an issue for us.
-Sean
Sean Maguire
System Administrator
Bard College I.T.
On Tue, Mar 19, 2024 at 9:31 AM Roy White via rsyslog <
rsyslog@lists.adiscon.com> wrote:
> Good Morning,
>
> I am hopeful this mailing list is still monitored, and that this is not
> falling onto deaf ears. I am currently trying to implement an Rsyslog
> Remote Server to consolidate the logs of all of our Cisco switches. The
> server is collecting the data, however because of the format of the Cisco
> IOS logs, it is not properly parsing and recognizing the host and source of
> the remote logs. Rsyslog is prepending a its own IP address, and timestamp,
> and making the data difficult more difficult to read. I have dug through
> the documentation and found that there is a module called pmciscoios that
> is supposed to aide in fixing this issue. Unfortunately, I am currently
> running rsyslogd 8.2102.0-7.el8_6.1 (aka 2021.02), on RHEL 8.6 and the
> pmciscoios module is missing. Through further research I was able to find
> the pmciscoios.c file through GITHUB but was unable to figure out how to
> convert it to a .so format in order to add it to /lib64/rsyslog and have it
> read properly. Has anyone dealt with this is
> sue previously, and do you have any suggestions for how I might be able
> to fix this? I would be very grateful for any assistance or feedback. Thank
> you in advance!
>
> Very Respectfully,
>
>
> Roy White, MBA
>
> SysOps Project Manager, Information Technology
>
>
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
