Uploaded image for project: 'Observium'
  1. Observium
  2. OBS-2412

Syslog Differences (Cisco IOS-XR between Rsyslog and Syslog-ng)

Details

    • Improvement
    • Resolution: Fixed
    • Minor
    • None
    • Professional Edition
    • Web Interface
    • * rsyslogd 8.16.0
       * Cisco IOS-XR 6.1.4
       * Observium 17.8.8725 (24th August 2017)

    Description

      During the integration of syslog support into Observium with Rsyslog daemon we found out that Rsyslog is removing the "%" character from the string that Cisco IOS-XR is parsing to the daemon.

      Original String (captured with tcpdump):
      		 
      5963: RP/0/RSP0/CPU0:Sep  1 09:10:03.957 : config[65938]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'dklimek'. Use 'show configuration commit changes 1000000153' to view the changes.
      		 
       
      		 
      Value of $entry (msg) that is parsed to syslog.php from rsyslog daemon:
      		 
      RP/0/RSP0/CPU0:Sep  1 09:10:03.957 : config[65938]: MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'dklimek'. Use 'show configuration commit changes 1000000153'to  view the changes. ||5963:

      This will result observium unable to fetch the content/msg of the syslog entry because in includes/syslog.inc.php there is following explode match used:

      Some debug information:

      root@observium:/opt/observium# echo "123.123.123.123||21||6||6||test:||2017-09-01 09:50:37|| RP/0/RSP0/CPU0:Sep  1 09:50:37.589 : config[65938]: MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user dklimek. Use show configuration commi t changes 1000000158 to view the changes. ||test" | /opt/observium/syslog.php
      		 
      Array
      		 
      (
      		 
          [host] => 123.123.123.123
      		 
          [facility] => 21
      		 
          [priority] => 6
      		 
          [level] => 6
      		 
          [tag] => test:
      		 
          [timestamp] => 2017-09-01 09:50:37
      		 
          [msg] =>
      		 
          [program] =>
      		 
          [msg_orig] =>  RP/0/RSP0/CPU0:Sep  1 09:50:37.589 : config[65938]: MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user dklimek. Use show configuration commit changes 1000000158 to view the changes.
      		 
          [device_id] => 550
      		 
      )


          else if ($os == 'iosxr')
      		 
          {
      		 
            //1.1.1.1      ||23||5||5||920:  ||2014-11-26 17:29:48 ||RP/0/RSP0/CPU0:Nov 26 16:29:48.161 : bgp[1046]: %ROUTING-BGP-5-ADJCHANGE : neighbor 1.1.1.2 Up (VRF: default) (AS: 11111) ||920
      		 
            //1.1.1.2||23||6||6||253:||2014-11-26 17:30:21||RP/0/RSP0/CPU0:Nov 26 16:30:21.710 : SSHD_[65755]: %SECURITY-SSHD-6-INFO_GENERAL : Client closes socket connection ||253
      		 
            //1.1.1.3||local0||err||err||83||2015-01-14 07:29:45||oly-er-01 LC/0/0/CPU0:Jan 14 07:29:45.556 CET: pfilter_ea[301]: %L2-PFILTER_EA-3-ERR_IM_CAPS : uidb set  acl failed on interface Bundle-Ether1.1501.ip43696. (null) ||94795
      		 
            list(, $entry['msg']) = explode(': %', $entry['msg'], 2);
      		 
            list($entry['program'], $entry['msg']) = explode(' : ', $entry['msg'], 2);
      		 
            print_r($entry);
      		 
          }
      		 
       
      		 
      -list(, $entry['msg']) = explode(': %', $entry['msg'], 2);
      		 
      +list(, $entry['msg']) = explode(': ', $entry['msg'], 2);

      After changing the explode match to ': ' it is working fine with rsyslog-daemon. We were not able to test ist against syslog-ng, maybe someone can do it and if syslog-ng threats it different we should think about an idea to how to difference between syslog-ng and rsyslog in Observium get a successfull match of both strings.

      Debug Information after modification:

      root@observium:/opt/observium# echo "123.123.123.123||21||6||6||test:||2017-09-01 09:50:37|| RP/0/RSP0/CPU0:Sep  1 09:50:37.589 : config[65938]: MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user dklimek. Use show configuration commit changes 1000000158 to view the changes. ||test" | /opt/observium/syslog.php
      		 
      Array
      		 
      (
      		 
          [host] => 123.123.123.123
      		 
          [facility] => 21
      		 
          [priority] => 6
      		 
          [level] => 6
      		 
          [tag] => test:
      		 
          [timestamp] => 2017-09-01 09:50:37
      		 
          [msg] => Configuration committed by user dklimek. Use show configuration commit changes 1000000158 to view the changes.
      		 
          [program] => config[65938]: MGBL-CONFIG-6-DB_COMMIT
      		 
          [msg_orig] =>  RP/0/RSP0/CPU0:Sep  1 09:50:37.589 : config[65938]: MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user dklimek. Use show configuration commit changes 1000000158 to view the changes.
      		 
          [device_id] => 550
      		 
      )

      PS: Yes I know the strings does not contain the same timestamps or commit id changes...

      Attachments

        Activity

          [OBS-2412] Syslog Differences (Cisco IOS-XR between Rsyslog and Syslog-ng)
          adama Adam Armstrong added a comment -

          This is changed in my local install and will be committed in the next drop.

          I'm doing it slightly differently to you, and splitting out the module and process into unused variables which may be usable in future.

          You might need to delete syslog.inc.php when you svn up.

          adama Adam Armstrong added a comment - This is changed in my local install and will be committed in the next drop. I'm doing it slightly differently to you, and splitting out the module and process into unused variables which may be usable in future. You might need to delete syslog.inc.php when you svn up.

          People

            adama Adam Armstrong
            dklimek Denis Klimek
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: