Description
During the integration of syslog support into Observium with the Rsyslog daemon, we found out that Rsyslog is removing the "%" character from the string that Cisco IOS-XR is passing to the daemon.
Original string (captured with tcpdump):
5963: RP/0/RSP0/CPU0:Sep 1 09:10:03.957 : config[65938]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'dklimek'. Use 'show configuration commit changes 1000000153' to view the changes.
Value of $entry (msg) that is passed to syslog.php from the rsyslog daemon:
RP/0/RSP0/CPU0:Sep 1 09:10:03.957 : config[65938]: MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'dklimek'. Use 'show configuration commit changes 1000000153'to view the changes. ||5963:
This results in Observium being unable to fetch the content/msg of the syslog entry, because in includes/syslog.inc.php the following explode match is used:
Some debug information:
root@observium:/opt/observium# echo "123.123.123.123||21||6||6||test:||2017-09-01 09:50:37|| RP/0/RSP0/CPU0:Sep 1 09:50:37.589 : config[65938]: MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user dklimek. Use show configuration commit changes 1000000158 to view the changes. ||test" | /opt/observium/syslog.php
Array
(
    [host] => 123.123.123.123
    [facility] => 21
    [priority] => 6
    [level] => 6
    [tag] => test:
    [timestamp] => 2017-09-01 09:50:37
    [msg] =>
    [program] =>
    [msg_orig] => RP/0/RSP0/CPU0:Sep 1 09:50:37.589 : config[65938]: MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user dklimek. Use show configuration commit changes 1000000158 to view the changes.
    [device_id] => 550
)
else if ($os == 'iosxr')
{
  //1.1.1.1 ||23||5||5||920: ||2014-11-26 17:29:48 ||RP/0/RSP0/CPU0:Nov 26 16:29:48.161 : bgp[1046]: %ROUTING-BGP-5-ADJCHANGE : neighbor 1.1.1.2 Up (VRF: default) (AS: 11111) ||920
  //1.1.1.2||23||6||6||253:||2014-11-26 17:30:21||RP/0/RSP0/CPU0:Nov 26 16:30:21.710 : SSHD_[65755]: %SECURITY-SSHD-6-INFO_GENERAL : Client closes socket connection ||253
  //1.1.1.3||local0||err||err||83||2015-01-14 07:29:45||oly-er-01 LC/0/0/CPU0:Jan 14 07:29:45.556 CET: pfilter_ea[301]: %L2-PFILTER_EA-3-ERR_IM_CAPS : uidb set acl failed on interface Bundle-Ether1.1501.ip43696. (null) ||94795
  list(, $entry['msg']) = explode(': %', $entry['msg'], 2);
  list($entry['program'], $entry['msg']) = explode(' : ', $entry['msg'], 2);
  print_r($entry);
}

-list(, $entry['msg']) = explode(': %', $entry['msg'], 2); |
+list(, $entry['msg']) = explode(': ', $entry['msg'], 2); |
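Review bot: on the `+` line, ': ' no longer anchors on the mnemonic, so explode() splits at the first colon-space in the line, which is the one right after the timestamp. As the output after the modification shows, `program` then becomes `config[65938]: MGBL-CONFIG-6-DB_COMMIT` rather than the bare mnemonic that the ': %' split yields for the three sample lines in the comments, and for input that still carries the '%' the value would keep the '%' as well. Suggest making the '%' optional instead of dropping the anchor, for example by splitting on a pattern such as `\]: %?` with preg_split(), or by stripping a leading `process[pid]: ` and '%' from `program` after the second explode, so that input with and without the '%' produces the same `program` value.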
After changing the explode match to ': ' it works fine with the rsyslog daemon. We were not able to test it against syslog-ng; maybe someone can do that, and if syslog-ng treats it differently we should think about how to differentiate between syslog-ng and rsyslog in Observium to get a successful match of both strings.
Debug Information after modification:
root@observium:/opt/observium# echo "123.123.123.123||21||6||6||test:||2017-09-01 09:50:37|| RP/0/RSP0/CPU0:Sep 1 09:50:37.589 : config[65938]: MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user dklimek. Use show configuration commit changes 1000000158 to view the changes. ||test" | /opt/observium/syslog.php
Array
(
    [host] => 123.123.123.123
    [facility] => 21
    [priority] => 6
    [level] => 6
    [tag] => test:
    [timestamp] => 2017-09-01 09:50:37
    [msg] => Configuration committed by user dklimek. Use show configuration commit changes 1000000158 to view the changes.
    [program] => config[65938]: MGBL-CONFIG-6-DB_COMMIT
    [msg_orig] => RP/0/RSP0/CPU0:Sep 1 09:50:37.589 : config[65938]: MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user dklimek. Use show configuration commit changes 1000000158 to view the changes.
    [device_id] => 550
)
PS: Yes, I know the strings do not contain the same timestamps or commit id changes...
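
A parser that accepts the IOS-XR message both with and without the leading '%', so the same fields come out whichever relay delivered the line. This is an added example, not part of the original report and not Observium code; the function name, the returned keys and the assumed line layout (taken from the sample lines quoted in the report) are assumptions, and the sample inputs are constructed from those lines.

```php
<?php
// Added example, not Observium code. parse_iosxr_msg() and its keys are hypothetical.
function parse_iosxr_msg(string $raw): ?array
{
    // Layout assumed from the sample lines in the report:
    //   [host ]node:timestamp[ TZ] : process[pid]: [%]FACILITY-SEV-MNEMONIC : text
    $re = '~^\s*(?:\S+\s+)?(?<node>[^\s:]+):.*?:\s+'   // optional host, node, timestamp
        . '(?<process>[\w.-]+)\[(?<pid>\d+)\]:\s+'      // process[pid]:
        . '%?(?<program>[A-Z0-9_-]+-[0-7]-[A-Z0-9_]+)'  // mnemonic, '%' optional
        . '\s+:\s+(?<msg>.*?)\s*$~s';                   // " : " then the message text
    if (!preg_match($re, $raw, $m)) {
        return null; // unknown layout: the caller should keep the raw line
    }
    return [
        'node'    => $m['node'],
        'process' => $m['process'],
        'pid'     => (int) $m['pid'],
        'program' => $m['program'],
        'msg'     => $m['msg'],
    ];
}

// Constructed samples: '%' present, '%' stripped, host prefix with time zone,
// and a line that does not follow the layout.
$samples = [
    "RP/0/RSP0/CPU0:Sep 1 09:10:03.957 : config[65938]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'dklimek'.",
    " RP/0/RSP0/CPU0:Sep 1 09:10:03.957 : config[65938]: MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'dklimek'. ",
    "oly-er-01 LC/0/0/CPU0:Jan 14 07:29:45.556 CET: pfilter_ea[301]: %L2-PFILTER_EA-3-ERR_IM_CAPS : uidb set acl failed",
    "not an IOS-XR line",
];

foreach ($samples as $s) {
    $p = parse_iosxr_msg($s);
    if ($p === null) {
        echo "UNPARSED | $s\n";
        continue;
    }
    printf("%s | %s[%d] | %s\n", $p['program'], $p['process'], $p['pid'], $p['msg']);
}
```

Returning null for lines that do not match lets the caller store the raw message instead of an empty `msg`, which is what the unpatched split produced for the configuration-commit event above.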