[OBS-523] Can we have netscaler syslog parsed by syslog.php? - Observium

Details

Type: Improvement
Resolution: Fixed
Priority: Minor
Fix Version/s: None
Affects Version/s: None
Component/s: Web Interface
Labels:
- syslog

Description

So , Cisco devices get syslogged, but netscaler, they are not.

It seems like it's related to how the netscaler are doing their syslog.

This is a cisco log entry which gets parsed:

Oct 3 23:58:55 10.32.10.18 417597: r1.ix5: Oct 3 23:58:54.336 UTC: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.32.10.20 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-md5' Succeeded

This is an entry from a netscaler:

Oct 3 23:58:39 10.70.66.249 10/03/2013:16:49:07 GMT dk-lb001a PPE-4 : UI CMD_EXECUTED 10367926 : User so_readonly - Remote_ip 10.70.66.56 - Command "stat lb vserver" - Status "Success"

So, it seems they have the timestamps & device name switched.

Should be easy to fix, right?

Attachments

Issue Links

relates to

OBS-3614 syslog messages appear truncated for Citrix ADC

Closed

Activity

[OBS-523] Can we have netscaler syslog parsed by syslog.php?

ADV added a comment - 2022/11/09 08:31 PM

WAS

70.10.99.24||local0||info||info||86||2022-11-09 17:18:17||17:57:38 GMT lb1a_xx_yyy 0-PPE-5 : default CLI CMD_EXECUTED 765782 0 :  User yoleri - Remote_ip 1.1.1.1 - Command \"show ns runningConfig\" - Status \"Success\"||11/09/2022

lb1a_xx_yyy||local0||info||info||86||2022-11-09 18:48:15||0-PPE-4 : default CLI CMD_EXECUTED 752411 0 :  User yoleri - Remote_ip 1.1.1.1 - Command "show ns runningConfig" - Status "Success"||CLI

ADV added a comment - 2022/11/09 08:31 PM WAS 70.10.99.24||local0||info||info||86||2022-11-09 17:18:17||17:57:38 GMT lb1a_xx_yyy 0-PPE-5 : default CLI CMD_EXECUTED 765782 0 : User yoleri - Remote_ip 1.1.1.1 - Command \"show ns runningConfig\" - Status \"Success\"||11/09/2022 IS lb1a_xx_yyy||local0||info||info||86||2022-11-09 18:48:15||0-PPE-4 : default CLI CMD_EXECUTED 752411 0 : User yoleri - Remote_ip 1.1.1.1 - Command "show ns runningConfig" - Status "Success"||CLI

ADV added a comment - 2022/11/09 08:26 PM

Hi Mike, just as an FYI.

I created a "breakout" in syslog-ng to see the exact string passed as parameter to syslog.php. I've found out that the syslog message sent from the device is completely assigned to $MSG and the date to $PROGRAM. This is fixed after creating a template function to parse it to match our needs and actually set $PROGRAM correctly.

So, the data passed to Observium was not OK

With kind regards,

Yoleri

ADV added a comment - 2022/11/09 08:26 PM Hi Mike, just as an FYI. I created a "breakout" in syslog-ng to see the exact string passed as parameter to syslog.php. I've found out that the syslog message sent from the device is completely assigned to $MSG and the date to $PROGRAM. This is fixed after creating a template function to parse it to match our needs and actually set $PROGRAM correctly. So, the data passed to Observium was not OK With kind regards, Yoleri

Mike Stupalov added a comment - 2021/02/10 12:14 AM

I not fully sure, but should be improved now in r10996.

Mike Stupalov added a comment - 2021/02/10 12:14 AM I not fully sure, but should be improved now in r10996.

Mike Stupalov added a comment - 2018/03/27 06:05 PM - edited

maartenmoerman yah, I need more syslog examples for correct test this parsing.

Probably this is should work, but I think currently incorrect parsed program and tag..

Can you enable debugging for netscaller syslog.. or send partial syslog from an netscaller device to my dev syslog server (access opened): 77.222.50.30.

Mike Stupalov added a comment - 2018/03/27 06:05 PM - edited maartenmoerman yah, I need more syslog examples for correct test this parsing. Probably this is should work, but I think currently incorrect parsed program and tag.. Can you enable debugging for netscaller syslog.. or send partial syslog from an netscaller device to my dev syslog server (access opened): 77.222.50.30.

Adam Armstrong added a comment - 2018/03/27 07:32 AM

Does this now work?

Adam Armstrong added a comment - 2018/03/27 07:32 AM Does this now work?

Maarten Moerman added a comment - 2015/10/25 03:40 PM

I think it's related to the fact that the sysname is different then the name that observium uses, so it cannot match.

Problem with our Netscalers is, since we run them in HA, the naming is different, we monitor the device on: dk-lb001, but there's actually 2 devices: dk-lb001a & dk-lb001b, so depending on which one is active, it shows a different name in syslog.

Would it be possible to do an overwrite for this in the settings page?

Maarten Moerman added a comment - 2015/10/25 03:40 PM I think it's related to the fact that the sysname is different then the name that observium uses, so it cannot match. Problem with our Netscalers is, since we run them in HA, the naming is different, we monitor the device on: dk-lb001, but there's actually 2 devices: dk-lb001a & dk-lb001b, so depending on which one is active, it shows a different name in syslog. Would it be possible to do an overwrite for this in the settings page?

Mike Stupalov added a comment - 2015/01/14 07:09 AM

This issue actual?
I see that should fixed, but perhaps not entirely correct.

Mike Stupalov added a comment - 2015/01/14 07:09 AM This issue actual? I see that should fixed, but perhaps not entirely correct.

People

Assignee:: Mike Stupalov

Reporter:: Maarten Moerman

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2013/10/04 10:05 AM

Updated:: 2022/11/09 08:31 PM

Resolved:: 2021/02/10 12:14 AM