
Can we have netscaler syslog parsed by syslog.php?

Details

    • Improvement
    • Resolution: Fixed
    • Minor
    • None
    • None
    • Web Interface

    Description

      So, Cisco devices get syslogged, but netscaler, they are not.

      It seems like it's related to how the netscalers are doing their syslog.

      This is a cisco log entry which gets parsed:

      Oct 3 23:58:55 10.32.10.18 417597: r1.ix5: Oct 3 23:58:54.336 UTC: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.32.10.20 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-md5' Succeeded

      This is an entry from a netscaler:

      Oct 3 23:58:39 10.70.66.249 10/03/2013:16:49:07 GMT dk-lb001a PPE-4 : UI CMD_EXECUTED 10367926 : User so_readonly - Remote_ip 10.70.66.56 - Command "stat lb vserver" - Status "Success"

      So, it seems they have the timestamps & device name switched.

      Should be easy to fix, right?

          Activity

            [OBS-523] Can we have netscaler syslog parsed by syslog.php?
            gp.gt.network@adevinta.com ADV added a comment -

            WAS

            70.10.99.24||local0||info||info||86||2022-11-09 17:18:17||17:57:38 GMT lb1a_xx_yyy 0-PPE-5 : default CLI CMD_EXECUTED 765782 0 :  User yoleri - Remote_ip 1.1.1.1 - Command \"show ns runningConfig\" - Status \"Success\"||11/09/2022

            IS

            lb1a_xx_yyy||local0||info||info||86||2022-11-09 18:48:15||0-PPE-4 : default CLI CMD_EXECUTED 752411 0 :  User yoleri - Remote_ip 1.1.1.1 - Command "show ns runningConfig" - Status "Success"||CLI
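
The repair shown in the WAS/IS comment above (and the host/timestamp mix-up from the description), as an added example that is not Observium's code or the commenter's syslog-ng template. The field names, the regular expressions and the `device_time`/`audit` keys are assumptions inferred from the samples on this page; only the 2022 record layout is handled.

```python
import re

# Field order inferred from the WAS/IS samples on this page; the names are assumptions.
FIELDS = ("host", "facility", "priority", "level", "tag", "timestamp", "msg", "program")

# WAS record copied from the comment: host is the sender IP, program holds a date.
WAS_SAMPLE = (
    r'70.10.99.24||local0||info||info||86||2022-11-09 17:18:17||17:57:38 GMT lb1a_xx_yyy '
    r'0-PPE-5 : default CLI CMD_EXECUTED 765782 0 :  User yoleri - Remote_ip 1.1.1.1 - '
    r'Command \"show ns runningConfig\" - Status \"Success\"||11/09/2022'
)

# NetScaler body after the MM/DD/YYYY date was split off into the program field:
# "HH:MM:SS TZ <hostname> <n>-PPE-<n> : <partition> <module> <event> <id> <n> : <text>"
NS_BODY = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>\S+) (?P<hostname>\S+) "
    r"(?P<rest>\S*PPE-\d+ : \S+ (?P<module>\S+) (?P<event>\S+) \d+ \d+ :\s+(?P<text>.*))$"
)
NS_DATE = re.compile(r"^\d{2}/\d{2}/\d{4}$")
# Key/value pairs of a CMD_EXECUTED audit record; values are bare or double-quoted.
AUDIT = re.compile(r'(User|Remote_ip|Command|Status) ("[^"]*"|\S+)')


def normalize(line):
    """Parse one '||'-delimited record and repair host/program/msg for NetScaler."""
    # Split the six fixed fields from the left and the program from the right,
    # so a "||" inside the logged command cannot shift the fields.
    head = line.rstrip("\n").split("||", 6)
    if len(head) != 7 or "||" not in head[6]:
        raise ValueError("not an 8-field '||'-delimited record")
    msg, program = head[6].rsplit("||", 1)
    rec = dict(zip(FIELDS, head[:6] + [msg.replace('\\"', '"'), program]))
    m = NS_BODY.match(rec["msg"])
    if m and NS_DATE.match(rec["program"]):
        # Keep the device's own clock: it can differ from the receive timestamp.
        rec["device_time"] = "%s %s %s" % (rec["program"], m["time"], m["tz"])
        rec["host"] = m["hostname"]      # device name instead of the sender IP
        rec["program"] = m["module"]     # "CLI" in the sample
        rec["msg"] = m["rest"]
        if m["event"] == "CMD_EXECUTED":
            rec["audit"] = {k: v.strip('"') for k, v in AUDIT.findall(m["text"])}
    return rec  # records that do not look like NetScaler pass through unchanged


if __name__ == "__main__":
    print(normalize(WAS_SAMPLE))
```
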

            gp.gt.network@adevinta.com ADV added a comment -

            Hi Mike, just as an FYI.

            I created a "breakout" in syslog-ng to see the exact string passed as parameter to syslog.php. I've found out that the syslog message sent from the device is completely assigned to $MSG and the date to $PROGRAM. This is fixed after creating a template function to parse it to match our needs and actually set $PROGRAM correctly.

            So, the data passed to Observium was not OK

            With kind regards,

            Yoleri

            bot Observium Bot made changes -
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]
            landy Mike Stupalov made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: In Progress [ 3 ] New: Resolved [ 5 ]

            I'm not fully sure, but this should be improved now in r10996.

            landy Mike Stupalov made changes -
            Status Original: Pending Response [ 10000 ] New: In Progress [ 3 ]
            landy Mike Stupalov made changes -
            Link New: This issue relates to OBS-3614 [ OBS-3614 ]
            landy Mike Stupalov made changes -
            Assignee Original: Adam Armstrong [ adama ] New: Mike Stupalov [ landy ]
            landy Mike Stupalov made changes -
            Issue Type Original: Bug [ 1 ] New: Improvement [ 4 ]
            Labels New: syslog
            Status Original: Open [ 1 ] New: Pending Response [ 10000 ]
            landy Mike Stupalov added a comment - - edited

            maartenmoerman yah, I need more syslog examples to correctly test this parsing.

            Probably this should work, but I think program and tag are currently parsed incorrectly.

            Can you enable debugging for netscaler syslog, or send partial syslog from a netscaler device to my dev syslog server (access opened): 77.222.50.30.


            People

              landy Mike Stupalov
              maartenmoerman Maarten Moerman