[Filebeat] Syslog parse error with Cisco Switch logs

[andrewkroh]

I am trying to ingest syslog data from a Cisco 3750 switch and I get an error from Filebeat.

Filebeat error:

• {"level":"error","timestamp":"2019-02-08T18:55:32.305Z","logger":"syslog","caller":"syslog/input.go:131","message":"can't parse event as syslog rfc3164","message":"<190>589265: Feb 8 18:55:31.306: %SEC-6-IPACCESSLOGP: list 177 denied udp 10.100.7.196(53640) -> 10.100.7.255(15600), 1 packet"}

PCAP of Syslog Traffic:

• cisco-3750-syslog.pcap.txt

Version:

• filebeat version 7.0.0 (arm), libbeat 7.0.0 [3dd1f50 built 2019-02-06 19:37:38 +0000 UTC]

Filebeat Config:

  filebeat.inputs:
    - type: syslog
      protocol.udp:
        host: ':9002'

Cisco 3750 Config:

• logging host 10.100.5.130 transport udp port 9002

[andrewkroh]

This document states that the non-compliant part of the message is a sequence number. It also suggests how to disable the sequence number, but for my version of IOS or hardware this had no effect.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swlog.html#pgfId-1030180

seq no:timestamp: %facility-severity-MNEMONIC:description

[ph]

I added support for the sequence number but I am running into another issue concerning the host format still need some work on my side.

[emes]

@ph would you consider making the colon after the sequence number optional? Newer/non-Catalyst Cisco switches do not include the colon and you cannot currently disable sequence numbers.

With:

<190>589265: Feb 8 18:55:31.306: %SEC-11-IPACCESSLOGP: list 177 denied udp 10.0.0.1(53640) -> 10.100.0.1(15600), 1 packet

Without:

<190>1 2019-07-17T19:42:13-05:00 newswitch AAA - CONNECT - New http connection for user ms, source 192.168.30.51 destination 192.168.10.4 ACCEPTED

Would be great appreciated!

[ph]

@emes Yes, can you create an issue for that? sorry for the delay.