Hi, we have mixed ASR9K/IOS devices and this works for us:
#cat /etc/syslog-ng/conf.d/observium.conf
options { keep_hostname(1); };
source s_net { udp(flags(no-parse)); # udp();
};
destination d_observium { program("/opt/observium/syslog.php" template ("$HOST||$FACILITY||$PRIORITY||$LEVEL||$TAG||$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC||$MSG||$PROGRAM\n") template-escape(yes)); };
log { source(s_net); destination(d_observium); };
I believe the rest of syslog-ng is as per default, the ASR config elements are:
service timestamps log datetime localtime msec show-timezone
logging <ip> vrf <vrf> severity info
Hope that helps!
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Markus Klock
Sent: 19 September 2014 06:37
To: Observium Network Observation System
Subject: [Observium] syslog-ng implementation and Cisco ASR9K

Hey guys! I'm setting up the syslog-ng implementation and it works great for all my Cisco IOS devices; however, most of the devices in my network are Cisco ASR9K routers running IOS-XR and it seems syslog from them won't go into Observium. I took a quick look at the syslog messages from the ASR9Ks and it seems IOS-XR actually doesn't use its hostname as hostname but instead uses its active route processor's name (wtf Cisco?!), making the syslog messages look something like this:
RP/0/RSP0/CPU0:Nov 28 23:56:53.826 : config[65710]: %SYS-5-CONFIG_I : Configured from console by console
Now there is a command that lets you add a "hostname prefix" to the syslog messages, which means that I can type my own custom string as hostname for syslog. Sadly, it still just adds it before the RPS-id, making the messages look like this:
router1 RP/0/RSP0/CPU0:router:Nov 28 23:56:53.826 : config[65710]: %SYS-5-CONFIG_I : Configured from console by console
This of course makes it impossible for Observium to match the syslogged hostname to a hostname in the database. I took a look at the Observium syslog code and, if I understand it correctly, if it fails to match the hostname it falls back and checks whether the IP address is used as the hostname and tries to match it against a host in the database? In that case maybe I could change the syslog-ng template that forwards the data to Observium to use the source IP instead of the hostname?
destination d_observium {
program("/opt/observium/syslog.php" template ("$HOST||$FACILITY||$PRIORITY||$LEVEL||$TAG||$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC||$MSG||$PROGRAM\n") template-escape(yes));
};
I tried changing $HOST to $HOST_FROM and $SOURCEIP but no luck so far. Am I even on the right track here? Could something like this work to make my idiotic ASR9Ks show up in the Observium syslog?
Thanks in advance for any advice
/Markus
Robert Williams Custodian Data Centre Email: Robert@CustodianDC.com http://www.CustodianDC.com
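
An added Python example, not from either poster and not Observium's or syslog-ng's code: it attributes an IOS-XR message to a device by the datagram's sender address and treats any host text inside the payload as informational only, using the two sample lines quoted above. The `normalise` function, the inventory mapping and the 192.0.2.x address are hypothetical, and the optional `<PRI>` and timezone fields in the pattern are assumptions.

```python
import re

# Layout inferred from the two sample lines in this thread; the optional <PRI>
# and timezone parts are assumptions about what the router puts on the wire.
XR_LINE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"              # optional syslog PRI
    r"(?:(?P<prefix>[^\s/:]+)\s+)?"          # optional configured hostname prefix
    r"(?P<node>[A-Z]+/\d+/\w+/CPU\d+):"      # active route processor id
    r"(?:[^\s:]+:)?"                         # extra token seen in the prefixed sample
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?)(?: [A-Z]+)? : "
    r"(?P<program>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: "
    r"%(?P<mnemonic>[A-Z0-9_]+-(?P<sev>[0-7])-[A-Z0-9_]+) : "
    r"(?P<text>.*)$"
)
LEVELS = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

def normalise(sender_ip, raw, inventory):
    """Return a record whose host comes from the sender address, never the payload."""
    record = {"host": inventory.get(sender_ip, sender_ip), "sender_ip": sender_ip}
    m = XR_LINE.match(raw.strip())
    if m is None:
        record.update(parsed=False, text=raw.strip())  # unknown layout: keep raw text
        return record
    record.update(
        parsed=True,
        claimed_prefix=m["prefix"],          # what the payload says; not trusted
        node=m["node"],
        timestamp=m["ts"],
        program=m["program"],
        pid=int(m["pid"]) if m["pid"] else None,
        mnemonic=m["mnemonic"],
        level=LEVELS[int(m["sev"])],         # severity digit from %FAC-SEV-MNEMONIC
        text=m["text"],
    )
    return record

# Constructed inventory and sender address; payloads are the thread's samples.
INVENTORY = {"192.0.2.10": "asr9k-a.example.net"}
PLAIN = ("RP/0/RSP0/CPU0:Nov 28 23:56:53.826 : config[65710]: "
         "%SYS-5-CONFIG_I : Configured from console by console")
PREFIXED = "router1 RP/0/RSP0/CPU0:router:" + PLAIN.split(":", 1)[1]

if __name__ == "__main__":
    for payload in (PLAIN, PREFIXED, "<189>" + PLAIN, "free-form text"):
        print(normalise("192.0.2.10", payload, INVENTORY))
```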