Generic Syslog Receiver – Received Messages not stored

Solved1.32K viewscatalyst syslog
1
0 Comments

Hi Dojo

We have a Cisco Catalyst that is sending syslog messages to DataMiner (10.0.0.0-9589-CU7).

I can see the messages in Stream viewer, but the Received Raw Messages Table is still empty.
I configured the IP address of the switch as accepted IP address in the Edit dialog of the element and as IP Filter in the General settings.

Do I have to configure the structure (layout) of the syslog message?
Is there any documentation of the connector?
Any ideas?

Thanks Dojo

Joerg Stumpf [DevOps Advocate] Selected answer as best 22nd March 2024

3 Answers

1
147 0 Comments

Thanks a lot Ive!

Selecting UDP instead of TCP solved the issue !!!

Joerg Stumpf [DevOps Advocate] Selected answer as best 22nd March 2024
0
147 1 Comment

Hi Ive

I installed the quite old tool Visual Syslog and I can see, that the messages from the catalyst switch.

So it seems that a priority is submitted by the Catalyst switch.

Ive Herreman [SLC] [DevOps Enabler] Posted new comment 22nd March 2024
Ive Herreman [SLC] [DevOps Enabler] commented

That’s interesting.
I’ve sent you an email to initiate a more in-depth investigation.
0
13.52K 6 Comments

Hi Joerg,

Can you try to use the keyword 'any' in the IP field when you edit the element?

I found the following on the driver help in the catalog:

Ive Herreman [SLC] [DevOps Enabler] Posted new comment 20th March 2024
Joerg Stumpf [DevOps Advocate] commented

Dear Ive

Thanks for that hint but IP address is already set to any.

As posted, I can see the syslog messages from the device in DataMiner Stream Viewer
Ive Herreman [SLC] [DevOps Enabler] commented

Thanks for the info, Joerg.

I’ve just tested the latest generic syslog driver and can confirm no other configurations are required.
What driver version are you using?
Can you see anything in the element logging?
Joerg Stumpf [DevOps Advocate] commented

Hi Ive

I’m using 1.0.3.16.

Yes I see following corresponding messages in the element log:

2024/03/19 11:40:44.319|SLProtocol – 17980 – Cisco-Syslog|12632||DBG|1|-> Received device initiated data
2024/03/19 11:40:44.319|SLProtocol – 17980 – Cisco-Syslog|12632|CParameter::MatchParameter|DBG|2|-> messageList new data ()
000000 1600000000 0000003C31 38393E3730 303A204D61 ……..700: Ma
000020 7220313920 31313A3430 3A34333A20 255345435F r 19 11:40:43: %SEC_
000040 4C4F47494E 2D352D4C4F 47494E5F53 5543434553 LOGIN-5-LOGIN_SUCCES
000060 533A204C6F 67696E2053 7563636573 73205B7573 S: Login Success [us
000080 65723A206E 74745D205B 536F757263 653A203139 er: ntt] [Source: 19
000100 322E313638 2E35302E31 31335D205B 6C6F63616C 2.168.50.113] [local
000120 706F72743A 2032325D20 6174203131 3A34303A34 port: 22] at 11:40:4
000140 3320434554 2054756520 4D61722031 3920323032 3 CET Tue Mar 19 202
000160 340A 4.
2024/03/19 11:40:44.320|SLProtocol – 17980 – Cisco-Syslog|12632|ParseIncommingData|DBG|2|-> Response Get Messages stored (0)
000000 65B3C0A832 5116000000 000000003C 3138393E37 e…2Q……..7
000020 30303A204D 6172203139 2031313A34 303A34333A 00: Mar 19 11:40:43:
000040 2025534543 5F4C4F4749 4E2D352D4C 4F47494E5F %SEC_LOGIN-5-LOGIN_
000060 5355434345 53533A204C 6F67696E20 5375636365 SUCCESS: Login Succe
000080 7373205B75 7365723A20 6E74745D20 5B536F7572 ss [user: ntt] [Sour
000100 63653A2031 39322E3136 382E35302E 3131335D20 ce: 192.168.50.113]
000120 5B6C6F6361 6C706F7274 3A2032325D 2061742031 [localport: 22] at 1
000140 313A34303A 3433204345 5420547565 204D617220 1:40:43 CET Tue Mar
000160 3139203230 32340A 19 2024.
Ive Herreman [SLC] [DevOps Enabler] commented

Hi Joerg,

I believe the issue might be linked to the syslog message format.
You are using the new format (RFC5424), while the driver seems to expect the message in the “old” format (RFC3164).

Can you verify this is the cause, by temporarily changing the syslog format back to the old format?
Joerg Stumpf [DevOps Advocate] commented

Hi Ive

I saw, that I can change the format to rfc5424, but this was not active.
So I assume the the default is rfc3164.

I changed it to rfc5424 to see what happens in DataMiner and I can confirm that the structure is a little bit different, but the messages are still not stored in the element.

2024/03/19 16:56:10.299|SLProtocol – 17980 – Cisco-Syslog|12632|CParameter::MatchParameter|DBG|2|-> messageList new data ()
000000 1D00000000 0000003C31 38393E3120 323032342D ……..1 2024-
000020 30332D3139 5431353A35 363A30392E 3138335A20 03-19T15:56:09.183Z
000040 2D202D202D 202D202D20 424F4D2553 45435F4C4F – – – – – BOM%SEC_LO
000060 47494E2D35 2D4C4F4749 4E5F535543 434553533A GIN-5-LOGIN_SUCCESS:
000080 204C6F6769 6E20537563 6365737320 5B75736572 Login Success [user
000100 3A206E7474 5D205B536F 757263653A 203139322E : ntt] [Source: 192.
000120 3136382E35 302E313133 5D205B6C6F 63616C706F 168.50.113] [localpo
000140 72743A2032 325D206174 2031363A35 363A303920 rt: 22] at 16:56:09
000160 4345542054 7565204D61 7220313920 323032340A CET Tue Mar 19 2024.
2024/03/19 16:56:10.299|SLProtocol – 17980 – Cisco-Syslog|12632|ParseIncommingData|DBG|2|-> Response Get Messages stored (0)
000000 65B3C0A832 511D000000 000000003C 3138393E31 e…2Q……..1
000020 2032303234 2D30332D31 395431353A 35363A3039 2024-03-19T15:56:09
000040 2E3138335A 202D202D20 2D202D202D 20424F4D25 .183Z – – – – – BOM%
000060 5345435F4C 4F47494E2D 352D4C4F47 494E5F5355 SEC_LOGIN-5-LOGIN_SU
000080 4343455353 3A204C6F67 696E205375 6363657373 CCESS: Login Success
000100 205B757365 723A206E74 745D205B53 6F75726365 [user: ntt] [Source
000120 3A20313932 2E3136382E 35302E3131 335D205B6C : 192.168.50.113] [l
000140 6F63616C70 6F72743A20 32325D2061 742031363A ocalport: 22] at 16:
000160 35363A3039 2043455420 547565204D 6172203139 56:09 CET Tue Mar 19
000180 2032303234 0A 2024.

I appreciate your support.
Show 1 more comments