Network Automation Practitioners Forum

NA Syslog message format

Bitdog
Honored Contributor.

When NA is configured to forward syslog messages, what RFC specification do they use: 5424, 3164 or HPE?

“The world as we have created it is a process of our thinking. It cannot be changed without changing our thinking.”
― Albert Einstein
2 REPLIES
Chris_Powers
Outstanding Contributor.

Re: NA Syslog message format

Hey - this may (or may not) help.  Not sure about the RFC, do recall it's in their documentation...  But what I wanted to mention is NA doesn't get along with all 3rd party syslog apps.  For example, Kiwi - not so much.  May be a way to reconfigure it but it will inject its info into the packet and NA doesn't process it and trigger a snapshot (or at least what we found).  Saw this same thing with another vendor but years ago and don't recall what it was.  Syslog NG - works fine.  

So, in case you end up using someone else for syslog forwarding and you don't get snapshots, turn up logging, take a look at the syslog messages coming into NA and see if the packet has been messed with.  

Hope this helps,

Chris

agonza
Super Contributor.

Re: NA Syslog message format

NA tokenizes the header added by the syslog relay on the space character and extracts the relevant indexed string.

There are currently two generally available syslog RFC standards:

RFC 3164

  • this is the default RFC format supported by NA, token index = 3
  • Example:
<13>May  16 17:01:19 192.168.5.18 <189>477: May 16 17:01:19: %SYS-5-CONFIG_I: Configured from console by rw on vty0 (10.1.1.1)
  • Tokenized syslog relay string: index0 = <13>May, index1 = 16, index2 = 17:01:19, index3 = xxx.xxx.x.xx


RFC 5424

  • new RFC, token index = 2
  • Configure NA to use this format by adding the following option into <NA_Home>/jre/adjustable_options.rcx and restart NA:
<option name="changedetection/parser/index">2</option>
  • Example:
<45>1 2013-11-14T01:33:30+00:00 CiscoNexus - - - - 2013 Nov 13 20:33:30.116 EST: %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by nasm on xx.xxx.xxx.xx@pts/0
  • Tokenized syslog relay string: index0 = <45>1, index1 = 2013-11-14T01:33:30+00:00, index2 = CiscoNexus


Note: if the device hostname is specified instead of the IP address, it needs to be resolvable on the NA OS.

Troubleshooting:

  • Set to TRACE in Admin - Troubleshooting: device/syslog, feature/changedetection
  • Have the relay send the syslog message
  • Look in <NA_Home>/server/log/jboss_wrapper.log file


Examples:

RFC 3164:

{feature/changedetection} [WorkerThread#0[1.2.3.4:44847]] 10 ChangeDetectionEJB:  Syslog Message: <189>May 16 17:01:19 192.168.16.45 <189>477: May 16 17:01:19: %SYS-5-CONFIG_I: Configured from vty by nasuser on vty0 (xx.xxx.xxx.x) -
{device/syslog} [WorkerThread#0[1.2.3.4:44847]] 10 SyslogNAMessageParser: Using Index: 3
{feature/changedetection} [WorkerThread#0[1.2.3.4:44847]] 10 ChangeDetectionEJB: Got IP: xxx.xxx.xx.xx senderIP: xx.xx.x.xxx rfcCompliant: true user: null
{feature/changedetection} [WorkerThread#0[1.2.3.4:44847]] 00 ChangeDetectionEJB: Will process change detection for all devices in all realms with the ip xxx.xxxxxxx

RFC 5424:

{feature/changedetection} [WorkerThread#1[1.2.3.4:44879]] 10 ChangeDetectionEJB:  Syslog Message: <189>1 2013-11-14T01:33:30+00:00 xx.xxx.xxx.xx - - - - 2013 Nov 13 20:33:30.116 EST: %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by nasm on xx.xxx.xxx.xx@pts/0 -
{device/syslog} [WorkerThread#1[1.2.3.4:44879]] 10 SyslogNAMessageParser: Using Index: 2 -
{feature/changedetection} [WorkerThread#1[1.2.3.4:44879]] 10 ChangeDetectionEJB: Got IP: 192.168.16.45 senderIP: xx.xxx.xxx.xxrfcCompliant: true user: null -
{feature/changedetection} [WorkerThread#1[1.2.3.4:44879]] 10 ChangeDetectionEJB: Processing syslog message for device with ip= xx.xxx.xxx.xx user= u:null:u -
{feature/changedetection} [WorkerThread#1[1.2.3.4:44879]] 00 ChangeDetectionEJB: Will process change detection for all devices in all realms with the ip xx.xxx.xxx.xx -
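The index-based tokenizing described in this answer, and the "relay messed with the packet" symptom from the earlier reply, as an added Python example (not NA code, and not from either poster). It assumes NA's space tokenizer skips empty tokens (so the double space in "May  16" does not shift the index) and uses constructed sample messages modelled on the two formats above; the device IP in the injected-relay case is constructed.

```python
import ipaddress

# Constructed sample relay messages, modelled on the two formats quoted above.
RFC3164_MSG = ("<13>May  16 17:01:19 192.168.5.18 <189>477: May 16 17:01:19: "
               "%SYS-5-CONFIG_I: Configured from console by rw on vty0 (10.1.1.1)")
RFC5424_MSG = ("<45>1 2013-11-14T01:33:30+00:00 CiscoNexus - - - - 2013 Nov 13 "
               "20:33:30.116 EST: %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty "
               "by nasm on 10.0.0.5@pts/0")
# Constructed: a relay that inserts its own hostname ahead of the device address,
# so every later token shifts right by one and index 3 no longer holds the device IP.
INJECTED_MSG = ("<13>May 16 17:01:19 relay01 192.168.5.18 <189>477: May 16 17:01:19: "
                "%SYS-5-CONFIG_I: Configured from console by rw on vty0 (10.1.1.1)")

# Default token index per format as stated in the answer (changedetection/parser/index).
DEFAULT_INDEX = {"rfc3164": 3, "rfc5424": 2}


def extract_source_token(message, index):
    """Split the relay header on runs of whitespace (assumed to match NA's tokenizer)
    and return the token at `index`, which NA treats as the device IP or hostname."""
    tokens = message.split()
    if index >= len(tokens):
        raise ValueError("only %d tokens, index %d out of range" % (len(tokens), index))
    return tokens[index]


def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def find_index_for_device(message, device_ip):
    """Index at which the device IP appears in the relay header, or -1 if absent.
    Run it on a message copied from jboss_wrapper.log to pick the parser index."""
    for i, token in enumerate(message.split()):
        if token == device_ip:
            return i
    return -1


def diagnose(message, index, device_ip):
    """Say whether the configured index yields the device IP, a hostname NA must
    resolve, or a shifted field (the symptom of a relay rewriting the packet)."""
    token = extract_source_token(message, index)
    if token == device_ip:
        return "ok: device IP at configured index"
    if is_ip(token):
        return "mismatch: got IP %s, not the device" % token
    actual = find_index_for_device(message, device_ip)
    if actual >= 0:
        return "shifted: '%s' at index %d; device IP is at index %d" % (token, index, actual)
    return "hostname: '%s' must resolve on the NA server" % token
```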