
Cisco IOS XR (8000 series) syslog as nix:syslog #2247

Open
PashFW opened this issue Oct 20, 2023 · 11 comments · May be fixed by #2399
Comments

@PashFW commented Oct 20, 2023

What is the sc4s version ?
3.5

Is there a pcap available?
No, but sample is attached
sample.txt

What the vendor name?
Cisco

What's the product name?
Cisco 8000 Series Routers, IOS XR Release 7+

**Feature Request description:**
Cisco IOS XR is declared supported, but it seems it doesn't fit the new(?) XR format and matches general nix:syslog when it is expected to be a flavor of cisco:ios like cisco:ios:xr or cisco:iosxr.
The format is described here: https://www.cisco.com/c/en/us/td/docs/iosxr/cisco8000/system-monitoring/73x/b-system-monitoring-cg-cisco8k-73x/implementing_system_logging.html
Short diff vs cisco:ios: the %message is preceded by node-id, timestamp and process-name, delimited by ":".

**Should it support TCP or UDP?**
not applicable

**Do you want to have it for local usage or prepare a github PR?**
recommended local quick fix is appreciated, but PR sounds right

@PashFW (Author) commented Oct 20, 2023

man page declaring the IOS XR support: https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/Cisco/cisco_ios/

advertised Splunk Add-on https://splunkbase.splunk.com/app/1467 does NOT have any XR-specific props/transforms and is no longer supported

@mstopa-splunk (Contributor):

@PashFW thank you for reporting this and for all the research, it's super helpful. I will try to update the parser by the end of the next week

@mstopa-splunk (Contributor):

@PashFW Cisco IOS XR logs are not RFC compliant so we need to rely on parts of messages a lot. Please see changes in #2270 and test if image ghcr.io/splunk/splunk-connect-for-syslog/container3:pr-2270@sha256:b07de8f2338b7dab926f3ff9e4e580a54affe63cde68b5a425c60cea7a799fd9 covers all your use cases

@mstopa-splunk (Contributor):

fixed in #2270

@Mosstrow commented Mar 19, 2024

Hello @mstopa-splunk ,

The fix was based on an incomplete payload, which results in an incorrect hostname extraction.

Here is a payload captured with tcpdump:
<190>290692: HOSTNAME RP/0/RSP0/CPU0:Mar 19 15:47:02.754 : SSHD_[65935]: %SECURITY-SSHD-6-INFO_USER_LOGOUT : User 'HELLO' from '8.8.8.8' logged out on 'vty0'

With the current parsing and this log sample, the hostname in splunk is "SSHD" instead of "HOSTNAME"

Can you fix this, please?

Thanks

@mstopa-splunk mstopa-splunk reopened this Mar 20, 2024
@mstopa-splunk (Contributor):

hi @Mosstrow reopened this issue

@mstopa-splunk (Contributor):

@Mosstrow this works on my end:

echo "<190>290692: HOSTNAME RP/0/RSP0/CPU0:Mar 26 14:47:02.754 : SSHD_[65935]: %SECURITY-SSHD-6-INFO_USER_LOGOUT : User 'HELLO' from '8.8.8.8' logged out on 'vty0'" > /dev/udp/0.0.0.0/514

[screenshot omitted]

I'm on SC4S 3.22.0. Please double check and let me know

@mstopa-splunk (Contributor):

If you still have this problem, please send sc4s_tags

@Mosstrow:

Hi @mstopa-splunk

Sorry for the late reply.

The problem persists, but it's related to the fact that our switch's host name contains an underscore.

echo "<190>290692: HOST_NAME RP/0/RSP0/CPU0:Mar 26 14:47:02.754 : SSHD_[65935]: %SECURITY-SSHD-6-INFO_USER_LOGOUT : User 'HELLO' from '8.8.8.8' logged out on 'vty0'" > /dev/udp/0.0.0.0/514

Can you correct this?

Thanks
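To make the hostname problem above concrete, here is an added stand-alone parser for the IOS XR syslog layout quoted in this thread. It is not SC4S code and says nothing about how SC4S itself matches the format; the regular expression is an assumption built from the two samples in the issue and the linked Cisco logging guide. It anchors the hostname on the node-id token that follows it (the `RP/0/RSP0/CPU0` style field) rather than on the characters the hostname may contain, so `HOST_NAME` with an underscore parses the same as `HOSTNAME`. It also cross-checks the severity in the PRI against the severity digit in the `%FACILITY-SUBFACILITY-SEVERITY-MNEMONIC` token, a cheap sanity check when building detections on these events. The sample lines beyond the two from the issue, and the `cisco:ios:xr` label, are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed layout (from the samples in this issue and the Cisco guide), NOT the SC4S parser:
#   <PRI>SEQ: HOSTNAME NODE-ID:TIMESTAMP : PROCESS[PID]: %FAC-SUB-SEV-MNEMONIC : text
IOSXR_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                              # syslog PRI
    r"(?P<seq>\d+):\s+"                                 # message sequence number
    r"(?P<host>\S+)\s+"                                 # hostname: any non-blank run,
                                                        # so '_' and '-' are accepted
    r"(?P<node>[A-Za-z0-9/]+/CPU\d+):"                  # node-id, e.g. RP/0/RSP0/CPU0
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+:\s+"
    r"(?P<proc>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s+"     # process name, optional [pid]
    r"%(?P<facility>[A-Z0-9_]+)(?:-(?P<subfacility>[A-Z0-9_]+))?"
    r"-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+)\s*:\s+"
    r"(?P<msg>.*)$"
)


@dataclass
class IosXrEvent:
    host: str
    node: str
    timestamp: str
    process: str
    pid: Optional[int]
    facility: str
    subfacility: Optional[str]
    severity: int
    mnemonic: str
    message: str
    pri_facility: int   # PRI >> 3
    pri_severity: int   # PRI & 7

    @property
    def severity_consistent(self) -> bool:
        # The PRI severity and the digit inside %FAC-SUB-SEV-MNEMONIC should agree.
        return self.pri_severity == self.severity


def parse_iosxr(line: str) -> Optional[IosXrEvent]:
    """Return a parsed event, or None when the line is not in the IOS XR layout."""
    m = IOSXR_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    return IosXrEvent(
        host=m["host"],
        node=m["node"],
        timestamp=m["ts"],
        process=m["proc"],
        pid=int(m["pid"]) if m["pid"] else None,
        facility=m["facility"],
        subfacility=m["subfacility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        message=m["msg"],
        pri_facility=pri >> 3,
        pri_severity=pri & 7,
    )


def classify(line: str) -> str:
    """Placeholder sourcetype decision: 'cisco:ios:xr' is a label assumed for this example."""
    return "cisco:ios:xr" if parse_iosxr(line) else "nix:syslog"


# Constructed samples: the first two are the lines quoted in this issue, the third is a
# made-up line without a pid or subfacility, the fourth is a plain BSD-style line.
SAMPLES = [
    "<190>290692: HOSTNAME RP/0/RSP0/CPU0:Mar 26 14:47:02.754 : SSHD_[65935]: "
    "%SECURITY-SSHD-6-INFO_USER_LOGOUT : User 'HELLO' from '8.8.8.8' logged out on 'vty0'",
    "<190>290692: HOST_NAME RP/0/RSP0/CPU0:Mar 26 14:47:02.754 : SSHD_[65935]: "
    "%SECURITY-SSHD-6-INFO_USER_LOGOUT : User 'HELLO' from '8.8.8.8' logged out on 'vty0'",
    "<189>12: edge-rtr-1 0/RP0/CPU0:Apr 1 09:00:00.001 : config: "
    "%MGBL-5-CONFIG_I : Configured from console by admin on vty1",
    "<13>Apr  1 09:00:00 somehost sshd[1]: Accepted publickey for admin",
]

if __name__ == "__main__":
    for s in SAMPLES:
        ev = parse_iosxr(s)
        label = classify(s)
        host = ev.host if ev else "-"
        ok = ev.severity_consistent if ev else "-"
        print(f"{label:13} host={host:12} severity_consistent={ok}")
```

Running the block prints one line per sample; the underscore hostname comes out as `HOST_NAME`, and the BSD-style line falls through to the generic label, which is the same split the thread is asking SC4S to make.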

@mstopa-splunk mstopa-splunk linked a pull request Apr 15, 2024 that will close this issue
@mstopa-splunk (Contributor):

@Mosstrow can you try with the image ghcr.io/splunk/splunk-connect-for-syslog/container3:pr-2399 ?

@Mosstrow:

@mstopa-splunk I've tested it in the LAB and it works very well
Good job!
