Level 7

Changing syslog message received


I'm getting a syslog from Cisco ACS and it reads like this on Kiwi:

Dec  1 18:44:56 10.16.162.129- sv-chof-acs01.na.bluecap123.net  CisACS_01_PassedAuth 1as18p83x 1 0 User-Name=pete,Access Device=SW-CHCL-EXC2

I would like to edit this message to omit some of the garbage I don't care about and display something like this: 

PassedAuth -  User-Name=pete,Access Device=SW-CHCL-EXC2

Does anyone know of a way to modify incoming syslog messages?

Any help would be appreciated. 

Pete

0 Kudos
1 Solution

In NPM you can create filters against Syslog and then using variables pull specific portions of the variables and put in the action message. 


8 Replies
Level 7

Hi again,

This answer was done with Kiwi syslog server.  Is there a way to do this same thing using Orion NPM?

0 Kudos


Can you give me an example or screenshot of how to "using variables pull specific portions of the variables"?  I'm trying to do this same thing: I've got a log message coming in and am trying to strip out all the info I do not need and then forward the message on.

0 Kudos
Level 12

Hi Pete,

You can use a RunScript action to parse the Cisco ACS syslog messages, and reformat the syslog message to suit your needs.

Attached is a sample script (screenshot for the Rule config to follow).

Screenshot
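As an added illustration (not Kuz's attached script, which is not reproduced in the thread), here is a Kiwi RunScript-style VBScript that rewrites the ACS message from the question and keeps the tag (CisACS_01_PassedAuth / CisACS_02_FailedAuth) that the follow-up asks about. It assumes Kiwi exposes the message text through the read/write `Fields.VarCleanMessageText` property and expects `Main` to return "OK"; the sample message layout is taken from the question, and anything not matching that layout is passed through unchanged.

```vbscript
' Added example: rewrite a Cisco ACS syslog line inside a Kiwi RunScript action.
' Assumes Kiwi's scripting object Fields.VarCleanMessageText (read/write) and
' that Main must return "OK" (both assumptions about the Kiwi interface).
' Input shape (from the question):
'   ... sv-chof-acs01.na.bluecap123.net  CisACS_01_PassedAuth 1as18p83x 1 0 User-Name=pete,Access Device=SW-CHCL-EXC2
' Output:
'   CisACS_01_PassedAuth - User-Name=pete,Access Device=SW-CHCL-EXC2

Function Rewrite(msg)
    Dim re, matches, m, tag, body
    Set re = New RegExp
    ' tag = CisACS_<digits>_<name>, then the message id, two counters,
    ' then the key=value payload we actually want to keep
    re.Pattern = "(CisACS_\d+_\w+)\s+\S+\s+\d+\s+\d+\s+(.*)$"
    re.IgnoreCase = False
    re.Global = False
    If re.Test(msg) Then
        Set matches = re.Execute(msg)
        Set m = matches(0)
        tag = m.SubMatches(0)
        body = Trim(m.SubMatches(1))
        Rewrite = tag & " - " & body
    Else
        ' Not an ACS auth message: leave it untouched so later rules
        ' (for example the SNMP trap action) still see the original text
        Rewrite = msg
    End If
End Function

Function Main()
    Fields.VarCleanMessageText = Rewrite(Fields.VarCleanMessageText)
    Main = "OK"
End Function
```

To drop the "CisACS_01_" prefix and show only "PassedAuth" as in the original request, replace `tag & " - " & body` with `Mid(tag, InStrRev(tag, "_") + 1) & " - " & body`.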

Ok, thanks, that pretty much works.  I'm not a VB Script guy but I was wondering if there was a way you could leave in the TAG sections in the altered message (CisACS_01_PassedAuth or CisACS_02_FailedAuth).  Also, is there a way to go one step further and forward the modified syslog as an SNMP trap to another device?  I have an action rule to send a trap but if I put it before the parse script, it sends the original message, and if I put it after, it doesn't send a trap at all.

0 Kudos

Thanks again Kuz.  The script works great!  Also, if you ever hear of a way to add the TAG field back into the modified syslog messages, let me know.

Thanks!

Pete

0 Kudos

Never mind about the part about sending a trap.  I figured it out.  Thanks

0 Kudos