Hi Team,
I need to obtain a list of devices that have syslog enabled as well as those that do not. I have checked the Forward Library and the community but could not find any relevant queries for this purpose. Could you please assist me in generating the list of devices with syslog enabled and those without it? Thank you!
Here is one NQE query I tried by myself, with the help of some other NQEs. Can you check whether I am close to the requirement or not, and what the actual query to fetch this data should be?
foreach device in network.devices
let outputs = device.outputs
where isPresent(outputs.bluecat)
let bluecat = outputs.bluecat
where isPresent(bluecat.config)
let config = bluecat.config
foreach item in config.items
where isPresent(item.data)
let data = item.data
let services = data.services
let syslog = services.syslog
where isPresent(syslog.configurations) && length(syslog.configurations) > 0
foreach configuration in syslog.configurations
select {
  deviceName: device.name,
  syslogConfiguration: configuration.syslogConfiguration
}
Syslog server is not a normalized piece of data in Forward Networks.
However, you can look for a pattern in the configuration (or other command output) that has the syslog server.
Different platforms have different syslog configuration, so you would have to parse each type of config based on the vendor and perhaps even OS version.
For example, in the following query, we parse syslog configuration for Cisco and Arista using two different pattern matches, then list the results together in one table.
syslogPatternCisco = ```
logging server {server:string}
```;
syslogPatternArista = ```
logging host {server:string}
```;
getCiscoServers(device) =
  foreach match in blockMatches(device.files.config, syslogPatternCisco)
  select { serverIP: match.data.server };

getAristaServers(device) =
  foreach match in blockMatches(device.files.config, syslogPatternArista)
  select { serverIP: match.data.server };

foreach device in network.devices
select {
  device: device.name,
  vendor: device.platform.vendor,
  os: device.platform.os,
  servers: if device.platform.vendor == Vendor.CISCO
           then (foreach server in getCiscoServers(device)
                 select server.serverIP)
           else if device.platform.vendor == Vendor.ARISTA
           then (foreach server in getAristaServers(device)
                 select server.serverIP)
           else ["none"]
}
Note that some vendors may not have the syslog configuration as part of the files we collect. For those devices, you may have to use a custom command and parse the data from the custom command output. You could still combine that output into the query above.
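The per-platform matching described in the answer above can be checked offline against saved configurations. The following Python is an added example, not part of the original post or Forward Networks' code; the OS labels, function names and sample configurations are assumptions made for illustration. It answers the original question (devices with and without syslog) and keeps "no pattern for this OS" separate from "no syslog server configured", which a single "none" value would merge.

```python
import re

# Line patterns mirror the NQE patterns in the thread; the OS keys are
# labels assumed for this example.
PATTERNS = {
    "IOS_XE": re.compile(r"^[ \t]*logging host (\S+)", re.M),
    "NXOS": re.compile(r"^[ \t]*logging server (\S+)", re.M),
    "ARISTA_EOS": re.compile(r"^[ \t]*logging host (\S+)", re.M),
}

def syslog_servers(os_name, config):
    """Return the servers found, or None when no pattern exists for the OS."""
    pattern = PATTERNS.get(os_name)
    if pattern is None:
        return None
    # dict.fromkeys de-duplicates while keeping configuration order
    return list(dict.fromkeys(pattern.findall(config)))

def audit(devices):
    """Split devices into configured / missing / unparsed."""
    report = {"configured": {}, "missing": [], "unparsed": []}
    for name in sorted(devices):
        os_name, config = devices[name]
        servers = syslog_servers(os_name, config)
        if servers is None:
            report["unparsed"].append(name)    # no pattern: needs a parser
        elif servers:
            report["configured"][name] = servers
        else:
            report["missing"].append(name)     # parsed, nothing configured
    return report

# Constructed sample configurations (not taken from any real device).
DEVICES = {
    "edge-rtr-1": ("IOS_XE", "hostname edge-rtr-1\n"
                   "logging host 192.0.2.10\n"
                   "logging host 192.0.2.11 vrf Mgmt\n"),
    "core-sw-1": ("NXOS", "hostname core-sw-1\nlogging server 192.0.2.10 6\n"),
    "leaf-sw-7": ("ARISTA_EOS", "hostname leaf-sw-7\n"
                  "no logging host 192.0.2.10\n"),
    "lb-1": ("F5", "sys syslog { }\n"),
}

if __name__ == "__main__":
    for bucket, members in audit(DEVICES).items():
        print(bucket, members)
```

Devices in the "missing" bucket forward no logs to a collector; devices in "unparsed" still need a pattern or custom command before they can be counted either way.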
Team, based on the same query I tried a few more patterns, for F5 devices and Cisco IOS devices, but was unable to fetch the details for these. Can you please help with how to proceed? Sharing the code with you:
syslogPatternCisco = ```
logging server {server:string}
```;
syslogPatternCiscoIOS = ```
logging server {server:string}
```;
syslogPatternArista = ```
logging host {server:string}
```;
getCiscoServers(device) =
  foreach match in blockMatches(device.files.config, syslogPatternCisco)
  select { serverIP: match.data.server };

getCiscoServersIOS(device) =
  foreach match in blockMatches(device.files.config, syslogPatternCiscoIOS)
  select { serverIP: match.data.server };

getAristaServers(device) =
  foreach match in blockMatches(device.files.config, syslogPatternArista)
  select { serverIP: match.data.server };

foreach device in network.devices
select {
  device: device.name,
  vendor: device.platform.vendor,
  os: device.platform.os,
  servers: if device.platform.vendor == Vendor.CISCO
           then (foreach server in getCiscoServers(device)
                 foreach server in getCiscoServersIOS(device)
                 select server.serverIP)
           else if device.platform.vendor == Vendor.ARISTA
           then (foreach server in getAristaServers(device)
                 select server.serverIP)
           else ["none"]
}
Also, may I suggest reading these examples for the best way to share queries here? Not everyone has access to the same data, so if you can provide a sample (anonymized) of the data, others might jump in to help.
Hey Varun,
Your query is working ok for me. I modified it to match on OS rather than vendor, but it is picking up the syslog servers ok. Are you sure there are servers in the collected configuration files to match on?
I only have IOS XE in my lab at the moment, so I matched on that. syslogPatternCiscoIOS is unused.
Cheers,
Mullers
My version:
syslogPatternCiscoIOSXE = ```
logging host {server:string}
```;
syslogPatternCiscoIOS = ```
logging server {server:string}
```;
syslogPatternArista = ```
logging host {server:string}
```;
getCiscoServersIOSXE(device) =
  foreach match in blockMatches(device.files.config, syslogPatternCiscoIOSXE)
  select { serverIP: match.data.server };

getCiscoServersIOS(device) =
  foreach match in blockMatches(device.files.config, syslogPatternCiscoIOS)
  select { serverIP: match.data.server };

getAristaServers(device) =
  foreach match in blockMatches(device.files.config, syslogPatternArista)
  select { serverIP: match.data.server };

foreach device in network.devices
select {
  device: device.name,
  vendor: device.platform.vendor,
  os: device.platform.os,
  servers: if device.platform.os == OS.IOS_XE
           then (foreach server in getCiscoServersIOSXE(device)
                 select server.serverIP)
           else if device.platform.os == OS.ARISTA_EOS
           then (foreach server in getAristaServers(device)
                 select server.serverIP)
           else ["none"]
}
Hey Team,
I followed the suggestion from
Thank you!
Hi Varun,
Is your F5 config a bit like this?
sys syslog {
    remote-servers {
        syslogA {
            host 192.168.1.1
        }
        syslogB {
            host 192.168.2.1
        }
    }
}
Cheers
Yes Correct !!
Could you share your pattern that you’re matching on for the F5 devices?
syslogPatternF5_SPGI = ```
list sys syslog {host:string}
network {network:string}
```;
getF5Servers(device) =
  foreach match in blockMatches(device.files.config, syslogPatternF5_SPGI)
  select { serverIP: match.data.network };

foreach device in network.devices
where device.platform.os == OS.F5
select {
  device: device.name,
  vendor: device.platform.vendor,
  Tags: device.tagNames,
  servers: if device.platform.os == OS.F5
           then (foreach server in getF5Servers(device)
                 select server.serverIP)
           else ["none"]
}
This is what I am currently using.
I think "list sys syslog remote-servers" is the command you need to issue, maybe as a custom command. It isn’t the pattern you want to be matching on, which I think should be more like:
syslogPatternF5_SPGI = ```
sys syslog
  remote-servers
    {host:string}
      host {syslogIp:string}
```;
syslogPatternF5 = ```
sys syslog
  remote-servers
    {host:string}
      host {syslogIp:string}
```;

getF5Servers(device) =
  foreach match in blockMatches(device.files.config, syslogPatternF5)
  select { serverIP: match.data.syslogIp };

foreach device in network.devices
where device.platform.os == OS.F5
select {
  device: device.name,
  vendor: device.platform.vendor,
  Tags: device.tagNames,
  servers: if device.platform.os == OS.F5
           then (foreach server in getF5Servers(device)
                 select server.serverIP)
           else ["none"]
}
I am currently using this entire script, but it is still not retrieving the syslog server IP in the output. Are any further modifications needed to get output from this NQE Query?
It's sorted, thanks
Ah! Good news - what was the issue?
pattern = ```
sys syslog
  remote-servers
    {host:string}
      host {syslogIp:string}
```;

getServers(device) =
  foreach command in device.outputs.commands
  where command.commandText == "list sys syslog"
  let filtered_response = replace(command.response, "{", "")
  let filtered_response = replace(filtered_response, "}", "")
  let blocks = parseConfigBlocks(OS.F5, filtered_response)
  foreach match in blockMatches(blocks, pattern)
  select { server1: match.data.syslogIp };

foreach device in network.devices
let snapshotInfo = device.snapshotInfo
where device.platform.os == OS.F5
select {
  device: device.name,
  "IP Address": snapshotInfo.collectionIp,
  os: device.platform.os,
  Tags: device.tagNames,
  server1: max(getServers(device))?.server1
}
I am currently using this method, which has been successfully generating data for me. Although I have not yet identified the issue with the previous method, my main priority is to achieve results. Consequently, I opted to try this approach, and it has worked effectively.
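The final query strips the braces from the "list sys syslog" output before parsing it. As an added example (not part of the original thread or of Forward Networks' code; function names are hypothetical), this Python parser walks the brace nesting of the F5 sample posted earlier in the thread, returns every remote server rather than one, and rejects truncated output so that a failed collection is not reported as a device without syslog.

```python
def parse_tmsh(text):
    """Parse brace-nested output (one item per line) into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            # "name {" opens a child block under the current one
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in output")
            stack.pop()
        else:
            # leaf line: first word is the key, the rest is the value
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    if len(stack) != 1:
        raise ValueError("unclosed block: output looks truncated")
    return root

def remote_syslog_hosts(text):
    """Map each remote-server name to its host; empty dict if none defined."""
    servers = parse_tmsh(text).get("sys syslog", {}).get("remote-servers", {})
    if not isinstance(servers, dict):   # e.g. a "remote-servers none" leaf
        return {}
    return {name: entry["host"] for name, entry in servers.items()
            if isinstance(entry, dict) and "host" in entry}

# The F5 sample posted in the thread.
F5_OUTPUT = """\
sys syslog {
    remote-servers {
        syslogA {
            host 192.168.1.1
        }
        syslogB {
            host 192.168.2.1
        }
    }
}
"""

if __name__ == "__main__":
    print(remote_syslog_hosts(F5_OUTPUT))
```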