Hi Team,
I need to obtain a list of devices that have syslog enabled as well as those that do not. I have checked the Forward Library and the community but could not find any relevant queries for this purpose. Could you please assist me in generating the list of devices with syslog enabled and those without it? Thank you!
Here is one NQE query I tried myself, with the help of some other NQEs. Can you check whether I am close to the requirement or not, and what the actual query should be to fetch this data?
foreach device in network.devices
let outputs = device.outputs
where isPresent(outputs.bluecat)
let bluecat = outputs.bluecat
where isPresent(bluecat.config)
let config = bluecat.config
foreach item in config.items
where isPresent(item.data)
let data = item.data
let services = data.services
let syslog = services.syslog
where isPresent(syslog.configurations) && length(syslog.configurations) > 0
foreach configuration in syslog.configurations
select {
  deviceName: device.name,
  syslogConfiguration: configuration.syslogConfiguration
}
Syslog server is not a normalized piece of data in Forward Networks.
However, you can look for a pattern in the configuration (or other command output) that has the syslog server.
Different platforms have different syslog configuration, so you would have to parse each type of config based on the vendor and perhaps even OS version.
For example, in the following query, we parse syslog configuration for Cisco and Arista using two different pattern matches, then list the results together in one table.
syslogPatternCisco = ```
logging server {server:string}
```;
syslogPatternArista = ```
logging host {server:string}
```;
getCiscoServers(device) =
  foreach match in blockMatches(device.files.config, syslogPatternCisco)
  select { serverIP: match.data.server };
getAristaServers(device) =
  foreach match in blockMatches(device.files.config, syslogPatternArista)
  select { serverIP: match.data.server };
foreach device in network.devices
select {
  device: device.name,
  vendor: device.platform.vendor,
  os: device.platform.os,
  servers: if device.platform.vendor == Vendor.CISCO
           then (foreach server in getCiscoServers(device)
                 select server.serverIP)
           else if device.platform.vendor == Vendor.ARISTA
           then (foreach server in getAristaServers(device)
                 select server.serverIP)
           else ["none"]
}
Note that some vendors may not have the syslog configuration as part of the files we collect. For those devices, you may have to use a custom command and parse the data from the custom command output. You could still combine that output into the query above.
Team, based on the same query I tried a few more patterns, such as for F5 devices and Cisco IOS devices, but I am unable to fetch the details for these. Can you please help with how to proceed? Sharing the code with you:
syslogPatternCisco = ```
logging server {server:string}
```;
syslogPatternCiscoIOS = ```
logging server {server:string}
```;
syslogPatternArista = ```
logging host {server:string}
```;
getCiscoServers(device) =
  foreach match in blockMatches(device.files.config, syslogPatternCisco)
  select { serverIP: match.data.server };
getCiscoServersIOS(device) =
  foreach match in blockMatches(device.files.config, syslogPatternCiscoIOS)
  select { serverIP: match.data.server };
getAristaServers(device) =
  foreach match in blockMatches(device.files.config, syslogPatternArista)
  select { serverIP: match.data.server };
foreach device in network.devices
select {
  device: device.name,
  vendor: device.platform.vendor,
  os: device.platform.os,
  servers: if device.platform.vendor == Vendor.CISCO
           then (foreach server in getCiscoServers(device)
                 foreach server in getCiscoServersIOS(device)
                 select server.serverIP)
           else if device.platform.vendor == Vendor.ARISTA
           then (foreach server in getAristaServers(device)
                 select server.serverIP)
           else ["none"]
}
Also, may I suggest reading these examples for the best way to share queries here. Not everyone has access to the same data, so if you can provide a sample (anonymized) of the data, others might jump in to help.
Hey Varun,
Your query is working ok for me. I modified it to match on OS rather than vendor, but it is picking up the syslog servers ok. Are you sure there are servers in the collected configuration files to match on?
I only have IOS XE in my lab at the moment, so I matched on that. syslogPatternCiscoIOS is unused.
Cheers,
Mullers
My version:
syslogPatternCiscoIOSXE = ```
logging host {server:string}
```;
syslogPatternCiscoIOS = ```
logging server {server:string}
```;
syslogPatternArista = ```
logging host {server:string}
```;
getCiscoServersIOSXE(device) =
  foreach match in blockMatches(device.files.config, syslogPatternCiscoIOSXE)
  select { serverIP: match.data.server };
getCiscoServersIOS(device) =
  foreach match in blockMatches(device.files.config, syslogPatternCiscoIOS)
  select { serverIP: match.data.server };
getAristaServers(device) =
  foreach match in blockMatches(device.files.config, syslogPatternArista)
  select { serverIP: match.data.server };
foreach device in network.devices
select {
  device: device.name,
  vendor: device.platform.vendor,
  os: device.platform.os,
  servers: if device.platform.os == OS.IOS_XE
           then (foreach server in getCiscoServersIOSXE(device)
                 select server.serverIP)
           else if device.platform.os == OS.ARISTA_EOS
           then (foreach server in getAristaServers(device)
                 select server.serverIP)
           else ["none"]
}
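The original request was a list of devices with and without syslog. The sketch below is an added example, not part of any post in this thread and not NQE: it applies the same per-OS matching offline in Python and separates "no syslog server found" from "no pattern written for this OS", which the queries above do not distinguish as a status. The regexes are stand-ins for the thread's `logging host` patterns, and the OS keys, device names and configs are constructed assumptions.

```python
import re

# Regex stand-ins for the thread's per-OS NQE patterns (assumption: one
# server token follows the keyword; trailing options such as "vrf" are ignored).
SYSLOG_PATTERNS = {
    "IOS_XE": re.compile(r"^logging host (\S+)", re.MULTILINE),
    "ARISTA_EOS": re.compile(r"^logging host (\S+)", re.MULTILINE),
}

def syslog_status(os_name, config_text):
    """Classify one device as enabled / not-configured / no-pattern."""
    pattern = SYSLOG_PATTERNS.get(os_name)
    if pattern is None:
        # No parser for this OS: the result is unknown, not "syslog disabled".
        return "no-pattern", []
    # Deduplicate while keeping the order the servers appear in the config.
    servers = list(dict.fromkeys(pattern.findall(config_text)))
    return ("enabled" if servers else "not-configured"), servers

def audit(devices):
    """Group device names by status; devices is a list of (name, os, config)."""
    report = {"enabled": [], "not-configured": [], "no-pattern": []}
    for name, os_name, config in devices:
        status, _ = syslog_status(os_name, config)
        report[status].append(name)
    return report

# Constructed sample data, not taken from any real network.
SAMPLE_DEVICES = [
    ("edge-rtr-1", "IOS_XE",
     "hostname edge-rtr-1\nlogging host 192.0.2.10\n"
     "logging host 192.0.2.11 vrf MGMT\n"),
    # A negated line must not count as a configured server.
    ("leaf-sw-1", "ARISTA_EOS",
     "hostname leaf-sw-1\nno logging host 192.0.2.10\n"),
    # OS with no pattern yet (placeholder config text).
    ("lb-1", "F5", "placeholder config\n"),
]

if __name__ == "__main__":
    for status, names in audit(SAMPLE_DEVICES).items():
        print(f"{status}: {names}")
```

Devices in the `no-pattern` group are the ones that need a new pattern or a custom command before they can be reported as having syslog or not.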