
Hi Team,

I need to obtain a list of devices that have syslog enabled as well as those that do not. I have checked the Forward Library and the community but could not find any relevant queries for this purpose. Could you please assist me in generating the list of devices with syslog enabled and those without it? Thank you!

Here is one NQE query I tried myself, with the help of some other NQEs. Can you check whether I am close to the requirement, and what the actual query to fetch this data should be?

// This walks only the BlueCat output collected for each device, not the
// device's own logging configuration.
foreach device in network.devices
let outputs = device.outputs
where isPresent(outputs.bluecat)
let bluecat = outputs.bluecat
where isPresent(bluecat.config)
let config = bluecat.config
foreach item in config.items
where isPresent(item.data)
let data = item.data
let services = data.services
let syslog = services.syslog
where isPresent(syslog.configurations) && length(syslog.configurations) > 0
foreach configuration in syslog.configurations
select {
  deviceName: device.name,
  syslogConfiguration: configuration.syslogConfiguration
}


Syslog server is not a normalized piece of data in Forward Networks.

However, you can look for a pattern in the configuration (or other command output) that has the syslog server.

Different platforms have different syslog configuration, so you would have to parse each type of config based on the vendor and perhaps even OS version.

For example, in the following query, we parse syslog configuration for Cisco and Arista using two different pattern matches, then list the results together in one table.

// NX-OS form: "logging server <ip>". IOS and IOS XE use "logging host <ip>",
// i.e. the same keyword as the Arista pattern below.
syslogPatternCisco = ```
logging server {server:string}
```;

syslogPatternArista = ```
logging host {server:string}
```;

getCiscoServers(device) =
  foreach match in blockMatches(device.files.config, syslogPatternCisco)
  select { serverIP: match.data.server };

getAristaServers(device) =
  foreach match in blockMatches(device.files.config, syslogPatternArista)
  select { serverIP: match.data.server };

foreach device in network.devices
select {
  device: device.name,
  vendor: device.platform.vendor,
  os: device.platform.os,
  // an empty list means a matched vendor with no syslog lines in its config;
  // "none" means a vendor this query has no pattern for
  servers: if device.platform.vendor == Vendor.CISCO
           then (foreach server in getCiscoServers(device)
                 select server.serverIP)
           else if device.platform.vendor == Vendor.ARISTA
           then (foreach server in getAristaServers(device)
                 select server.serverIP)
           else ["none"]
}

Note that some vendors may not have the syslog configuration as part of the files we collect. For those devices, you may have to use a custom command and parse the data from the custom command output. You could still combine that output into the query above.


Team, based on the same query I tried a few more patterns, e.g. for F5 devices and Cisco IOS devices, but I am unable to fetch the details for these. Can you please help with how to proceed? Sharing the code with you:

syslogPatternCisco = ```
logging server {server:string}
```;

// identical to syslogPatternCisco, so every "logging server" line is matched
// twice; IOS and IOS XE actually use "logging host <ip>"
syslogPatternCiscoIOS = ```
logging server {server:string}
```;

syslogPatternArista = ```
logging host {server:string}
```;

getCiscoServers(device) =
  foreach match in blockMatches(device.files.config, syslogPatternCisco)
  select { serverIP: match.data.server };

getCiscoServersIOS(device) =
  foreach match in blockMatches(device.files.config, syslogPatternCiscoIOS)
  select { serverIP: match.data.server };

getAristaServers(device) =
  foreach match in blockMatches(device.files.config, syslogPatternArista)
  select { serverIP: match.data.server };

foreach device in network.devices
select {
  device: device.name,
  vendor: device.platform.vendor,
  os: device.platform.os,
  // the nested foreach flattens the two Cisco result lists into one list;
  // reusing the same variable name for both loops would shadow it instead
  servers: if device.platform.vendor == Vendor.CISCO
           then (foreach serverList in [getCiscoServers(device),
                                        getCiscoServersIOS(device)]
                 foreach server in serverList
                 select server.serverIP)
           else if device.platform.vendor == Vendor.ARISTA
           then (foreach server in getAristaServers(device)
                 select server.serverIP)
           else ["none"]
}


@VarunS It would really help if you leverage the code formatter component here in the community to format your query.

Also, may I suggest reading these examples for the best way to share queries here. Not everyone has access to the same data, so if you can provide a sample (anonymized) of the data, others might jump in to help.

Hey Varun, 
Your query is working ok for me.  I modified it to match on OS rather than vendor, but it is picking up the syslog servers ok.  Are you sure there are servers in the collected configuration files to match on?

I only have IOS XE in my lab at the moment, so I matched on that.  syslogPatternCiscoIOS is unused.

Cheers,

Mullers

My version:

syslogPatternCiscoIOSXE = ```
logging host {server:string}
```;

// defined but not used in the query below; "logging server <ip>" is the
// NX-OS form, IOS and IOS XE use "logging host <ip>"
syslogPatternCiscoIOS = ```
logging server {server:string}
```;

syslogPatternArista = ```
logging host {server:string}
```;

getCiscoServersIOSXE(device) =
  foreach match in blockMatches(device.files.config, syslogPatternCiscoIOSXE)
  select { serverIP: match.data.server };

getCiscoServersIOS(device) =
  foreach match in blockMatches(device.files.config, syslogPatternCiscoIOS)
  select { serverIP: match.data.server };

getAristaServers(device) =
  foreach match in blockMatches(device.files.config, syslogPatternArista)
  select { serverIP: match.data.server };

foreach device in network.devices
select {
  device: device.name,
  vendor: device.platform.vendor,
  os: device.platform.os,
  servers: if device.platform.os == OS.IOS_XE
           then (foreach server in getCiscoServersIOSXE(device)
                 select server.serverIP)
           else if device.platform.os == OS.ARISTA_EOS
           then (foreach server in getAristaServers(device)
                 select server.serverIP)
           else ["none"]
}


Hey Team,

I followed the suggestion from @Mullers, and it worked for nearly all cases. However, when I applied this to F5 devices using a custom command, I was unable to retrieve the data. While I can successfully fetch the syslog server details through the custom command, I am having trouble getting the same results using the NQE query with patterns. Could you please assist me with the F5 devices? This would also be beneficial for my work with Fortinet devices.
Thank you!


Hi Varun,

Is your F5 config a bit like this?

sys syslog {
    remote-servers {
        syslogA {
            host 192.168.1.1
        }
        syslogB {
            host 192.168.2.1
        }
    }
}


Cheers


Yes, correct!!


Could you share your pattern that you’re matching on for the F5 devices?  


syslogPatternF5_SPGI = ```
list sys syslog {host:string}
network {network:string}
```;

getF5Servers(device) =
  foreach match in blockMatches(device.files.config, syslogPatternF5_SPGI)
  select { serverIP: match.data.network };

foreach device in network.devices
where device.platform.os == OS.F5
select {
  device: device.name,
  vendor: device.platform.vendor,
  Tags: device.tagNames,
  servers: if device.platform.os == OS.F5
           then (foreach server in getF5Servers(device)
                 select server.serverIP)
           else ["none"]
}

This is what I am currently using.


I think "list sys syslog remote-servers" is the command you need to issue, maybe as a custom command. It isn't the pattern you want to be matching on, which I think should be more like:

syslogPatternF5_SPGI = ```
sys syslog
remote-servers
{host:string}
host {syslogIp:string}
```;


syslogPatternF5 = ```
sys syslog
remote-servers
{host:string}
host {syslogIp:string}
```;

getF5Servers(device) =
  foreach match in blockMatches(device.files.config, syslogPatternF5)
  select { serverIP: match.data.syslogIp };

foreach device in network.devices
where device.platform.os == OS.F5
select {
  device: device.name,
  vendor: device.platform.vendor,
  Tags: device.tagNames,
  servers: if device.platform.os == OS.F5
           then (foreach server in getF5Servers(device)
                 select server.serverIP)
           else ["none"]
}

I am currently using this entire script, but it is still not retrieving the syslog server IP in the output. Are any further modifications needed to get output from this NQE Query?


It's sorted, thanks @Mullers for your help.


Ah!    Good news - what was the issue?


pattern = ```
sys syslog
remote-servers
{host:string}
host {syslogIp:string}
```;

getServers(device) =
  foreach command in device.outputs.commands
  where command.commandText == "list sys syslog"
  // strip the tmsh braces, then re-parse the text as F5 config blocks so
  // that blockMatches can be applied to the custom command output
  let filtered_response = replace(replace(command.response, "{", ""), "}", "")
  let blocks = parseConfigBlocks(OS.F5, filtered_response)
  foreach match in blockMatches(blocks, pattern)
  select { server1: match.data.syslogIp };

foreach device in network.devices
let snapshotInfo = device.snapshotInfo
where device.platform.os == OS.F5
select {
  device: device.name,
  "IP Address": snapshotInfo.collectionIp,
  os: device.platform.os,
  Tags: device.tagNames,
  // max(...) picks a single record, so only one remote server is reported
  // even when several are configured
  server1: max(getServers(device))?.server1
}

I am currently using this method, which has been successfully generating data for me. Although I have not yet identified the issue with the previous method, my main priority is to achieve results. Consequently, I opted to try this approach, and it has worked effectively.
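
The following is an added example, not code from this thread or from Forward Networks. It pulls together the patterns that were confirmed above (the "logging host"/"logging server" config matches from the first answer and the brace-stripped "list sys syslog" custom command from the last post) into one query that answers the original question: every device, its syslog servers, and an explicit syslogEnabled flag. It runs all patterns on every device instead of branching per vendor, since a pattern that does not apply to a platform simply matches nothing. Assumptions not confirmed on the page: OS.IOS and OS.NXOS are the enum values for classic IOS and NX-OS, the F5 custom command is collected with the exact text "list sys syslog", and a nested foreach over a list of lists flattens it the same way it does over network.devices and device.interfaces.

````nqe
// Added example, not code from this thread or from Forward Networks.
// Reports every device with its syslog servers and a syslogEnabled flag.
//
// Assumptions (not confirmed on the page): OS.IOS and OS.NXOS are the enum
// values for classic IOS and NX-OS, the F5 custom command text is exactly
// "list sys syslog", and a nested foreach flattens a list of lists.

// IOS, IOS XE and Arista EOS: "logging host <ip>"
loggingHostPattern = ```
logging host {server:string}
```;

// NX-OS: "logging server <ip>"
loggingServerPattern = ```
logging server {server:string}
```;

// F5 tmsh output of "list sys syslog", after the braces are stripped and the
// text is re-parsed as F5 config blocks (the method from the last post)
f5SyslogPattern = ```
sys syslog
remote-servers
{name:string}
host {server:string}
```;

loggingHostServers(device) =
  foreach match in blockMatches(device.files.config, loggingHostPattern)
  select match.data.server;

loggingServerServers(device) =
  foreach match in blockMatches(device.files.config, loggingServerPattern)
  select match.data.server;

f5Servers(device) =
  foreach command in device.outputs.commands
  where command.commandText == "list sys syslog"
  let stripped = replace(replace(command.response, "{", ""), "}", "")
  let blocks = parseConfigBlocks(OS.F5, stripped)
  foreach match in blockMatches(blocks, f5SyslogPattern)
  select match.data.server;

// Union of all three sources. A pattern that does not apply to a platform
// matches nothing, so no per-vendor branching is needed.
syslogServers(device) =
  foreach serverList in [loggingHostServers(device),
                         loggingServerServers(device),
                         f5Servers(device)]
  foreach server in serverList
  select server;

// Platforms this query has a pattern for. syslogEnabled == false is only
// meaningful where this is true; elsewhere it just means "no pattern yet".
platformCovered(device) =
  device.platform.os == OS.IOS ||
  device.platform.os == OS.IOS_XE ||
  device.platform.os == OS.NXOS ||
  device.platform.os == OS.ARISTA_EOS ||
  device.platform.os == OS.F5;

foreach device in network.devices
let servers = syslogServers(device)
select {
  device: device.name,
  vendor: device.platform.vendor,
  os: device.platform.os,
  platformCovered: platformCovered(device),
  syslogEnabled: length(servers) > 0,
  servers: servers
}
````

To get the two separate lists the first post asks for, add a where clause between the let and the select: `where length(servers) > 0` for devices with syslog, and `where length(servers) == 0 && platformCovered(device)` for devices without it. The platformCovered check matters: a Fortinet or Juniper device would otherwise show up as "no syslog" only because no pattern has been written for it yet, and that is the list a reviewer would take as a finding.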

