Another option is to use syslog-ng's extensive rewrite capabilities to modify Prime's not-very-standard syslog. Here is my solution for the rewrite statement in syslog-ng. It modifies the logs by putting the text within the first [] in the program field and also removes the extra timestamp that causes trouble when the line is processed as a syslog message. After this, Splunk can process some parts, and I'm sure additional fields can be extracted if someone knows what is interesting and what is not.
rewrite r_cisco_prime {
    # Strip the extra timestamp (and the word that follows it) from the message body.
    # Single quotes keep the backslashes literal for the PCRE engine.
    subst('\d*:\d*:\d*\.\d*.\w*',
          "",
          value("MESSAGE"),
          type(pcre),
          flags(ignore-case));
    # Drop the first opening bracket so the bracketed component name starts the message.
    subst('\[',
          "",
          value("MESSAGE"),
          type(pcre));
    # Cut the first word out of MESSAGE; \w+ rather than \w* so $0 can never be an empty match.
    subst('\w+',
          "",
          value("MESSAGE"),
          type(pcre));
    # $0 holds the text matched by the previous subst(); make it the program name.
    set("${0}", value("PROGRAM"));
    # Remove a closing bracket if one ended up in PROGRAM.
    subst('\]',
          "",
          value("PROGRAM"),
          type(pcre));
};
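To see what the rewrite above actually produces before committing it to a syslog-ng config, the following Python replays the same four steps over a constructed message. This is an added example, not code from the original post or from syslog-ng; the sample message (a Prime-style timestamp, a level word, then a bracketed component) is an assumption about Prime's format, and the first-word pattern uses \w+ so the captured text cannot be an empty match.

```python
import re

# Constructed sample of what syslog-ng's ${MESSAGE} might hold for a Cisco Prime
# event. The exact Prime layout is assumed here, not taken from the original post.
SAMPLE_MESSAGE = "14:02:33.481 INFO [InventoryService] Device discovery completed for 10.0.0.5"

# Same patterns, in the same order, as the syslog-ng rewrite block.
TIMESTAMP_RE = re.compile(r"\d*:\d*:\d*\.\d*.\w*", re.IGNORECASE)  # subst #1, flags(ignore-case)
OPEN_BRACKET_RE = re.compile(r"\[")                                  # subst #2
FIRST_WORD_RE = re.compile(r"\w+")                                   # subst #3 (\w+ so $0 is never empty)
CLOSE_BRACKET_RE = re.compile(r"\]")                                 # subst #4, applied to PROGRAM


def rewrite_prime(message: str) -> dict:
    """Replay the rewrite steps and return the resulting PROGRAM and MESSAGE fields."""
    # subst #1: remove the extra timestamp. count=1 mirrors syslog-ng's default of
    # replacing only the first match (no flags(global)).
    message = TIMESTAMP_RE.sub("", message, count=1)
    # subst #2: remove the first '['.
    message = OPEN_BRACKET_RE.sub("", message, count=1)
    # subst #3: cut the first word out of MESSAGE; the matched text is what $0 holds.
    match = FIRST_WORD_RE.search(message)
    program = match.group(0) if match else ""
    message = FIRST_WORD_RE.sub("", message, count=1)
    # set("${0}", value("PROGRAM")) followed by subst #4 on PROGRAM.
    program = CLOSE_BRACKET_RE.sub("", program, count=1)
    return {"PROGRAM": program, "MESSAGE": message}


def rewrite_many(messages: list[str]) -> list[dict]:
    """Apply the rewrite to a batch of message bodies, e.g. lines read from a test file."""
    return [rewrite_prime(m) for m in messages]


if __name__ == "__main__":
    for fields in rewrite_many([SAMPLE_MESSAGE, "[Audit] login ok"]):
        print(fields)
```

Running it shows the program field becomes InventoryService while the message body keeps a leading " ]", because the fourth subst() runs against PROGRAM rather than MESSAGE; if that stray bracket matters downstream, a further subst on MESSAGE is the place to handle it.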