diff --git a/package/etc/conf.d/filters/cisco/ucm.conf b/package/etc/conf.d/filters/cisco/ucm.conf index 8c08664..a1e751d 100644 --- a/package/etc/conf.d/filters/cisco/ucm.conf +++ b/package/etc/conf.d/filters/cisco/ucm.conf @@ -10,4 +10,23 @@ filter f_cisco_ucm_message { '^(<\d{1,3}>)\d*: (?:([^:]+): )?(.*) : (%.*)' flags(store-matches) ); -}; \ No newline at end of file +}; + +parser p_cisco_ucm_date { + #Oct 14 2015 05:50:19 AM.484 UTC + #Apr 21 19:01:35.638 UTC + date-parser(format( + '%b %d %Y %I:%M:%S %p.%f %Z', + '%b %d %H:%M:%S.%f %Z' + ) + template("$3")); +}; + +rewrite r_cisco_ucm_message { + set("cisco_ucm" value("fields.sc4s_syslog_format")); + set("cisco_ucm" value("fields.sc4s_vendor_product")); + set("$HOST_FROM" value("HOST") ); + set("$2" value("HOST") condition(match("^..." template("${2}"))) ); + set("$4" value("MESSAGE")); +}; + diff --git a/package/etc/go_templates/source_network.t b/package/etc/go_templates/source_network.t index 6eea6df..1e4b488 100644 --- a/package/etc/go_templates/source_network.t +++ b/package/etc/go_templates/source_network.t @@ -89,22 +89,8 @@ source s_{{ .port_id }} { parser (p_cisco_meraki); rewrite(set_rfc5424_epochtime); {{ else if eq .parser "cisco_ucm" }} - parser { - #Oct 14 2015 05:50:19 AM.484 UTC - #Apr 21 19:01:35.638 UTC - date-parser(format( - '%b %d %Y %I:%M:%S %p.%f %Z', - '%b %d %H:%M:%S.%f %Z' - ) - template("$3")); - }; - rewrite { - set("cisco_ucm" value("fields.sc4s_syslog_format")); - set("cisco_ucm" value("fields.sc4s_vendor_product")); - set("$HOST_FROM" value("HOST") ); - set("$2" value("HOST") condition(match("^..." template("${2}"))) ); - set("$4" value("MESSAGE")); - }; + parser (p_cisco_ucm_date); + rewrite (r_cisco_ucm_message); {{ else if eq .parser "no_parse" }} rewrite(set_no_parse); {{ else }} @@ -119,22 +105,8 @@ source s_{{ .port_id }} { rewrite(set_rfc5424_epochtime); } elif { filter(f_cisco_ucm_message); - parser { - #Oct 14 2015 05:50:19 AM.484 UTC - #Apr 21 19:01:35.638 UTC - date-parser(format( - '%b %d %Y %I:%M:%S %p.%f %Z', - '%b %d %H:%M:%S.%f %Z' - ) - template("$3")); - }; - rewrite { - set("cisco_ucm" value("fields.sc4s_syslog_format")); - set("cisco_ucm" value("fields.sc4s_vendor_product")); - set("$HOST_FROM" value("HOST") ); - set("$2" value("HOST") condition(match("^..." template("${2}"))) ); - set("$4" value("MESSAGE")); - }; + parser (p_cisco_ucm_date); + rewrite (r_cisco_ucm_message); } elif { filter(f_rfc3164_version); rewrite(set_rfc3164_no_version_string);