Description
Cisco IOS devices can embed an RFC 5424-style structured data block in otherwise RFC 3164-formatted syslog messages when the logging host is configured with the session options (`session-id` and/or `sequence-num-session`).
The RFC 3164 parser does not currently support this.
Current Status
PR #22 added support for:
✅ Syslog message counter (<189>237:)
✅ Service sequence number (000485:)
✅ Plain hostname field (unverified because no test data available)
However, it does not support the structured data block that Cisco inserts when either of these logging host options is configured:
logging host 10.0.0.10 session-id {hostname | ipv4 | ipv6 | string <text>}
logging host 10.0.0.10 sequence-num-session
My understanding is that when these options are configured, Cisco sends messages in this format:
<PRI>msgcount: [syslog@9 s_sn="X" s_id="Y"]: [sequence:] timestamp: message
The structured data block appears between the message counter and the service sequence number, not at the end of the message as in RFC 5424. The SD-ID is `syslog@9`; 9 is Cisco's IANA private enterprise number, so the block follows the RFC 5424 `name@enterpriseNumber` convention for vendor-defined SD-IDs.
Real-World Examples
From packet captures in PR #22 discussion:
<189>98: [syslog@9 s_sn="9"]: *Jan 1 2006 23:15:29.365: %SYS-6-LOGGINGHOST_STARTSTOP: ...
<189>102: [syslog@9 s_id="testswitch:514"]: *Jan 1 2006 23:16:34.813: %SYS-6-LOGGINGHOST_STARTSTOP: ...
<189>111: [syslog@9 s_sn="22" s_id="0.0.0.0:514"]: 000107: *Jan 1 2006 23:18:01.098: %SYS-5-CONFIG_I: ...
The last line is telling a lot...
When it encounters the structured data block, the parser fails:
Error: expecting a hostname (from 1 to max 255 US-ASCII characters) [col 19]
The parser successfully parses the message counter, skips the optional service sequence number (it sees `[` instead of digits), and then fails when it tries to parse `[syslog@9 ...` as a hostname.
Proposed Implementation
To support this feature, the Ragel grammar would need to:
- Add structured data parsing between msgcount and sequence
- Parse the RFC 5424 structured data format: [SD-ID param="value" ...]
- Extract the common parameters: s_sn → session sequence number (added by sequence-num-session), s_id → session ID (added by session-id; hostname:port or IP:port)
Updated grammar order would be (the square brackets around structured_data are literal; structured_data, sequence and hostname are each optional):
<PRI> msgcount: [structured_data]: sequence: hostname: timestamp: message
This is a significant enhancement that would require:
- Ragel grammar restructuring to handle structured data in the middle position
- New fields in the SyslogMessage struct for session data
- Comprehensive test coverage for the various combinations (with/without structured data, sequence number and hostname)
- Distinguishing between a plain hostname field and a hostname carried inside the structured data (s_id)
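To make the proposed grammar order concrete, here is a small hand-written Go parser for the `<PRI>msgcount: [structured_data]: sequence: timestamp: message` layout. This is an added example written for this issue, not code from the project and not its Ragel grammar: the `CiscoMessage` type, the function names and the message text after each mnemonic are this example's own (the sample lines are constructed from the captures quoted above; the optional plain hostname field from PR #22 is not handled here). It parses the SD element with RFC 5424 escaping (`\"`, `\]`, `\\`) rather than a regex, because `]` and `"` are legal inside a PARAM-VALUE when escaped, and it splits the Cisco timestamp from the message on `": %"` because the timestamp itself contains colons.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// CiscoMessage holds the fields this example extracts from one Cisco IOS
// syslog line in the "<PRI>msgcount: [SD]: sequence: timestamp: message"
// layout. The type and field names are this example's own, not the project's.
type CiscoMessage struct {
	Priority   int
	MsgCount   int
	SDID       string            // e.g. "syslog@9"; empty when no block is present
	SDParams   map[string]string // every SD-PARAM found, e.g. s_sn, s_id
	SessionSeq string            // s_sn
	SessionID  string            // s_id (hostname:port or IP:port)
	Sequence   string            // service sequence number, kept zero-padded ("000107")
	Timestamp  string            // raw Cisco timestamp, e.g. "*Jan 1 2006 23:18:01.098"
	Message    string            // "%FACILITY-SEVERITY-MNEMONIC: text"
}

// takeNumber consumes "digits: " from the front of s and returns the digits.
func takeNumber(s string) (digits, rest string, ok bool) {
	i := 0
	for i < len(s) && s[i] >= '0' && s[i] <= '9' {
		i++
	}
	if i == 0 || !strings.HasPrefix(s[i:], ": ") {
		return "", s, false
	}
	return s[:i], s[i+2:], true
}

// sdEnd returns the index of the first ']' that is not backslash-escaped
// (RFC 5424 escapes '"', '\' and ']' inside a PARAM-VALUE), or -1.
func sdEnd(s string) int {
	for i := 0; i < len(s); i++ {
		if s[i] == '\\' {
			i++ // skip the escaped byte
		} else if s[i] == ']' {
			return i
		}
	}
	return -1
}

// parseSDElement parses `[SD-ID name="value" ...]` into the SD-ID and its
// parameters, unescaping \" \] and \\ inside values.
func parseSDElement(s string) (string, map[string]string, error) {
	if len(s) < 2 || s[0] != '[' || s[len(s)-1] != ']' {
		return "", nil, errors.New("structured data must be enclosed in [ ]")
	}
	body := s[1 : len(s)-1]
	sdID, rest := body, ""
	if i := strings.IndexByte(body, ' '); i >= 0 {
		sdID, rest = body[:i], body[i+1:]
	}
	if sdID == "" {
		return "", nil, errors.New("empty SD-ID")
	}
	params := map[string]string{}
	for {
		rest = strings.TrimLeft(rest, " ")
		if rest == "" {
			return sdID, params, nil
		}
		eq := strings.IndexByte(rest, '=')
		if eq <= 0 || eq+1 >= len(rest) || rest[eq+1] != '"' {
			return "", nil, fmt.Errorf("malformed SD-PARAM near %q", rest)
		}
		name := rest[:eq]
		var val strings.Builder
		i, closed := eq+2, false
		for i < len(rest) && !closed {
			c := rest[i]
			if c == '\\' && i+1 < len(rest) {
				val.WriteByte(rest[i+1]) // escaped '"', ']' or '\'
				i += 2
			} else if c == '"' {
				closed = true
				i++
			} else {
				val.WriteByte(c)
				i++
			}
		}
		if !closed {
			return "", nil, fmt.Errorf("unterminated value for SD-PARAM %q", name)
		}
		params[name] = val.String()
		rest = rest[i:]
	}
}

// ParseCiscoLine parses one line in the layout described in this issue.
func ParseCiscoLine(line string) (*CiscoMessage, error) {
	m := &CiscoMessage{SDParams: map[string]string{}}
	gt := strings.IndexByte(line, '>')
	if !strings.HasPrefix(line, "<") || gt < 2 || gt > 4 {
		return nil, errors.New("missing <PRI>")
	}
	pri, err := strconv.Atoi(line[1:gt])
	if err != nil || pri < 0 || pri > 191 {
		return nil, errors.New("invalid PRI")
	}
	m.Priority = pri
	rest := line[gt+1:]

	// The message counter is mandatory in this layout.
	count, rest, ok := takeNumber(rest)
	if !ok {
		return nil, errors.New("expected message counter")
	}
	m.MsgCount, _ = strconv.Atoi(count)

	// The structured data block sits here, between the counter and the
	// service sequence number: the position the RFC 3164 parser rejects.
	if strings.HasPrefix(rest, "[") {
		end := sdEnd(rest)
		if end < 0 || !strings.HasPrefix(rest[end+1:], ": ") {
			return nil, errors.New("unterminated structured data block")
		}
		sdID, params, err := parseSDElement(rest[:end+1])
		if err != nil {
			return nil, err
		}
		m.SDID, m.SDParams = sdID, params
		m.SessionSeq, m.SessionID = params["s_sn"], params["s_id"]
		rest = rest[end+3:]
	}

	// Optional zero-padded service sequence number ("000107: ").
	if seq, r, ok := takeNumber(rest); ok {
		m.Sequence, rest = seq, r
	}

	// The Cisco timestamp contains ':' itself, so split where the
	// %FACILITY-SEVERITY-MNEMONIC message starts.
	if strings.HasPrefix(rest, "%") {
		m.Message = rest // no timestamp configured
		return m, nil
	}
	idx := strings.Index(rest, ": %")
	if idx < 0 {
		return nil, errors.New("expected timestamp followed by %-prefixed message")
	}
	m.Timestamp, m.Message = rest[:idx], rest[idx+2:]
	return m, nil
}

func main() {
	// Constructed sample lines modelled on the captures quoted in this issue;
	// the text after each mnemonic is made up for the example.
	lines := []string{
		`<189>98: [syslog@9 s_sn="9"]: *Jan 1 2006 23:15:29.365: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.10 port 514 started`,
		`<189>111: [syslog@9 s_sn="22" s_id="0.0.0.0:514"]: 000107: *Jan 1 2006 23:18:01.098: %SYS-5-CONFIG_I: Configured from console by console`,
		`<189>237: 000485: *Jan 1 2006 23:20:00.000: %SYS-5-CONFIG_I: Configured from console by console`,
	}
	for _, l := range lines {
		m, err := ParseCiscoLine(l)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("count=%d sd=%q s_sn=%q s_id=%q seq=%q ts=%q msg=%q\n",
			m.MsgCount, m.SDID, m.SessionSeq, m.SessionID, m.Sequence, m.Timestamp, m.Message)
	}
}
```

The third sample line (counter and sequence number, no structured data) is the case PR #22 already handles, so the same function covers both the current and the proposed layouts; that is the shape the Ragel grammar would need, with the `[` after the counter selecting the structured data branch before the optional sequence number is tried.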
References
- Cisco documentation: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/esm/command/esm-cr-book/esm-cr-a1.html (search for session-id)
- Packet captures showing structured data, attached to PR #22 "feat(rfc3164): extend RFC3164 parser to support Cisco IOS logs": dump.zip
Priority
Low.
This is an enhancement for additional Cisco logging options. The core Cisco IOS support (message counter and service sequence number) works without it; only messages from hosts configured with session-id or sequence-num-session fail to parse.