<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Hi,<br>
<br>
d lists wrote:
<blockquote
cite="mid:7383823e1003251931n5aa49a12taa8db60fd56ca461@mail.gmail.com"
type="cite">
<pre wrap="">On Thu, Mar 25, 2010 at 6:59 PM, Patrick H. <a class="moz-txt-link-rfc2396E" href="mailto:syslogng@feystorm.net"><syslogng@feystorm.net></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Try adding the 'no-parse' flag to the source. Syslog-ng tries to parse out
the headers of the message (like date/time, host, facility, etc), and if it
cant figure out the format of the headers, it drops the message. The
no-parse causes the entire message (headers and all if they exist) to get
shoved into the message contents, and it generates new default headers.
So
source t_net { tcp(ip(X.X.X.5) port(2002) keep-alive(yes) ); };
will become
source t_net { tcp(ip(X.X.X.5) port(2002) keep-alive(yes)
flags('no-parse')); };
</pre>
</blockquote>
<pre wrap=""><!---->
Tried that, no change. I've discovered what I think the problem is
though: The cisco isn't including a LF at the end of each syslog
message. </pre>
</blockquote>
reducing the flush_timeout() may solve it (but it is just my idea).<br>
<blockquote
cite="mid:7383823e1003251931n5aa49a12taa8db60fd56ca461@mail.gmail.com"
type="cite">
<pre wrap="">If I force the router to send enough messages, a buffer must
fill up & I get all the messages at once in a very unreadable format:
Mar 25 20:28:20 10.240.0.254 <189>461: *Mar 26 02:45:22.244:
%SYS-5-CONFIG_I: Configured from console by console<190>462: *Mar 26
02:45:28.244: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.240.0.5
port 2002 started - reconnection<189>463: *Mar 26 02:45:35.336:
%SYS-5-CONFIG_I: Configured from console by console<189>464: *Mar 26
02:45:35.352: %SYS-5-CONFIG_I: Configured from console by
console<189>465: *Mar 26 02:45:35.372: %SYS-5-CONFIG_I: Configured
from console by console<189>...(repeat another 50 times at least)
</pre>
</blockquote>
<br>
At the moment, this kind of CISCO log's format is not supported by
syslog-ng, because it's not syslog format (here is a sequence number
instead of date). However, we are planning to solve it soon (perhaps in
v3.2).<br>
<br>
Until then, I recommend that you should turn off using the
sequence-number on CISCO router. You can do it with the following
command: "no service sequence-numbers" (to turn on: "service
sequence-numbers").<br>
<br>
<br>
<blockquote
cite="mid:7383823e1003251931n5aa49a12taa8db60fd56ca461@mail.gmail.com"
type="cite">
<pre wrap="">
I found a thread for another piece of syslog software that encountered
the same issue:
<a class="moz-txt-link-freetext" href="http://www.gossamer-threads.com/lists/rsyslog/users/1204">http://www.gossamer-threads.com/lists/rsyslog/users/1204</a>
I take it from the lack of people noticing this that there aren't too
many people using TCP to gather syslog from Cisco routers. If anyone
has some suggestions on possible solutions (outside of opening a TAC
case with cisco - which I plan on doing), I am all ears.
Thanks for the quick response! Time to read some more documentation.
</pre>
<blockquote type="cite">
<pre wrap="">If the message does actually have headers, just syslog-ng cant understand
them, you can use rewrite rules and 'set' statements to parse out the
headers and set them manually.
Sent: Thursday, March 25, 2010 5:31:15 PM
From: d lists <a class="moz-txt-link-rfc2396E" href="mailto:dlists95@gmail.com"><dlists95@gmail.com></a>
To: <a class="moz-txt-link-abbreviated" href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>
Subject: [syslog-ng] 3.0.5 & Cisco TCP problems
Hello,
After spending the afternoon trying to get this working, I've decided
to reach out for some help (tried google - no luck!).
</pre>
</blockquote>
<pre wrap=""><!----><snip>
______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
pzolee
</pre>
</body>
</html>