<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#0050d0">
<font size="-1"><font face="Helvetica, Arial, sans-serif">I doubt this
is classified as a bug. If you simply need help, the mailing list is
more appropriate. <br>
Anyway, doing<br>
<font color="#990000">destination d_whatever {<br>
tcp('172.16.32.225' template("<$PRI>$MONTH_ABBREV $DAY $YEAR
$HOUR:$MIN:$SEC: $MSGHDR $MSGONLY"));<br>
};</font><br>
might get you what you want.<br>
</font></font><br>
Sent: Wednesday, June 30, 2010 6:49:50 PM<br>
From: <a class="moz-txt-link-abbreviated" href="mailto:bugzilla@bugzilla.balabit.com">bugzilla@bugzilla.balabit.com</a><br>
To: <a class="moz-txt-link-abbreviated" href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a> <br>
Subject: [syslog-ng] [Bug 91] New: Cisco ASA log parsing issues
<blockquote cite="mid:bug-91-3@https.bugzilla.balabit.com%2F"
type="cite">
<pre wrap=""><a class="moz-txt-link-freetext" href="https://bugzilla.balabit.com/show_bug.cgi?id=91">https://bugzilla.balabit.com/show_bug.cgi?id=91</a>
Summary: Cisco ASA log parsing issues
Product: syslog-ng
Version: 3.1.x
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: unspecified
Component: syslog-ng
AssignedTo: <a class="moz-txt-link-abbreviated" href="mailto:bazsi@balabit.hu">bazsi@balabit.hu</a>
ReportedBy: <a class="moz-txt-link-abbreviated" href="mailto:jon@jonjames.net">jon@jonjames.net</a>
Type of the Report: bug
Estimated Hours: 0.0
Original LOG as seen by TCPDUMP
16:42:08.734684 IP 172.16.32.157.syslog > 172.16.32.172.syslog: SYSLOG local4.notice, length: 95
E..{.......^.. ... ......g<.<165>Jul 01 2010 00:32:59: %ASA-5-111001: Begin configuration: 172.16.16.154 writing to memory
After being relayed as seen by TCPDUMP
16:42:59.208826 IP 172.16.32.172.33753 > 172.16.32.225.syslog: SYSLOG local4.notice, length: 120
E...a.@.@.?... ... ........?<165>1 2010-07-01T00:33:50-04:00 172.16.32.157 %ASA-5-111001 - - - Begin configuration: 172.16.16.154 writing to memory
As you can see, syslog-ng appears to be messing with the datestamp and therefore the RSA envision device I'm relaying to does not recognize the log as being
from a cisco asa.
Is there a way to update the log parser in syslog to resolve this issue?
syslog-ng.conf (parts)
@version: 3.0
options {
time_sleep(30);
time_reap(30);
mark_freq(30);
dns_cache(yes);
use_fqdn(no);
keep_hostname(yes);
chain_hostnames(no);
use_dns(no);
dns_cache_size(250000);
dns_cache_expire(300);
dns_cache_expire_failed(300);
stats_freq(3600);
log_msg_size(10000);
};
source s_extranet {
udp(ip("172.16.32.172") port(514));
};
log {
source(s_extranet);
destination(d_syslog_udp);
};
destination d_syslog_udp {
syslog("172.16.32.225"
transport("udp") port(514));
};
</pre>
</blockquote>
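<p>Added example (not from the reply author or the syslog-ng project): a small Python model of the two relay formats on this page, the RFC 5424 layout the reporter's <tt>syslog()</tt> destination emits and the <tt>template()</tt> line the reply suggests, run against the ASA message from the bug report and checked against the header pattern an ASA-aware collector expects. Assumptions: macro expansion is modelled here rather than taken from syslog-ng (<tt>$MSGHDR</tt> is treated as <tt>PROGRAM[PID]:</tt> plus a trailing space, as documented), the timestamp is taken from the message itself rather than the receive time shown in the relayed packet, and the host and -04:00 offset are those on the page.</p>

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the Cisco ASA message from the bug report, as the ASA sends it.
ASA_LINE = ("<165>Jul 01 2010 00:32:59: %ASA-5-111001: "
            "Begin configuration: 172.16.16.154 writing to memory")

# Header shape an ASA-aware collector expects: <PRI>Mon DD YYYY HH:MM:SS: %ASA-sev-id: text
ASA_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{2}) (?P<year>\d{4}) "
                    r"(?P<time>\d{2}:\d{2}:\d{2}):\s+(?P<program>%ASA-\d-\d+):\s+(?P<msg>.*)$")

def parse_asa(line):
    """Split an ASA line into the fields syslog-ng would expose as macros."""
    m = ASA_RE.match(line)
    if not m:
        raise ValueError("not a Cisco ASA syslog line")
    pri = int(m["pri"])  # 165 -> facility 20 (local4), severity 5 (notice)
    stamp = datetime.strptime(f"{m['mon']} {m['day']} {m['year']} {m['time']}", "%b %d %Y %H:%M:%S")
    return {"pri": pri, "facility": pri // 8, "severity": pri % 8,
            "stamp": stamp, "program": m["program"], "msgonly": m["msg"]}

def macros(rec, host, utc_offset_hours):
    """Values for the macros used on this page. Assumption: $MSGHDR expands to
    'PROGRAM[PID]: ' with a trailing space, as syslog-ng documents it (no PID here)."""
    ts = rec["stamp"].replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return {"PRI": str(rec["pri"]), "MONTH_ABBREV": ts.strftime("%b"), "DAY": ts.strftime("%d"),
            "YEAR": ts.strftime("%Y"), "HOUR": ts.strftime("%H"), "MIN": ts.strftime("%M"),
            "SEC": ts.strftime("%S"), "ISODATE": ts.isoformat(), "HOST": host,
            "PROGRAM": rec["program"], "MSGHDR": rec["program"] + ": ", "MSGONLY": rec["msgonly"]}

def expand(template, values):
    """Expand $NAME macros the way a syslog-ng template() string does (page's macros only)."""
    return re.sub(r"\$([A-Z_]+)", lambda m: values[m.group(1)], template)

# Layout the reporter's syslog() destination emits (IETF RFC 5424), reconstructed from the page.
RFC5424_TEMPLATE = "<$PRI>1 $ISODATE $HOST $PROGRAM - - - $MSGONLY"
# The template the reply suggests for a tcp() destination.
REPLY_TEMPLATE = "<$PRI>$MONTH_ABBREV $DAY $YEAR $HOUR:$MIN:$SEC: $MSGHDR $MSGONLY"

def relay(line, template, host="172.16.32.157", utc_offset_hours=-4):
    return expand(template, macros(parse_asa(line), host, utc_offset_hours))

def downstream_accepts(line):
    return ASA_RE.match(line) is not None  # still recognisable as an ASA message?

if __name__ == "__main__":
    for name, tpl in (("syslog() driver", RFC5424_TEMPLATE), ("reply template", REPLY_TEMPLATE)):
        out = relay(ASA_LINE, tpl)
        print(f"{name}: accepted={downstream_accepts(out)}\n  {out}")
```

Because $MSGHDR already ends in a space, the reply's template yields two spaces before the message text; the pattern above tolerates that, but a stricter collector may not.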
</body>
</html>