<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#0050d0">
<font size="-1"><font face="Helvetica, Arial, sans-serif">If I recall
correctly its because cisco equipment doesnt terminate its log entries
with newlines, so when sending via TCP, syslog-ng thinks the message is
going to be continued in another packet (UDP is assumed to be 1 packet
per log entry).<br>
The only way to fix this is an ugly hack to set the timeout so that
when it doesnt get a reply within a certain time, it assumes the log
entry ended. but if several log entries are sent within the timeout,
then they'll all be mashed together into 1 syslog-ng entry.<br>
<br>
</font></font><br>
Sent: Tuesday, August 17, 2010 12:28:28 PM<br>
From: Clayton Dukes <a class="moz-txt-link-rfc2396E" href="mailto:cdukes@gmail.com"><cdukes@gmail.com></a><br>
To: Syslog-ng users' and developers' mailing list
<a class="moz-txt-link-rfc2396E" href="mailto:syslog-ng@lists.balabit.hu"><syslog-ng@lists.balabit.hu></a> <br>
Subject: [syslog-ng] TCP recv bug in syslog-ng v2.09?
<blockquote
cite="mid:AANLkTi=4aGY73KMju1txvn2taetd3uWKP2SvVA01Cp-1@mail.gmail.com"
type="cite">Hey guys,
<div>Are there any known bugs for syslog-ng v2.09 that won't allow a
cisco router to send logs over tcp?</div>
<div>I can see a connection established in syslog-ng.</div>
<div>I also see the message come in via tcpdump, but nothing in
syslog-ng's output.</div>
<div>If I change the router from tcp to udp, messages come in as
expected.</div>
<div><br>
</div>
<div><b>Router config:</b></div>
<div><br>
</div>
<div>logging source-interface Loopback0 </div>
<div>logging <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C172.18.224.150;majoshi@cisco.com"
target="_self">172.18.224.150</a> </div>
<div>logging host <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C172.18.224.190;majoshi@cisco.com"
target="_self">172.18.224.190</a> transport tcp</div>
<div class="right"><br>
</div>
<div class="right"><br>
</div>
<div><b>syslog-ng config:</b></div>
<div><br>
</div>
<div>
<div>source s_all {</div>
<div> udp();</div>
<div> tcp(ip(11.31.130.99) port(8002) max-connections(300));</div>
<div> tcp(ip(172.18.224.190) port(601) max-connections(300));</div>
<div>};</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div><b>debug output:</b></div>
<div>I commented out the line above for the other interface
(11.31.130.99), restarted and this is all I see:</div>
<div>Syslog connection accepted; from='AF_INET<a
moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C%2814.3.23.50;majoshi@cisco.com"
target="_self">(14.3.23.50</a>:63845)', to='AF_INET<a
moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C%28172.18.224.190;majoshi@cisco.com"
target="_self">(172.18.224.190</a>:601)'<br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><b>tcpdump:</b></div>
<div><br>
</div>
<div>
<div>14:13:46.914566 IP (tos 0x0, ttl 251, id 4303, offset 0, flags
[none], proto TCP (6), length 134)</div>
<div> 14.3.23.50.63845 > xxx.com.601: Flags [.], seq 230:324,
ack 1, win 4128, length 94</div>
<div><br>
</div>
<div><br>
</div>
<div><b>Router debug:</b></div>
<div><br>
</div>
<div>*Aug <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C17%2017;majoshi@cisco.com" target="_self">17
17</a>:34:19<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C.772;majoshi@cisco.com" target="_self">.772</a>:
%SYS<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C-5-;majoshi@cisco.com" target="_self">-5-</a>CONFIG_I:
Configured from console by pnoc on vty<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title=""
href="tricon:40,-1%7C0%20%28172.18.224.151%29;majoshi@cisco.com"
target="_self">0 (172.18.224.151)</a> </div>
<div>*Aug <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C17%2017;majoshi@cisco.com" target="_self">17
17</a>:34:20<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C.776;majoshi@cisco.com" target="_self">.776</a>:
Released port <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C15205;majoshi@cisco.com" target="_self">15205</a>
in Transport Port Agent for TCP IP type 1 delay <a
moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C240000;majoshi@cisco.com" target="_self">240000</a> </div>
<div>*Aug <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C17%2017;majoshi@cisco.com" target="_self">17
17</a>:34:20<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C.776;majoshi@cisco.com" target="_self">.776</a>:
TCB 0x<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C850;majoshi@cisco.com" target="_self">850</a>F<a
moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C9754;majoshi@cisco.com" target="_self">9754</a>
destroyed </div>
<div>*Aug <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C17%2017;majoshi@cisco.com" target="_self">17
17</a>:34:25<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C.775;majoshi@cisco.com" target="_self">.775</a>:
TCB<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C83648;majoshi@cisco.com" target="_self">83648</a>E60
created </div>
<div>*Aug <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C17%2017;majoshi@cisco.com" target="_self">17
17</a>:34:25<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C.775;majoshi@cisco.com" target="_self">.775</a>:
TCB<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C83648;majoshi@cisco.com" target="_self">83648</a>E60
setting property TCP_PID <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C%288%29%20845083;majoshi@cisco.com"
target="_self">(8) 845083</a>E4</div>
<div>*Aug <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C17%2017;majoshi@cisco.com" target="_self">17
17</a>:34:25<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C.775;majoshi@cisco.com" target="_self">.775</a>:
TCB<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C83648;majoshi@cisco.com" target="_self">83648</a>E60
setting property TCP_NO_DELAY <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C%281%29%20845083;majoshi@cisco.com"
target="_self">(1) 845083</a>E8</div>
<div>*Aug <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C17%2017;majoshi@cisco.com" target="_self">17
17</a>:34:25<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C.775;majoshi@cisco.com" target="_self">.775</a>:
TCB<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C83648;majoshi@cisco.com" target="_self">83648</a>E60
setting property TCP keepalive timeout <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C%2817%29%20845084;majoshi@cisco.com"
target="_self">(17) 845084</a>A0 </div>
<div>*Aug <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C17%2017;majoshi@cisco.com" target="_self">17
17</a>:34:25<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C.775;majoshi@cisco.com" target="_self">.775</a>:
TCP: Random local port generated <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C63845;majoshi@cisco.com" target="_self">63845</a>,
network 1 </div>
<div>*Aug <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C17%2017;majoshi@cisco.com" target="_self">17
17</a>:34:25<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C.775;majoshi@cisco.com" target="_self">.775</a>:
TCB<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C83648;majoshi@cisco.com" target="_self">83648</a>E60
bound to <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C14.3.23.50.63845;majoshi@cisco.com"
target="_self">14.3.23.50.63845</a> </div>
<div>*Aug <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C17%2017;majoshi@cisco.com" target="_self">17
17</a>:34:25<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C.775;majoshi@cisco.com" target="_self">.775</a>:
Reserved port <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C63845;majoshi@cisco.com" target="_self">63845</a>
in Transport Port Agent for TCP IP type 1 </div>
<div>*Aug <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C17%2017;majoshi@cisco.com" target="_self">17
17</a>:34:25<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C.775;majoshi@cisco.com" target="_self">.775</a>:
TCP: sending SYN, seq <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C3300233565;majoshi@cisco.com"
target="_self">3300233565</a>, ack 0 </div>
<div>*Aug <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C17%2017;majoshi@cisco.com" target="_self">17
17</a>:34:25<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C.775;majoshi@cisco.com" target="_self">.775</a>:
TCP0: Connection to <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C172.18.224.190;majoshi@cisco.com"
target="_self">172.18.224.190</a>:601, advertising MSS <a
moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C536;majoshi@cisco.com" target="_self">536</a> </div>
<div>*Aug <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C17%2017;majoshi@cisco.com" target="_self">17
17</a>:34:25<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C.775;majoshi@cisco.com" target="_self">.775</a>:
TCP0: state was CLOSED -> SYNSENT [<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C63845%20-;majoshi@cisco.com"
target="_self">63845 -</a>> <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title=""
href="tricon:40,-1%7C172.18.224.190%28601%29;majoshi@cisco.com"
target="_self">172.18.224.190(601)</a>] </div>
<div>*Aug <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C17%2017;majoshi@cisco.com" target="_self">17
17</a>:34:25<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C.779;majoshi@cisco.com" target="_self">.779</a>:
TCP0: state was SYNSENT -> ESTAB [<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C63845%20-;majoshi@cisco.com"
target="_self">63845 -</a>> <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title=""
href="tricon:40,-1%7C172.18.224.190%28601%29;majoshi@cisco.com"
target="_self">172.18.224.190(601)</a>] </div>
<div>*Aug <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C17%2017;majoshi@cisco.com" target="_self">17
17</a>:34:25<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C.779;majoshi@cisco.com" target="_self">.779</a>:
TCP: tcb <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C83648;majoshi@cisco.com" target="_self">83648</a>E60
connection to <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C172.18.224.190;majoshi@cisco.com"
target="_self">172.18.224.190</a>:601, peer MSS <a
moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C1460;majoshi@cisco.com" target="_self">1460</a>,
MSS is <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C536;majoshi@cisco.com" target="_self">536</a> </div>
<div>*Aug <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C17%2017;majoshi@cisco.com" target="_self">17
17</a>:34:25<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C.779;majoshi@cisco.com" target="_self">.779</a>:
TCB<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C83648;majoshi@cisco.com" target="_self">83648</a>E60
connected to <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C172.18.224.190.601;majoshi@cisco.com"
target="_self">172.18.224.190.601</a> </div>
<div>*Aug <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C17%2017;majoshi@cisco.com" target="_self">17
17</a>:34:25<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C.779;majoshi@cisco.com" target="_self">.779</a>:
%SYS<a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C-6-;majoshi@cisco.com" target="_self">-6-</a>LOGGINGHOST_STARTSTOP:
Logging to host <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C172.18.224.190;majoshi@cisco.com"
target="_self">172.18.224.190</a> port <a moz-do-not-send="true"
style="border-bottom: 1px solid; color: rgb(0, 102, 204); text-decoration: none;"
title="" href="tricon:40,-1%7C601;majoshi@cisco.com" target="_self">601</a>
started - reconnection<br>
</div>
<div><br>
</div>
______________________________________________________________ <br>
<br>
Clayton Dukes<br>
______________________________________________________________<br>
</div>
<pre wrap="">
<hr size="4" width="90%">
______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
</body>
</html>