<p dir="ltr">Hi,</p>
<p dir="ltr">What kind of patch is this? Does it patch syslog-ng or does it change the file? How does that work?</p>
<p dir="ltr">On the server side you can of course use filters to achieve the filtering you want, using something along the lines of:</p>
<p dir="ltr">filter f_brokencisco { not message("<regexp>"); };</p>
<p dir="ltr">And then attaching this filter to your logpath.</p>
<p dir="ltr">But it seems easier to fix the message earlier.</p>
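<p dir="ltr">As an added illustration that is not part of the original thread and not syslog-ng's own code, the Python below runs the two ideas above over the lines quoted in the message that follows: a keep/discard decision that plays the role of the "not message(regexp)" filter (the pattern is anchored to the end of the message, so only the truncated fragment is dropped while the concatenated line and everything else pass), and a hypothetical reimplementation of the concatenation the quoted message calls "the patch". The rule for recognising the second half (same host, sequence number one higher, no mnemonic of its own) and the fourth LINEPROTO sample line are assumptions, not something the thread states.</p>

```python
import re

# Record shape seen in the thread: "<timestamp> <host> <seq>: <message>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<seq>\d+): (?P<msg>.*)$"
)

# The truncated first half ends right after "Invalid MPLS label (1)"; anchoring
# to the end of the message is what separates it from the concatenated line.
TRUNCATED_RE = re.compile(r"%BGP-3-INVALID_MPLS: Invalid MPLS label \(1\)$")

# Sample records: the first three are the lines quoted in the thread, the fourth
# is a constructed, unrelated Cisco message that must pass untouched.
TRUNCATED = ("Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: "
             "%BGP-3-INVALID_MPLS: Invalid MPLS label (1)")
CONTINUATION = ("Mar 13 10:33:14 PE06PVAL01 1182435: received in update for "
                "prefix XXX:XXX:XX.X.XXX.0/24 from A.B.C.D")
MERGED = TRUNCATED + " received in update for prefix XXX:XXX:XX.X.XXX.0/24 from A.B.C.D"
OTHER = ("Mar 13 10:33:15 PE06PVAL01 1182436: %LINEPROTO-5-UPDOWN: Line protocol "
         "on Interface GigabitEthernet0/1, changed state to up")


def parse(line):
    """Split one syslog record into its fields; None if it does not fit the shape."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def keep_line(line):
    """Equivalent of a `not message(<regexp>)` filter on Server X: only the
    truncated fragment is dropped; the concatenated line and all others pass."""
    rec = parse(line)
    if rec is None:
        return True  # a record that does not fit the shape is not what we filter on
    return TRUNCATED_RE.search(rec["msg"]) is None


def filter_lines(lines):
    return [line for line in lines if keep_line(line)]


def is_continuation(pending, rec):
    """Assumed rule for the second half of a split message: same host, the next
    sequence number, and no '%FACILITY-SEVERITY-MNEMONIC' of its own."""
    return (rec["host"] == pending["host"]
            and int(rec["seq"]) == int(pending["seq"]) + 1
            and "%" not in rec["msg"])


def merge_split_messages(lines):
    """Hypothetical reimplementation of the concatenation the thread calls 'the
    patch': a fragment is held back until the next record; if that record is its
    continuation, one line is emitted under the fragment's header, otherwise the
    fragment is emitted unchanged."""
    out = []
    pending = None  # (raw line, parsed fields) of a fragment waiting for its second half
    for line in lines:
        rec = parse(line)
        if pending is not None:
            raw, fields = pending
            pending = None
            if rec is not None and is_continuation(fields, rec):
                out.append("%s %s %s: %s %s" % (fields["ts"], fields["host"],
                                                fields["seq"], fields["msg"], rec["msg"]))
                continue
            out.append(raw)  # no continuation came; pass the fragment through as-is
        if rec is not None and TRUNCATED_RE.search(rec["msg"]):
            pending = (line, rec)
        else:
            out.append(line)
    if pending is not None:
        out.append(pending[0])
    return out


if __name__ == "__main__":
    print("Server X filter:")
    for line in filter_lines([TRUNCATED, MERGED, OTHER]):
        print("  ", line)
    print("Concatenation of the split arrival:")
    for line in merge_split_messages([TRUNCATED, CONTINUATION, OTHER]):
        print("  ", line)
```

<p dir="ltr">The anchored pattern in TRUNCATED_RE is the sort of expression that goes into the message() filter, and the filter has to be attached to the log statement that reads s_cisco_tcp, since the quoted configuration currently sends that source straight to d_cisco_tcp with no filter at all.</p>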
<div class="gmail_quote">On May 18, 2015 9:26 PM, "Alan Sam" <<a href="mailto:samsiu.a@gmail.com">samsiu.a@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hello Community,</div><div><br></div><div>Thank you all for your help regarding this issue reported.</div><div><br></div><div>We finally concluded that the Cisco device is sending the log in two different lines. </div><div><br></div><div>Now we have a new situation regarding the syslog-ng configuration file:</div><div><br></div><div>- A patch had to be created in order to concat the log. </div><div><br></div><div>- The logs that arrive at the server with syslog-ng come like this:</div><div><span style="white-space:pre-wrap">        </span>Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1)</div><div><span style="white-space:pre-wrap">        </span>Mar 13 10:33:14 PE06PVAL01 1182435: received in update for prefix XXX:XXX:XX.X.XXX.0/24 from A.B.C.D</div><div><span style="white-space:pre-wrap">        </span></div><div>- The patch concats the log and generates a new line that is inserted into the same cisco log file:</div><div><span style="white-space:pre-wrap">        </span>Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1) received in update for prefix XXX:XXX:XX.X.XXX.0/24 from A.B.C.D</div><div><br></div><div>- This new line that has the whole log line is sent to another server (let us call it Server X) with a syslog-ng tool running</div><div><br></div><div>- On server X, I get these two log lines:</div><div><span style="white-space:pre-wrap">        </span>Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1)</div><div><span style="white-space:pre-wrap">        </span>Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1) 
received in update for prefix XXX:XXX:XX.X.XXX.0/24 from A.B.C.D</div><div><br></div><div>The question is:</div><div>Is there a way to configure the syslog-ng in Server X so that:</div><div><span style="white-space:pre-wrap">        </span>- Discards the log line that contains "BGP-3-INVALID_MPLS: Invalid MPLS label (1)"</div><div><span style="white-space:pre-wrap">        </span>- Accepts the log line that contains "BGP-3-INVALID_MPLS: Invalid MPLS label (1) received in update for prefix"</div><div><span style="white-space:pre-wrap">        </span>- Accepts all other logs</div><div><span style="white-space:pre-wrap">        </span></div><div><br></div><div>The syslog-ng configuration file on Server X is the following:</div><div><br></div><div>> cat /etc/syslog-ng.conf</div><div>#@version: 3.0</div><div># syslog-ng configuration file for the server.</div><div>#</div><div># See syslog-ng(8) and syslog-ng.conf(8) for more information.</div><div>#</div><div><br></div><div>options { flush_lines (0);</div><div> time_reopen (10);</div><div> log_fifo_size (10000);</div><div> long_hostnames (off);</div><div> use_dns (yes);</div><div> create_dirs (yes);</div><div> keep_hostname (yes);</div><div> };</div><div><br></div><div># Client Source</div><div>source s_local { internal(); };</div><div>source s_syslog_udp { udp(port(514)); };</div><div><br></div><div># Server Source</div><div>source s_juniper_tcp { tcp(port(1001) keep-alive(yes)); };</div><div>source s_cisco_tcp { tcp(port(1002) keep-alive(yes)); };</div><div><br></div><div># Client Destination</div><div>destination d_local { file("/var/adm/syslog/syslog-ng.log"); };</div><div>destination d_juniper_tcp { file("/var/adm/syslog/juniper.log"); };</div><div>destination d_cisco_tcp { file("/var/adm/syslog/cisco.log"); };</div><div><br></div><div># Server Destination</div><div>destination d_syslog { file("/var/adm/syslog/syslog.log"); };</div><div>destination d_mail { file("/var/adm/syslog/mail.log"); 
};</div><div><br></div><div># Server Filter</div><div>filter f_mail { facility(mail) and level(debug .. emerg); };</div><div>filter f_syslog { level(info .. emerg) and not facility(mail) and not program(syslog-ng); };</div><div>filter f_syslog-ng { program(syslog-ng); };</div><div><br></div><div><br></div><div># Client Log</div><div>log { source(s_local); destination(d_local); destination(d_syslog); };</div><div>log { source(s_syslog_udp); destination(d_syslog); };</div><div><br></div><div># Server Log</div><div>log { source(s_local); filter(f_syslog-ng); destination(d_syslog); };</div><div>log { source(s_local); filter(f_mail); destination(d_mail); };</div><div>log { source(s_local); filter(f_syslog); destination(d_syslog); };</div><div>log { source(s_juniper_tcp); destination(d_juniper_tcp); };</div><div>log { source(s_cisco_tcp); destination(d_cisco_tcp); };</div><div> <span style="white-space:pre-wrap">        </span></div><div><br></div><div><span style="white-space:pre-wrap">        </span></div><div>Thank you so much for your help.</div><div><br></div><div>Best regards,</div><div>Alan</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, May 8, 2015 at 5:37 AM, PÁSZTOR György <span dir="ltr"><<a href="mailto:pasztor@linux.gyakg.u-szeged.hu" target="_blank">pasztor@linux.gyakg.u-szeged.hu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<span><br>
"Sandor Geller" <<a href="mailto:sandor.geller@ericsson.com" target="_blank">sandor.geller@ericsson.com</a>> wrote on 2015-05-08 at 09:32:<br>
> Wow, it was really 'low resolution'. Zooming in showed that there isn't<br>
> any kind of UDP packet fragmentation happening (not surprising, the<br>
<br>
</span>That's why I asked for a pcap file.<br>
It would have required a smaller attached file, and would have given us more info.<br>
I found a new theory, based on: 1 pic ~= 1 Mword<br>
1 pcap ~= 1000 pic!<br>
<span><br>
> kernel would reassembele fragments transparently to syslog-ng) but the<br>
> sender device actually splits the logs into multiple packets so<br>
> syslog-ng does exactly what it should do. Yet another broken syslog<br>
> implementation on Cisco's side :(<br>
<br>
</span>As is basically all of their syslog implementation.<br>
<span><br>
> I'm not aware of how such logs could get concatenated without writing an<br>
> app which postprocesses the logs.<br>
<br>
</span>That's another thing I asked a pcap file for. I gave up.<br>
Maybe there is a chance to do that with some patterndb magic, where we can<br>
"process" and "correlate", etc.<br>
<br>
Kind regards,<br>
Gyu<br>
<div><div>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</div></div></blockquote></div><br></div>
<br></blockquote></div>