<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>I set up a syslog-ng 3.9 device to capture a message using<br></div><div><br></div><div>network(transport(tcp) flags(no-parse));</div><div><br></div><div>Here's what was logged:<br></div><div><br></div><div dir="ltr">Sep 11 12:14:51 1.1.1.1 <190>53: Sep 11 16:14:50.588: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host blahblah<br><br></div><div>Followed up with a device that delivers a proper hostname, this is what was logged:</div><div><br></div><div>Sep 11 13:17:39 2.2.2.2 <190>10474: Sep 11 17:17:38.447 UTC: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host blahblah<br></div><div><br></div><div>Looks like the difference is the working device contains a timezone whereas the non-working device does not. Everything else is the same; however, neither contains a hostname like in your example.<br></div><div><br></div><div><br></div><div dir="ltr"><br></div><div dir="ltr"><br></div></div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 11, 2018 at 9:45 AM, Budai, László <span dir="ltr"><<a href="mailto:laszlo.budai@oneidentity.com" target="_blank">laszlo.budai@oneidentity.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><div>Hi,</div><div><br></div><div>instead of reverting the ipv6 heuristic, I propose another solution:</div><div><a href="https://github.com/balabit/syslog-ng/pull/2272" target="_blank">https://github.com/balabit/syslog-ng/pull/2272</a></div><div><br></div><div>I think that when a timestamp is followed by a colon (':'), it is part of the timestamp and the (legacy) timestamp parser should 'eat' it.<br></div><div><br></div><div>I tested with the following log:<br></div><div><0>91: *Oct 07 03:10:04: mydevice.com %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=150.1.1.1, prot=50, spi=0x72662541(1919296833), srcaddr=150.3.1.3</div><div><br></div><div>Could you validate that this is the same format that you have?<br></div><div><br></div><div>L.<br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 10, 2018 at 4:32 PM, Scheidler, Balázs <span dir="ltr"><<a href="mailto:balazs.scheidler@oneidentity.com" target="_blank">balazs.scheidler@oneidentity.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>This branch has a patch to revert that specific commit, and I've confirmed that it resolves the issue for me, in exchange for not supporting IPV6 addresses in the hostname field.</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 10, 2018 at 3:55 PM, Balazs Scheidler <span dir="ltr"><<a href="mailto:bazsi77@gmail.com" target="_blank">bazsi77@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><div>This patch broke it:</div><div><br></div><div>399d565e9857e7cb41253e9a714d5cc6ad4d50fb.</div><div><br></div><div>This patch can be reverted easily even on the latest master to resolve the issue.<br></div></div></div><div class="m_5001920760894036064m_-5482981200732931473HOEnZb"><div 
class="m_5001920760894036064m_-5482981200732931473h5"><br><div class="gmail_quote"><div dir="ltr">On Mon, Sep 10, 2018 at 3:16 PM Scheidler, Balázs <<a href="mailto:balazs.scheidler@oneidentity.com" target="_blank">balazs.scheidler@oneidentity.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">This is probably not it; the syslog-parser() changed some behaviours that changed it.</div><br><div class="gmail_quote"><div dir="ltr">On Mon, Sep 10, 2018, 13:45 Budai, László <<a href="mailto:laszlo.budai@oneidentity.com" target="_blank">laszlo.budai@oneidentity.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Hi,</div><div><br></div><div>in syslog-ng OSE 3.13 [1] we introduced a new feature, called app-parser [2], and the default network driver is using it.</div><div>Maybe that could cause your issue. If this is the case, then we have another PR [3] which makes it possible to disable the auto-parse (also part of 3.13).</div><div><br></div><div>Example: <br></div><div>source s_network {<br> default-network-drivers(auto-parse(no));<br>};<br><br></div><div>If it does not solve your problem, then could you share the relevant part of your config?<br></div><div><br></div><div><br></div><div>[1] <a href="https://github.com/balabit/syslog-ng/releases/tag/syslog-ng-3.13.1" rel="noreferrer" target="_blank">https://github.com/balabit/syslog-ng/releases/tag/syslog-ng-3.13.1</a><br></div><div>[2] <a href="https://github.com/balabit/syslog-ng/pull/1689" rel="noreferrer" target="_blank">https://github.com/balabit/syslog-ng/pull/1689</a></div><div>[3] <a href="https://github.com/balabit/syslog-ng/pull/1788/" rel="noreferrer" target="_blank">https://github.com/balabit/syslog-ng/pull/1788/</a><br></div><div><br></div><div><br></div><div>regards,</div><div>Laszlo 
Budai</div><div><br></div></div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 7, 2018 at 6:00 PM, Nik Ambrosch <span dir="ltr"><<a href="mailto:nik@ambrosch.com" rel="noreferrer" target="_blank">nik@ambrosch.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr">Recently I upgraded my centralized loghost from 3.9 -> 3.15 and I noticed that some of my cisco devices started being logged in an undesirable format... I don't want to enable the cisco parser because more than just cisco messages get delivered to this interface. Here are the relevant fields that have changed before/after the upgrade:<br><br>syslog-ng 3.9, before upgrade ---<br> ${FULLHOST}: "<a href="http://mydevice.com" rel="noreferrer" target="_blank">mydevice.com</a>"<br> ${PROGRAM}: ""<br> message: "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for..."<br><br>syslog-ng 3.15, before upgrade ---<br> ${FULLHOST}: ":"<br> ${PROGRAM}: "%CRYPTO-4-RECVD_PKT_INV_SPI"<br> ${MSG}: "decaps: rec'd IPSEC packet has invalid spi for..."<br><br><br>Is this unintended behavior or a bug? This particular device is a Cisco 3845 running ios 12.4(22)T4.<br><br>Thanks in advance.<br></div></div>
<br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>
<br>
</blockquote></div>
<br>
</blockquote></div><br clear="all"><span class="m_5001920760894036064HOEnZb"><font color="#888888"><br></font></span></div></div><span class="m_5001920760894036064HOEnZb"><font color="#888888"><span class="m_5001920760894036064m_-5482981200732931473HOEnZb"><font color="#888888">-- <br><div dir="ltr" class="m_5001920760894036064m_-5482981200732931473m_-8752580009611113285gmail_signature" data-smartmail="gmail_signature">Bazsi</div>
</font></span><br>
<br>
<br></font></span></blockquote></div><br></div>
<br>
<br></blockquote></div><br></div>
<br>
<br></blockquote></div><br></div>
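As an added illustration, not code from this thread or from syslog-ng, here is a small Python model of the legacy header parsing discussed above, run over the three raw device lines quoted in the thread. The hostname token rule (which admits ':' so that bare IPv6 literals qualify) and the colon handling are assumptions that mimic the behaviour the thread describes, not syslog-ng's implementation; the model shows that a ':' trailing the timestamp is taken as the host unless the timestamp parser eats it.

```python
import re

# Constructed samples: the raw device lines quoted in this thread. The receiver-
# prepended "Sep 11 12:14:51 1.1.1.1 " prefix is not part of what the device sent.
SAMPLES = {
    "ios_with_host": "<0>91: *Oct 07 03:10:04: mydevice.com %CRYPTO-4-RECVD_PKT_INV_SPI: "
                     "decaps: rec'd IPSEC packet has invalid spi for destaddr=150.1.1.1",
    "ios_no_host": "<190>53: Sep 11 16:14:50.588: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host blahblah",
    "ios_no_host_tz": "<190>10474: Sep 11 17:17:38.447 UTC: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host blahblah",
}

PRI_RE = re.compile(r"<(\d{1,3})>")
SEQ_RE = re.compile(r"\d+:\s+")  # Cisco IOS message sequence number
# BSD timestamp, optional leading '*', optional fractional seconds, optional 2-5 letter zone (assumed)
TS_RE = re.compile(r"\*?[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?(?: [A-Z]{2,5})?")
# Hypothetical hostname token: ':' is allowed so that bare IPv6 literals qualify,
# which is the heuristic that lets a stray ':' be taken as the host.
HOST_RE = re.compile(r"[A-Za-z0-9.:\-]+(?=\s|$)")


def parse_legacy(line: str, eat_colon: bool) -> dict:
    """Hypothetical model of legacy BSD-syslog header parsing, not syslog-ng's code."""
    pos, pri, timestamp, host = 0, None, "", ""
    m = PRI_RE.match(line, pos)
    if m:
        pri, pos = int(m.group(1)), m.end()
    m = SEQ_RE.match(line, pos)
    if m:
        pos = m.end()
    m = TS_RE.match(line, pos)
    if m:
        timestamp, pos = m.group(0), m.end()
        # The proposed rule: a ':' directly after the timestamp belongs to it.
        if eat_colon and line.startswith(":", pos):
            pos += 1
    pos = _skip_spaces(line, pos)
    m = HOST_RE.match(line, pos)
    if m:  # no match (e.g. the token starts with '%') leaves host empty,
        host, pos = m.group(0), m.end()  # to be filled from the peer address later
    return {"pri": pri, "timestamp": timestamp, "host": host,
            "rest": line[_skip_spaces(line, pos):]}


def _skip_spaces(line: str, pos: int) -> int:
    while pos < len(line) and line[pos] == " ":
        pos += 1
    return pos


def hosts_by_mode() -> dict:
    """Host field each sample yields without and with the colon-eating rule."""
    return {(name, eat): parse_legacy(raw, eat)["host"]
            for name, raw in SAMPLES.items() for eat in (False, True)}
```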