<div dir="ltr">Hi,<div><br></div><div>This log line was received from Cisco device.</div><div>I believe that the timestamp is not in acceptable format.</div><div>Is there any way we can configure syslog-ng to accept timestamp of this form?</div><div><br></div><div>Thanks</div><div>Raghu</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Apr 28, 2020 at 6:26 PM Nagy Gábor <<a href="mailto:gabor.hl@gmail.com">gabor.hl@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi!<br><br></div><div>At first look it seems to me that your log message is not in RFC5424 [1] format, or in RFC3164 [2] format.<br></div><div>You use syslog() source driver which expects these formats.<br><br></div><div>Do you receive log messages from other clients too (I guess if you have max-connections(500))?<br></div><div>What device is the log source where messages are coming form?<br></div><div><br></div><div>Regards,</div><div>Gabor<br></div><div><br></div><div>[1] <a href="https://tools.ietf.org/html/rfc5424" target="_blank">https://tools.ietf.org/html/rfc5424</a><br>[2] <a href="https://tools.ietf.org/html/rfc3164" target="_blank">https://tools.ietf.org/html/rfc3164</a></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Raghunath Adhyapak <<a href="mailto:funduraghu@gmail.com" target="_blank">funduraghu@gmail.com</a>> ezt írta (időpont: 2020. ápr. 28., K, 13:00):<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Hello all,</div><div><br></div><div>I am receiving the following syslog line from one of devices.</div><div><br></div><div dir="ltr"><134>1 1588062776.725141502 C0493 flows allow src=10.0.31.145 dst=9.9.9.9 Mac=F1:37:59:38:BA:F8 protocol=udp sport=50307 dport=53<br></div><div dir="ltr"><br></div><div>This line contains a version filed immediately following the priority, and then timestamp is in epoch format as against ISO8601 or other standard format.</div><div><br></div><div>I see the following error in syslog-ng log:</div><div>[2020-04-28T10:46:15.340911] Outgoing message; message='Apr 28 10:46:15 ip-172-31-240-95 syslog-ng[27873]: Error processing log message: <134>1>@< 1588062776.725141502 C0493 flows allow src=10.0.31.145 dst=9.9.9.9 mac=F1:37:59:38:BA:F8 protocol=udp sport=50307 dport=53'<br></div><div><br></div><div>What could be the possible issue here?</div><div><br></div><div>My config is as follows:</div><div><br></div><div><div>##========================================</div><div>########################</div><div># Global options</div><div>########################</div><div>options {keep_hostname (yes); use_dns (no); mark-freq(30);};</div><div>########################</div><div># Sources</div><div>########################</div><div>source s_syslog {</div><div> syslog(</div><div> transport(udp)</div><div> port(514)</div><div> max-connections(500)</div><div> );</div><div>};</div></div><div><div>########################</div><div># Destinations</div><div>########################</div><div>destination d_file {<br></div><div> file("/var/log/dump.log");</div><div>};</div></div><div><div>########################</div><div># Log paths</div><div>########################</div><div>log {</div><div> source(s_syslog);</div><div> destination(d_file);</div><div> flags(flow-control);</div><div>};</div><div>##========================================</div></div><div><br></div><div>If I check my file /var/log/dump.log, I see that the error line is getting written to it too.</div><div><br></div><div><div>root@ip-172-31-240-95:~# tail -f /var/log/dump.log | grep "Error processing"</div><div>Apr 28 10:44:46 ip-172-31-240-95 syslog-ng[27873]: Error processing log message: <134>1>@< 1588062776.725141502 C0493 flows allow src=10.0.31.145 dst=9.9.9.9 mac=F1:37:59:38:BA:F8 protocol=udp sport=50307 dport=53</div><div>Apr 28 10:46:15 ip-172-31-240-95 syslog-ng[27873]: Error processing log message: <134>1>@< 1588062776.725141502 C0493 flows allow src=10.0.31.145 dst=9.9.9.9 mac=F1:37:59:38:BA:F8 protocol=udp sport=50307 dport=53</div></div><div><br></div><div>Thanks</div><div>Raghu</div></div></div></div></div></div></div></div></div></div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>