Hi, This log line was received from a Cisco device. I believe that the timestamp is not in an acceptable format. Is there any way we can configure syslog-ng to accept a timestamp of this form? Thanks Raghu
On Tue, Apr 28, 2020 at 6:26 PM Nagy Gábor <gabor.hl@gmail.com> wrote:
Hi!
At first look it seems to me that your log message is not in RFC5424 [1] or RFC3164 [2] format. You use the syslog() source driver, which expects these formats.
Do you receive log messages from other clients too (I guess so, if you have max-connections(500))? What device is the log source the messages are coming from?
Regards, Gabor
[1] https://tools.ietf.org/html/rfc5424 [2] https://tools.ietf.org/html/rfc3164
Raghunath Adhyapak <funduraghu@gmail.com> wrote (on 2020 Apr 28, Tue, 13:00):
Hello all,
I am receiving the following syslog line from one of my devices.
<134>1 1588062776.725141502 C0493 flows allow src=10.0.31.145 dst=9.9.9.9 Mac=F1:37:59:38:BA:F8 protocol=udp sport=50307 dport=53
This line contains a version field immediately following the priority, and then the timestamp is in epoch format rather than ISO 8601 or another standard format.
I see the following error in the syslog-ng log:
[2020-04-28T10:46:15.340911] Outgoing message; message='Apr 28 10:46:15 ip-172-31-240-95 syslog-ng[27873]: Error processing log message: <134>1>@< 1588062776.725141502 C0493 flows allow src=10.0.31.145 dst=9.9.9.9 mac=F1:37:59:38:BA:F8 protocol=udp sport=50307 dport=53'
What could be the possible issue here?
My config is as follows:
##========================================
########################
# Global options
########################
options { keep_hostname(yes); use_dns(no); mark-freq(30); };

########################
# Sources
########################
source s_syslog { syslog( transport(udp) port(514) max-connections(500) ); };

########################
# Destinations
########################
destination d_file { file("/var/log/dump.log"); };

########################
# Log paths
########################
log { source(s_syslog); destination(d_file); flags(flow-control); };
##========================================
If I check my file /var/log/dump.log, I see that the error line is getting written to it too.
root@ip-172-31-240-95:~# tail -f /var/log/dump.log | grep "Error processing"
Apr 28 10:44:46 ip-172-31-240-95 syslog-ng[27873]: Error processing log message: <134>1>@< 1588062776.725141502 C0493 flows allow src=10.0.31.145 dst=9.9.9.9 mac=F1:37:59:38:BA:F8 protocol=udp sport=50307 dport=53
Apr 28 10:46:15 ip-172-31-240-95 syslog-ng[27873]: Error processing log message: <134>1>@< 1588062776.725141502 C0493 flows allow src=10.0.31.145 dst=9.9.9.9 mac=F1:37:59:38:BA:F8 protocol=udp sport=50307 dport=53
Thanks Raghu
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
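Added example, not part of the thread and not syslog-ng's own code: the Python below makes Gabor's diagnosis concrete. RFC 5424 section 6 defines the header as PRI VERSION SP TIMESTAMP SP HOSTNAME ..., and TIMESTAMP must be either "-" or an RFC 3339 date-time, so a strict reader stops exactly where the error marker `>@<` sits, right after the version "1". The second function is a tolerant parser for the vendor shape seen in the post (<PRI>VERSION <epoch.fraction> <device-id> <text with key=value pairs>), converting the epoch to ISO 8601 UTC and splitting the pairs. The sample line is the one from the original post; the function names and the field names in the returned dict are my own.

```python
"""Why a strict RFC 5424 reader rejects the Cisco line, and how to parse it anyway."""
import re
from datetime import datetime, timezone

# The line quoted in the original post (constructed here as a Python string).
SAMPLE = ("<134>1 1588062776.725141502 C0493 flows allow src=10.0.31.145 dst=9.9.9.9 "
          "Mac=F1:37:59:38:BA:F8 protocol=udp sport=50307 dport=53")

# RFC 5424 HEADER starts with <PRI>VERSION SP; TIMESTAMP is NILVALUE ("-") or RFC 3339
# (e.g. 2020-04-28T08:32:56.725141Z, fractional part of 1..6 digits, "Z" or numeric offset).
PRI_VERSION = re.compile(r"^<(\d{1,3})>(\d{1,2}) ")
RFC3339 = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?(Z|[+-]\d{2}:\d{2})$")


def rfc5424_timestamp_ok(line: str) -> bool:
    """Return True only if the field after <PRI>VERSION is a valid RFC 5424 TIMESTAMP."""
    m = PRI_VERSION.match(line)
    if not m:
        return False
    ts = line[m.end():].split(" ", 1)[0]
    return ts == "-" or bool(RFC3339.match(ts))


def parse_cisco_epoch_line(line: str) -> dict:
    """Parse <PRI>1 <epoch>.<fraction> <device-id> <message> into a dict.

    The epoch is taken as UTC seconds since 1970-01-01; the fractional part may carry
    up to 9 digits (nanoseconds) but Python datetimes hold microseconds, so the value is
    truncated to 6 digits and the raw string is kept alongside.
    """
    m = re.match(r"^<(\d{1,3})>1 (\d+)\.(\d{1,9}) (\S+) (.*)$", line)
    if not m:
        raise ValueError("line is not in the <PRI>1 <epoch> <host> <msg> shape")
    pri = int(m.group(1))
    if pri > 191:  # facility 0..23 * 8 + severity 0..7
        raise ValueError("PRI out of range")
    secs, frac, host, msg = m.group(2), m.group(3), m.group(4), m.group(5)
    micros = int(frac.ljust(9, "0")[:6])
    ts = datetime.fromtimestamp(int(secs), tz=timezone.utc).replace(microsecond=micros)

    # Split the free text into the event words and the key=value pairs; keys are
    # lower-cased because the device emits both "Mac=" and "mac=" in the thread.
    fields, words = {}, []
    for tok in msg.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key.lower()] = value
        else:
            words.append(tok)
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": ts.isoformat(),
        "raw_timestamp": f"{secs}.{frac}",
        "host": host,
        "event": " ".join(words),
        "fields": fields,
    }


if __name__ == "__main__":
    print("strict RFC 5424 timestamp:", rfc5424_timestamp_ok(SAMPLE))
    print(parse_cisco_epoch_line(SAMPLE))
```

In syslog-ng terms the same idea is to receive the line with a source that does not try to parse it as RFC 5424 (a network() source with flags(no-parse) puts the whole line in the message) and then extract the fields with a parser of your own. One caveat worth keeping: the epoch timestamp is supplied by the device, so if it is used to order or search events, compare it against the receive time (the syslog-ng log shows 10:46 local while the epoch decodes to 08:32:56 UTC) and do not let a skewed or forged clock move events out of the window an analyst is looking at.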