We are running syslog-ng, open source edition, version 3.22.1, on RedHat Enterprise version 7.8. Among many other data sources, we receive syslog data from an F5 device that acts as a VPN server. One type of message that it sends us is consistently not making it into the log (though everything else, to my knowledge, does.)  I wonder if anyone sees something wrong with the message that would prevent its being parsed/stored.

The message (reconstructed from a packet capture, identification fields redacted or changed):

<141>1 2020-08-04T08:10:58.769127-05:00 <fqdn here> apmd 12374 01490113:5:
[F5@12276 hostname="fqdn" errdefs_msgno="01490113:5:"
partition_name="Common" session_id="1c95e1e7" Access_Profile="/Common/blah"
Partition="Common" Session_Id="1c95e1e6"
Session_Variable_Name="session.machine_info.last.net_adapter.list.[0].mac_address"
Session_Variable_Value="3C:D9:2B:33:9A:8E"]
/Common/<blah>:Common:1c95e1e6: session.machine_info.last.net_adapter.list.[0].mac_address is 3C:D9:2B:33:9A:8E

I inserted the line breaks to help Outlook. Note that although the message appears to be RFC5424-compliant, I have discovered that it does not have whatever magic headers let syslog-ng handle it as structured data transparently. As a result, I cannot use the “syslog” transport but have to use the generic “network” transport and then use flags “syslog-protocol”. This works OK for everything else from this source.

The message doesn’t appear in our syslog logs at all. It’s consistent.

The relevant parts of the syslog-ng configuration look like:

options {
        ts_format(iso);
        use_dns(yes);
        dns_cache(1000);
        dns_cache_expire(30);
        use_fqdn(yes);
        keep_hostname(no);
        chain-hostnames(no);
        keep_timestamp(yes);
        stats_level(1);
        stats_freq(3600);
        normalize_hostnames(yes);
        log_fifo_size(10000);
        flush_lines(1000);
        log-msg-size(65536);
        trim-large-messages(yes);
        threaded(yes);
        time_reap(10);
        create_dirs(yes);
        dir_group(esmapp);
        dir_owner(esmapp);
        group(esmapp);
        owner(esmapp);
        perm(0644);
};

source s_F5VPN_source {
    network(
        transport("tcp")
        ip(0.0.0.0)
        port(11000)
        keep-timestamp(yes)
        flags(no-multi-line,syslog-protocol)
        max-connections(50)
        log_iw_size(10000)
        log-fetch-limit(20)
    );
};

filter f_F5VPN_client { netmask(<blah>) and facility(local1); };

destination d_F5VPN_client {
    file(
        "/home/syslog/F5VPN_client.log"
        ts_format(rfc3164)
    );
};

log {
    source(s_F5VPN_source);
    filter(f_F5VPN_client);
    destination(d_F5VPN_client);
    flags(flow-control);
};

Regards,

Jon

Jon Wilson | Principal System Engineer, IT Service Management | Information Technology | Vanderbilt University Medical Center 
jonathan.wilson@vumc.org | phone: 615-440-7895 | fax: 615-323-2181
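An added example, not part of Jon's post and not syslog-ng's own parser: a small RFC 5424 parser in Python run over the captured message, joined back onto one line with a placeholder hostname (vpn.example.org) in place of the redacted FQDN. RFC 5424 section 6.3.3 requires the characters `"`, `\` and `]` inside a PARAM-VALUE to be backslash-escaped, and the value `session.machine_info.last.net_adapter.list.[0].mac_address` contains an unescaped `]`. The code contrasts a strict reader, which rejects the message at that byte, with a lenient one that reads each value up to its closing quote; the header itself (PRI 141 = local1/notice, a six-digit fractional timestamp, MSGID `01490113:5:`) parses fine either way. How syslog-ng's `syslog-protocol` flag handles that `]` is not established by the post and is the thing to check next, for instance by replaying a copy of the message with the bracket escaped. The escaped variant `F5_MSG_ESCAPED` is constructed here for that comparison.

```python
import re
from dataclasses import dataclass


class SyslogParseError(ValueError):
    pass


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    appname: str
    procid: str
    msgid: str
    sd: dict      # SD-ID -> {PARAM-NAME: PARAM-VALUE}
    msg: str


# RFC 5424 HEADER: PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<proc>\S+) (?P<msgid>\S+) ')
# SD-NAME: 1..32 printable US-ASCII characters, excluding space, '=', ']' and '"'
SD_NAME_RE = re.compile(r'[^ =\]"]{1,32}')


def parse_structured_data(s, pos, strict=True):
    """Parse STRUCTURED-DATA starting at s[pos]; return (sd_dict, position after it).

    RFC 5424 6.3.3: '"', '\\' and ']' inside a PARAM-VALUE MUST be escaped with a
    backslash. strict=True rejects a raw ']' inside a value; strict=False reads the
    value up to the closing '"' regardless.
    """
    if s.startswith('-', pos):            # NILVALUE: no structured data
        return {}, pos + 1
    sd = {}
    while pos < len(s) and s[pos] == '[':
        pos += 1
        m = SD_NAME_RE.match(s, pos)
        if not m:
            raise SyslogParseError(f'missing SD-ID at offset {pos}')
        sd_id, pos, params = m.group(0), m.end(), {}
        while not s.startswith(']', pos):
            if not s.startswith(' ', pos):
                raise SyslogParseError(f'expected SP or "]" at offset {pos}: {s[pos:pos+16]!r}')
            m = SD_NAME_RE.match(s, pos + 1)
            if not m or not s.startswith('="', m.end()):
                raise SyslogParseError(f'malformed SD-PARAM at offset {pos}: {s[pos:pos+16]!r}')
            name, pos, value = m.group(0), m.end() + 2, []
            while True:                   # PARAM-VALUE up to an unescaped '"'
                if pos >= len(s):
                    raise SyslogParseError(f'unterminated PARAM-VALUE for {name}')
                c = s[pos]
                if c == '\\' and pos + 1 < len(s) and s[pos + 1] in '"\\]':
                    value.append(s[pos + 1]); pos += 2; continue
                if c == '"':
                    pos += 1; break
                if c == ']' and strict:
                    raise SyslogParseError(
                        f'unescaped "]" inside PARAM-VALUE {sd_id}/{name} at offset {pos}')
                value.append(c); pos += 1
            params[name] = ''.join(value)
        pos += 1                          # consume the closing ']'
        sd[sd_id] = params
    if not sd:
        raise SyslogParseError(f'expected "[" or "-" at offset {pos}')
    return sd, pos


def parse_rfc5424(line, strict=True):
    m = HEADER_RE.match(line)
    if not m:
        raise SyslogParseError('not an RFC 5424 header')
    pri = int(m.group('pri'))
    if pri > 191:
        raise SyslogParseError(f'PRI {pri} out of range')
    sd, pos = parse_structured_data(line, m.end(), strict)
    msg = line[pos + 1:] if line.startswith(' ', pos) else ''
    return SyslogMessage(pri // 8, pri % 8, m.group('ts'), m.group('host'), m.group('app'),
                         m.group('proc'), m.group('msgid'), sd, msg)


# Constructed sample: the message from the post joined onto one line; the redacted
# FQDN is replaced by the placeholder vpn.example.org (an assumption).
F5_MSG = (
    '<141>1 2020-08-04T08:10:58.769127-05:00 vpn.example.org apmd 12374 01490113:5: '
    '[F5@12276 hostname="fqdn" errdefs_msgno="01490113:5:" partition_name="Common" '
    'session_id="1c95e1e7" Access_Profile="/Common/blah" Partition="Common" Session_Id="1c95e1e6" '
    'Session_Variable_Name="session.machine_info.last.net_adapter.list.[0].mac_address" '
    'Session_Variable_Value="3C:D9:2B:33:9A:8E"] '
    '/Common/blah:Common:1c95e1e6: session.machine_info.last.net_adapter.list.[0].mac_address '
    'is 3C:D9:2B:33:9A:8E'
)
# Constructed variant: the same message with the ']' inside the PARAM-VALUE escaped as
# RFC 5424 requires (the ']' in the free-text MSG part needs no escaping).
F5_MSG_ESCAPED = F5_MSG.replace('list.[0].mac_address"', 'list.[0\\].mac_address"')


def check(line):
    """Return, per parser mode, whether the line is accepted and what was decoded."""
    result = {}
    for mode in ('strict', 'lenient'):
        try:
            m = parse_rfc5424(line, strict=(mode == 'strict'))
            result[mode] = f'ok: facility={m.facility} severity={m.severity} sd_ids={list(m.sd)}'
        except SyslogParseError as e:
            result[mode] = f'rejected: {e}'
    return result


if __name__ == '__main__':
    for label, line in (('as captured', F5_MSG), ('with ] escaped', F5_MSG_ESCAPED)):
        print(label)
        for mode, verdict in check(line).items():
            print(f'  {mode:8} {verdict}')
```

Running it prints a rejection for the captured message in strict mode only; the escaped copy is accepted in both modes with identical decoded values. The same two inputs replayed at the `network()` source on port 11000 would tell you whether syslog-ng's parser is the strict kind.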