* Ted_Rule@flextech.co.uk (Ted_Rule@flextech.co.uk) wrote:
> I have a little problem with a PIX using UDP syslog to an old syslogd server, which I'm hoping members of the list may be able to assist me with.
Haven't played with PIX firewalls in a while but I may be able to convince someone here to let me play with one and logging.
> Does anyone on the list have experience of Cisco PIX TCP Syslog stream talking to syslog-ng?
> Does anyone on the list have a good idea of the internal layout of the PIX TCP syslog stream - in particular how is the end of message encoded? ( Under UDP of course , EOM is implied by end of packet, but under TCP some explicit EOM marker would have(?) to be added to the stream. )
Having looked at the syslog-ng code for dealing with this stuff (had to because of the /proc/kmsg log problems I've had under Linux) it would appear that in general either a newline or a '\0' denotes the end of a log message. Since there's no 'EOM' in either TCP connections or files/pipes/etc I believe they all behave in basically the same manner. So your perl code should check for those two conditions I think.
> Would anyone be able to send me some tcpdumps or similar for me to decode the format so that I could generate some test data to fire at the listener?
I may be able to, we'll have to see. Just as a side-note I guess, I think your perl idea is really not-so-good. :) Personally I would strongly encourage you to either move to syslog-ng outright or, if you're really worried, just run both syslog-ng and syslogd and have syslog-ng *only* listen on TCP and have some very, very simple/stupid config file that just takes stuff coming in and dumps it to a file. I kind of see that as the 'best of both worlds' solution to get you started at least and then slowly migrate things over to syslog-ng till eventually you can phase out the old syslog entirely.

Stephen
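An added example, not code from this thread or from syslog-ng: a small Python framer that applies the end-of-message rule described above (a newline or a NUL byte terminates a message on a TCP stream) to arbitrary read chunks, so a test listener gets whole messages even when a message is split across two reads, plus a parser for the leading `<PRI>` field. The 8192-byte limit and the sample messages are constructed assumptions, not values from the PIX or syslog-ng.

```python
import re

# syslog-ng's stream readers treat either a newline or a NUL as end-of-message.
EOM = re.compile(rb"[\n\x00]")
# Leading <PRI> field: facility*8 + severity, 0..191 per the BSD syslog format.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


class SyslogStreamFramer:
    """Reassembles syslog messages from arbitrary TCP read() chunks."""

    def __init__(self, max_len=8192):  # limit is a constructed assumption
        self.buf = b""
        self.max_len = max_len

    def feed(self, chunk):
        """Append one chunk from the socket; return the complete messages in it."""
        self.buf += chunk
        msgs = []
        while True:
            m = EOM.search(self.buf)
            if not m:
                break
            raw, self.buf = self.buf[:m.start()], self.buf[m.end():]
            raw = raw.rstrip(b"\r")  # tolerate CRLF-terminated senders
            if raw:  # skip empty frames produced by "\n\0" or "\r\n" pairs
                msgs.append(raw.decode("ascii", "replace"))
        # A peer that never sends a terminator must not grow the buffer forever.
        if len(self.buf) > self.max_len:
            raise ValueError("unterminated syslog frame exceeds limit")
        return msgs


def parse_pri(msg):
    """Return (facility, severity, rest) or None if the PRI field is malformed."""
    m = PRI_RE.match(msg)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return pri // 8, pri % 8, m.group(2)


if __name__ == "__main__":
    # Constructed sample stream: one message split across two reads, one NUL-terminated.
    f = SyslogStreamFramer()
    for chunk in (b"<166>pix-test: constructed message one\n<1",
                  b"63>pix-test: constructed message two\0"):
        for msg in f.feed(chunk):
            print(parse_pri(msg))
```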