Try adding the 'no-parse' flag to the source. Syslog-ng tries to parse out the headers of the message (like date/time, host, facility, etc.), and if it can't figure out the format of the headers, it drops the message. The no-parse flag causes the entire message (headers and all, if they exist) to get shoved into the message contents, and it generates new default headers. So

source t_net { tcp(ip(X.X.X.5) port(2002) keep-alive(yes) ); };

will become

source t_net { tcp(ip(X.X.X.5) port(2002) keep-alive(yes) flags('no-parse')); };

If the message does actually have headers, just syslog-ng can't understand them, you can use rewrite rules and 'set' statements to parse out the headers and set them manually.

Sent: Thursday, March 25, 2010 5:31:15 PM
From: d lists <dlists95@gmail.com>
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] 3.0.5 & Cisco TCP problems
Hello,
After spending the afternoon trying to get this working, I've decided to reach out for some help (tried google - no luck!).
I have what I believe is a very simple syslog-ng configuration where I am trying to capture syslog events from Cisco routers via TCP. I first tested via UDP, and all works good. The router establishes a TCP connection with my syslog-ng (viewable via netstat -nap, and in the /var/log/messages):
Mar 25 17:07:53 logger syslog-ng[8943]: Syslog connection accepted; fd='11', client='AF_INET(X.X.X.254:56868)', local='AF_INET(X.X.X.5:2002)'
On the router I do a "config term" & "exit" to generate a log. tcpdump on the syslog-ng machine shows traffic as expected:
17:18:44.891080 IP X.X.X.254.61241 > 10.240.0.5.2002: . 3679441367:3679441450(83) ack 1811354960 win 4128
17:18:44.891134 IP X.X.X.5.2002 > 10.240.0.254.61241: . ack 83 win 5840
And a strace:
poll([{fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}, {fd=8, events=POLLIN}], 4, 456650) = 1 ([{fd=8, revents=POLLIN}])
gettimeofday({1269559238, 85688}, NULL) = 0
read(8, "<189>145: *Mar 25 23:41:37.033: "..., 7739) = 83
read(8, 0x9f94618, 7656) = -1 EAGAIN (Resource temporarily unavailable)
gettimeofday({1269559238, 86032}, NULL) = 0
poll([{fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}, {fd=8, events=POLLIN}], 4, 449113
But nothing ever shows up in the log files! Here's my syslog-ng.conf. Any pointers or ideas?
@version: 3.0
options { use_dns(no); };
source t_net { tcp(ip(X.X.X.5) port(2002) keep-alive(yes) ); };
source s_local { internal(); unix-stream("/dev/log"); file("/proc/kmsg" program_override("kernel: ")); };
destination d_messages { file("/var/log/messages"); };
destination d_cisco { file("/var/log/cisco.log"); };
log { source(t_net); destination(d_messages); };
log { source(s_local); destination(d_messages); };
And for what it is worth, the relevant line from my test Cisco:
logging host X.X.X.5 transport tcp port 2002
And syslog-ng version:
syslog-ng 3.0.5
Installer-Version: 3.0.5
Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.0#master#f2fd7457627a88eb9602a73a5c16cd8b2434b667
Compile-Date: Dec 7 2009 14:52:42
Enable-Threads: on
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-Sun-Door: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: off
Enable-SSL: on
Enable-SQL: on
Enable-Linux-Caps: on
Enable-Pcre: off
Thanks in advance!
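An added illustration, not part of the list thread, of what the reply is describing: the Cisco IOS line seen in the strace read() above does not have a BSD-syslog header shape (a sequence number sits where the timestamp should be, and the timestamp carries a leading '*'), so a header-parsing source rejects it, while the fields a later rewrite/set step would need can still be picked out of the raw text. The sample message is constructed from the prefix visible in the strace; the `%SYS-5-CONFIG_I` tail is assumed.

```python
import re

# RFC 3164 severity names; PRI = facility * 8 + severity.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD-syslog header shape (<PRI>TIMESTAMP HOSTNAME ...) that a header-parsing
# syslog source looks for directly after the PRI field.
RFC3164_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
)

# Cisco IOS header: <PRI>SEQ: [*|.]TIMESTAMP[ TZ]: %FAC-SEV-MNEMONIC: text
# The sequence number occupies the timestamp position, and a leading '*'
# marks a router clock that is not authoritative (not NTP-synced).
CISCO_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"
    r"(?P<sync>[*.])?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]?\d \d\d:\d\d:\d\d(?:\.\d{3})?)"
    r"(?: (?P<tz>[A-Za-z]{1,5}))?: "
    r"(?P<msg>.*)$"
)

# Constructed sample: prefix as seen in the strace read(); tail assumed for a
# "config term" / "exit" on the router.
SAMPLE = "<189>145: *Mar 25 23:41:37.033: %SYS-5-CONFIG_I: Configured from console by console"


def rfc3164_parses(line):
    """True if the line carries a header a header-parsing source would accept."""
    return RFC3164_HEADER.match(line) is not None


def parse_cisco(line):
    """Recover the fields a rewrite/set step would have to set after no-parse."""
    m = CISCO_HEADER.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,                 # 23 == local7, the IOS default
        "severity": SEVERITIES[pri % 8],
        "seq": int(m.group("seq")) if m.group("seq") else None,
        "clock_unsynced": m.group("sync") == "*",
        "timestamp": m.group("ts"),
        "message": m.group("msg"),
    }
```

Running `rfc3164_parses(SAMPLE)` returns False for the Cisco line and True for a plain `<189>Mar 25 23:41:37 router1 ...` line, which is the difference that makes the default source drop the router's messages.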