Hi, in syslog-ng OSE 3.13 [1] we introduced a new feature, called app-parser [2] and the default network network driver is using it. Maybe that could cause your issue. If this is the case, then we have another PR [3] which makes it possible to disable the auto-parse (also part of 3.13). Example: source s_network { default-network-drivers(auto-parse(no)); }; If it not solves your problem then could you share the relevant part of your config? [1] https://github.com/balabit/syslog-ng/releases/tag/syslog-ng-3.13.1 [2] https://github.com/balabit/syslog-ng/pull/1689 [3] https://github.com/balabit/syslog-ng/pull/1788/ regards, Laszlo Budai On Fri, Sep 7, 2018 at 6:00 PM, Nik Ambrosch <nik@ambrosch.com> wrote:
Recently I upgraded my centralized loghost from 3.9 -> 3.15 and I noticed that some of my cisco devices started being logged in an undesirable format... I don't want to enable the cisco parser because more than just cisco messages get delivered to this interface. Here are the relevant fields that have changed before/after the upgrade:
syslog-ng 3.9, before upgrade --- ${FULLHOST}: "mydevice.com" ${PROGRAM}: "" message: "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for..."
syslog-ng 3.15, before upgrade --- ${FULLHOST}: ":" ${PROGRAM}: "%CRYPTO-4-RECVD_PKT_INV_SPI" ${MSG}: "decaps: rec'd IPSEC packet has invalid spi for..."
Is this unintended behavior or a bug? This particular device is a Cisco 3845 running ios 12.4(22)T4.
Thanks in advance.
____________________________________________________________ __________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/? product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq