Hi,

in syslog-ng OSE 3.13 [1] we introduced a new feature, called app-parser [2] and the default network network driver is using it.

Maybe that could cause your issue. If this is the case, then we have another PR [3] which makes it possible to disable the auto-parse (also part of 3.13).

Example:

source s_network {
default-network-drivers(auto-parse(no));
};

If it not solves your problem then could you share the relevant part of your config?

[1] https://github.com/balabit/syslog-ng/releases/tag/syslog-ng-3.13.1

[2] https://github.com/balabit/syslog-ng/pull/1689

[3] https://github.com/balabit/syslog-ng/pull/1788/

regards,

Laszlo Budai

On Fri, Sep 7, 2018 at 6:00 PM, Nik Ambrosch <nik@ambrosch.com> wrote:

Recently I upgraded my centralized loghost from 3.9 -> 3.15 and I noticed that some of my cisco devices started being logged in an undesirable format... I don't want to enable the cisco parser because more than just cisco messages get delivered to this interface. Here are the relevant fields that have changed before/after the upgrade:

syslog-ng 3.9, before upgrade ---
    ${FULLHOST}: "mydevice.com"
    ${PROGRAM}: ""
    message: "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for..."

syslog-ng 3.15, before upgrade ---
    ${FULLHOST}: ":"
    ${PROGRAM}: "%CRYPTO-4-RECVD_PKT_INV_SPI"
    ${MSG}: "decaps: rec'd IPSEC packet has invalid spi for..."

Is this unintended behavior or a bug? This particular device is a Cisco 3845 running ios 12.4(22)T4.

Thanks in advance.

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq