Can the cisco use UDP? If so syslog-ng might consider each packet to be a complete message (since it's connectionless) and flush it out. Try turning the keep-alive off as well. If the cisco is trying to close the connection after each message, that could also force it to flush. Just guesses at this point though.
Sent: Thursday, March 25, 2010 8:31:54 PM
From: d lists <dlists95@gmail.com>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] 3.0.5 & Cisco TCP problems
On Thu, Mar 25, 2010 at 6:59 PM, Patrick H. <syslogng@feystorm.net> wrote:
Try adding the 'no-parse' flag to the source. Syslog-ng tries to parse out the headers of the message (like date/time, host, facility, etc.), and if it can't figure out the format of the headers, it drops the message. The no-parse causes the entire message (headers and all if they exist) to get shoved into the message contents, and it generates new default headers.
So source t_net { tcp(ip(X.X.X.5) port(2002) keep-alive(yes) ); }; will become source t_net { tcp(ip(X.X.X.5) port(2002) keep-alive(yes) flags('no-parse')); };
Tried that, no change. I've discovered what I think the problem is though: The cisco isn't including a LF at the end of each syslog message. If I force the router to send enough messages, a buffer must fill up & I get all the messages at once in a very unreadable format:
Mar 25 20:28:20 10.240.0.254 <189>461: *Mar 26 02:45:22.244: %SYS-5-CONFIG_I: Configured from console by console<190>462: *Mar 26 02:45:28.244: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.240.0.5 port 2002 started - reconnection<189>463: *Mar 26 02:45:35.336: %SYS-5-CONFIG_I: Configured from console by console<189>464: *Mar 26 02:45:35.352: %SYS-5-CONFIG_I: Configured from console by console<189>465: *Mar 26 02:45:35.372: %SYS-5-CONFIG_I: Configured from console by console<189>...(repeat another 50 times at least)
I found a thread for another piece of syslog software that encountered the same issue:
http://www.gossamer-threads.com/lists/rsyslog/users/1204
I take it from the lack of people noticing this that there aren't too many people using TCP to gather syslog from Cisco routers. If anyone has some suggestions on possible solutions (outside of opening a TAC case with cisco - which I plan on doing), I am all ears.
Thanks for the quick response! Time to read some more documentation.
If the message does actually have headers, just syslog-ng can't understand them, you can use rewrite rules and 'set' statements to parse out the headers and set them manually.
Sent: Thursday, March 25, 2010 5:31:15 PM
From: d lists <dlists95@gmail.com>
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] 3.0.5 & Cisco TCP problems
Hello,
After spending the afternoon trying to get this working, I've decided to reach out for some help (tried google - no luck!).
<snip>
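The framing problem described in this thread (Cisco IOS sending TCP syslog records with no trailing LF, so they arrive concatenated) can be handled on the collector side by splitting on the next <PRI> header instead of on a line terminator. The following is an added example, not code from the thread or from syslog-ng; the sample stream is the concatenated output quoted above, and the last record is deliberately held back as a remainder because without a terminator it cannot be known to be complete until the next header arrives.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Only reliable frame boundary in this stream is the next "<PRI>" header.
# Caveat: free text containing a literal "<nnn>" would also split here.
PRI_RE = re.compile(r"<(\d{1,3})>")
# Cisco IOS body: "<seq>: <timestamp>: %FACILITY-SEVERITY-MNEMONIC: text"
BODY_RE = re.compile(
    r"^(?P<seq>\d+):\s+(?P<ts>\*?\w{3}\s+\d+\s+[\d:.]+):\s+"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

@dataclass
class CiscoRecord:
    pri: int
    facility: int   # syslog facility = pri // 8 (23 = local7, the Cisco default)
    severity: int   # syslog severity = pri % 8
    seq: int
    mnemonic: str
    text: str

def frame_stream(buf: str) -> Tuple[List[str], str]:
    """Split buf on <PRI> boundaries; return (complete_frames, remainder).
    Bytes before the first <PRI> are dropped (in the thread's capture they are
    the header syslog-ng itself prepended to the whole blob)."""
    starts = [m.start() for m in PRI_RE.finditer(buf)]
    if not starts:
        return [], buf
    frames = [buf[starts[i]:starts[i + 1]] for i in range(len(starts) - 1)]
    return frames, buf[starts[-1]:]

def parse_frame(frame: str) -> CiscoRecord:
    """Decode one framed record into its PRI, sequence number and mnemonic."""
    m = PRI_RE.match(frame)
    if not m:
        raise ValueError("frame does not start with <PRI>")
    pri = int(m.group(1))
    body = BODY_RE.match(frame[m.end():].strip())
    if not body:
        raise ValueError("unrecognised Cisco body: %r" % frame[:40])
    return CiscoRecord(pri, pri // 8, pri % 8, int(body["seq"]),
                       body["mnem"], body["text"])

# Sample input: three records from the concatenated capture quoted in this thread.
STREAM = ("<189>461: *Mar 26 02:45:22.244: %SYS-5-CONFIG_I: Configured from console by console"
          "<190>462: *Mar 26 02:45:28.244: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host "
          "10.240.0.5 port 2002 started - reconnection"
          "<189>463: *Mar 26 02:45:35.336: %SYS-5-CONFIG_I: Configured from console by console")
```

Feed each TCP read into frame_stream together with the previous remainder; the held-back record is emitted as soon as the following <PRI> shows up.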