Is there a setting to use the new syslog format RFC? I wonder if that could be creating issues?

On 6/30/10 5:49 PM, bugzilla@bugzilla.balabit.com wrote:
https://bugzilla.balabit.com/show_bug.cgi?id=91
Summary: Cisco ASA log parsing issues
Product: syslog-ng
Version: 3.1.x
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: unspecified
Component: syslog-ng
AssignedTo: bazsi@balabit.hu
ReportedBy: jon@jonjames.net
Type of the Report: bug
Estimated Hours: 0.0
Original LOG as seen by TCPDUMP
16:42:08.734684 IP 172.16.32.157.syslog> 172.16.32.172.syslog: SYSLOG local4.notice, length: 95 E..{.......^.. ... ......g<.<165>Jul 01 2010 00:32:59: %ASA-5-111001: Begin configuration: 172.16.16.154 writing to memory
After being relayed as seen by TCPDUMP
16:42:59.208826 IP 172.16.32.172.33753> 172.16.32.225.syslog: SYSLOG local4.notice, length: 120 E...a.@.@.?... ... ........?<165>1 2010-07-01T00:33:50-04:00 172.16.32.157 %ASA-5-111001 - - - Begin configuration: 172.16.16.154 writing to memory
As you can see, syslog-ng appears to be messing with the datestamp and therefore the RSA enVision device I'm relaying to does not recognize the log as being from a Cisco ASA.
Is there a way to update the log parser in syslog to resolve this issue?
syslog-ng.conf (parts)
@version: 3.0
options { time_sleep(30); time_reap(30); mark_freq(30); dns_cache(yes); use_fqdn(no); keep_hostname(yes); chain_hostnames(no); use_dns(no); dns_cache_size(250000); dns_cache_expire(300); dns_cache_expire_failed(300); stats_freq(3600); log_msg_size(10000); };
source s_extranet { udp(ip("172.16.32.172") port(514)); };
log { source(s_extranet); destination(d_syslog_udp); };
destination d_syslog_udp { syslog("172.16.32.225" transport("udp") port(514)); };
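As an added example (not part of the report and not syslog-ng code), a small Python parser that recognises both header styles shown in the two tcpdump captures above: the ASA's legacy-style header and the RFC 5424 header that the syslog() destination emitted. The two payload strings are copied from the report, starting at the PRI field; the parser shows that the ASA message id and text survive the relay while the timestamp and hostname fields change.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Payloads copied from the tcpdump lines in the report (PRI onward): the ASA's own
# legacy-style message, and the same event after syslog-ng's syslog() destination
# re-emitted it as an RFC 5424 message.
ORIGINAL = ("<165>Jul 01 2010 00:32:59: %ASA-5-111001: "
            "Begin configuration: 172.16.16.154 writing to memory")
RELAYED = ("<165>1 2010-07-01T00:33:50-04:00 172.16.32.157 %ASA-5-111001 - - - "
           "Begin configuration: 172.16.16.154 writing to memory")

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\d (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"\S+ \S+ (?:-|(?:\[[^\]]*\])+) (?P<msg>.*)$")
# Legacy ASA header as the device sends it: <PRI>Mon DD YYYY HH:MM:SS: %ASA-S-NNNNNN: MSG
ASA_LEGACY_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"(?P<app>%ASA-\d-\d{6}): (?P<msg>.*)$")

@dataclass
class SyslogEvent:
    fmt: str                 # "legacy" or "rfc5424"
    facility: int            # PRI >> 3, e.g. 20 == local4
    severity: int            # PRI & 7, e.g. 5 == notice
    timestamp: str           # kept verbatim so the two header styles stay visible
    hostname: Optional[str]  # only RFC 5424 carries a HOSTNAME field
    asa_id: Optional[str]    # e.g. "%ASA-5-111001"
    message: str

def parse(line: str) -> SyslogEvent:
    """Parse either header style; raise ValueError on anything else."""
    m = RFC5424_RE.match(line)
    if m:
        fmt, host = "rfc5424", m.group("host")
    else:
        m = ASA_LEGACY_RE.match(line)
        if m is None:
            raise ValueError("unrecognised syslog header: %r" % line)
        fmt, host = "legacy", None  # the ASA line carries no HOSTNAME field
    pri = int(m.group("pri"))
    app = m.group("app")
    return SyslogEvent(fmt, pri >> 3, pri & 7, m.group("ts"), host,
                       app if app.startswith("%ASA-") else None, m.group("msg"))

def same_asa_event(a: str, b: str) -> bool:
    """True when two lines carry the same ASA message id and text, whatever the header."""
    pa, pb = parse(a), parse(b)
    return pa.asa_id is not None and pa.asa_id == pb.asa_id and pa.message == pb.message

if __name__ == "__main__":
    for line in (ORIGINAL, RELAYED):
        print(parse(line))
    print("same event:", same_asa_event(ORIGINAL, RELAYED))
```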