unsubscribe

On Fri, May 8, 2015 at 1:37 AM, PÁSZTOR György <pasztor@linux.gyakg.u-szeged.hu> wrote:
Hi,
"Sandor Geller" <sandor.geller@ericsson.com> wrote on 2015-05-08 at 09:32:
Wow, it was really 'low resolution'. Zooming in showed that there isn't any kind of UDP packet fragmentation happening (not surprising, the
That's why I asked for a pcap file. It would have required a smaller attached file, and would have given us more info. I found a new theory, based on: 1 pic ~= 1 Mword 1 pcap ~= 1000 pic!
kernel would reassemble fragments transparently to syslog-ng) but the sender device actually splits the logs into multiple packets so syslog-ng does exactly what it should do. Yet another broken syslog implementation on Cisco's side :(
As basically all of their syslog implementation.
I'm not aware of how such logs could get concatenated without writing an app which postprocesses the logs.
That's another thing, I asked for a pcap file. I gave up. Maybe there is a chance to do that with some patterndb magic, where we can "process" and "correlate", etc.
Kind regards, Gyu
-- *Nullius In Verba*