Hi,
"Sandor Geller" <sandor.geller@ericsson.com> írta 2015-05-08 09:32-kor:
> Wow, it was really 'low resolution'. Zooming in showed that there isn't
> any kind of UDP packet fragmentation happening (not surprising, the
That's what, why I asked a pcap file.
It would required smaller attached file, and would gave us more info.
I found a new theory, based on: 1 pic ~= 1 Mword
1 pcap ~= 1000 pic!
> kernel would reassembele fragments transparently to syslog-ng) but the
> sender device actually splits the logs into multiple packets so
> syslog-ng does exactly what it should do. Yet another broken syslog
> implementation on Cisco's side :(
As basically all of their syslog implementation.
> I'm not aware of how such logs could get concatenated without writing an
> app which postprocesses the logs.
That's another thing, I asked a pcap file. I gave up.
Maybe there is a chance to do that with some patterndb magic, where we can
"process" and "correlate", etc.
Kind regards,
Gyu
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq