I have the following diagram between some PE and Syslog-ng:
Cisco devices -> Syslog-ng (running on Solaris)
Syslog-ng version:
NTPSYSLOG# syslog-ng -V
syslog-ng 3.0.4
Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.0#master#1b5d618e301ad94aa20e692ffba16469dece8d10
Compile-Date: Sep 2 2009 06:15:53
Enable-Threads: off
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: on
Enable-Sun-Door: on
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: off
Enable-SSL: on
Enable-SQL: off
Enable-Linux-Caps: off
Enable-Pcre: on
One of the Cisco devices sends a particular log line that is split in two lines (there is a line break in between):
Mar 13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1)
received in update for prefix XXXX:XXXX:XXX.XXX.XXX.X/XXX from X.X.X.X
When the log reaches the Syslog-ng on Solaris server, it is logged like this:
Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1)
Mar 13 10:33:14 PE06PVAL01 1182435: received in update for prefix XXXX:XXXX:XXX.XXX.XXX.X/XXX from X.X.X.X
The log is transferred by UDP from the Cisco device to the Solaris server (where syslog-ng runs). This is the configuration used in syslog-ng:
ntpsyslog> more /etc/syslog-ng/syslog-ng.conf
@version: 3.0
#
# syslog-ng configuration file.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
options {
stats_freq (0);
flush_lines (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames(off);
use_dns (yes);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
perm(0640);
};
source s_sys { sun-streams ("/dev/log" door("/etc/.syslog_door")); internal(); udp(flags("no-multi-line")); };
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/adm/messages"); };
destination d_mail { file("/var/log/syslog"); };
destination d_auth { file("/var/log/authlog"); };
destination d_mlop { usertty("operator"); };
destination d_mlrt { usertty("root"); };
destination d_mlal { usertty("*"); };
destination cisco { file("/respaldo/syslog/cisco/cisco.log"); };
#----------------------------------------------------------------------
# Forward to a nisip server
#
destination cnc-cisco { udp("X.X.X.X" port(X)); };
#----------------------------------------------------------------------
filter f_filter1 { level(err) or
(level(notice) and facility (auth, kern)); };
filter f_filter2 { level(err) or
(facility(kern) and level(notice)) or
(facility(daemon) and level(notice)) or
(facility(mail) and level(crit)); };
filter f_filter3 { level(alert) or
(facility(kern) and level(err)) or
(facility(daemon) and level(err)); };
filter f_filter4 { level(alert); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(kern) and level(notice); };
filter f_filter7 { facility(mail) and level(debug); };
#filter f_filter10 { level(alert); };
filter f_filter9 { facility(user) and level(alert); };
filter f_cisco { facility(local2); };
# Alternative
log { source(s_sys_cisco); filter(f_cisco); destination(cisco); };
# Alternative
source s_juniper { file("/respaldo/syslog/juniper/juniper.log"); };
destination d_juniper_tcp { tcp("X.X.X.X" port(X)); };
filter f_juniper_tcp {not match("TOPO|/kernel:|snmpd|trace_*|PING_*|BGP_*|bgp_*|repeated|task|task_connect|EVENT|received iff message|rshd|cron" value("MESSAGE")); };
log { source(s_juniper); filter(f_juniper_tcp); destination(d_juniper_tcp); };
source s_cisco { file("/respaldo/syslog/cisco/cisco.log"); };
destination d_cisco_tcp { tcp("X.X.X.X" port(X)); };
log { source(s_cisco); destination(d_cisco_tcp); };
##################################
# FWD from Syslog to CNC Cisco
##################################
source s_cisco { file("/respaldo/syslog/cisco/cisco.log"); };
log {source(s_cisco); destination(cnc-cisco); };
ntpsyslog>
I have tried different configurations in order to make the "no-multi-line" flag work. However, none of them have worked:
destination cisco { file("/respaldo/syslog/cisco/cisco.log" flags(no-multi-line)); };
source s_sys { sun-streams ("/dev/log" door("/etc/.syslog_door")); internal(); udp(flags("no-multi-line")); };
If more information is required, please do not hesitate to ask for it.
Thank you beforehand for your help.
Alan Sam
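Two checks a practitioner would run before changing more syslog-ng flags, as an added example that is not part of the original post and not syslog-ng's own code. The two records in cisco.log carry consecutive Cisco sequence numbers (1182434 and 1182435), which the router assigns per message it emits, so it is worth finding out whether the split already happens on the router (two datagrams) or in syslog-ng (one datagram cut at the newline). `build_datagram()` builds one RFC 3164-style datagram with an embedded newline that you can send to the collector and compare against what lands in cisco.log; `join_continuations()` post-processes the written log and joins a record that carries no Cisco `%FACILITY-SEVERITY-MNEMONIC:` tag onto the previous record from the same host with the next sequence number. The sample lines are the two from the post plus one constructed line; the facility number 18 (local2, matching the `f_cisco` filter), the severity, and the collector address are assumptions.

```python
"""Probe and reassemble Cisco syslog records that arrive split in two.

Added example; not code from the original post or from syslog-ng.
"""
import re
import socket

# Constructed sample: the first two lines are as logged in the post, the third
# is a made-up follow-up message used to show that a tagged line is not joined.
SAMPLE_LOG = [
    "Mar 13 10:33:14 PE06PVAL01 1182434: Mar 13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1)",
    "Mar 13 10:33:14 PE06PVAL01 1182435: received in update for prefix XXXX:XXXX:XXX.XXX.XXX.X/XXX from X.X.X.X",
    "Mar 13 10:34:00 PE06PVAL01 1182436: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.1)",
]

# Collector-written line: "<ts> <host> <cisco-seq>: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<seq>\d+): (?P<msg>.*)$"
)
# A fresh Cisco message starts with an optional router timestamp followed by
# a %FACILITY-SEVERITY-MNEMONIC: tag; a continuation line has no such tag.
CISCO_TAG_RE = re.compile(
    r"^(?:\*?[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?(?: [A-Z]+)?: )?"
    r"%[A-Z0-9_]+-\d-[A-Z0-9_]+:"
)


def parse_line(line):
    """Split one collector line into fields; None if it is not in that shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"])
    return rec


def join_continuations(lines):
    """Join untagged records onto the preceding record from the same host
    when their Cisco sequence numbers are consecutive."""
    out = []
    prev = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            out.append(line)
            prev = None
            continue
        is_continuation = (
            prev is not None
            and rec["host"] == prev["host"]
            and rec["seq"] == prev["seq"] + 1
            and not CISCO_TAG_RE.match(rec["msg"])
        )
        if is_continuation:
            out[-1] = out[-1] + " " + rec["msg"]
            prev["seq"] = rec["seq"]  # a third fragment would chain on too
        else:
            out.append(line)
            prev = rec
    return out


def build_datagram(msg, seq=1, facility=18, severity=3):
    """One datagram in the shape a Cisco router sends: <PRI>SEQ: MSG.
    facility 18 is local2 (assumed, to match the f_cisco filter)."""
    pri = facility * 8 + severity
    return f"<{pri}>{seq}: {msg}".encode("ascii")


def send_probe(collector, port=514):
    """Send a single datagram whose MSG contains a newline. If cisco.log then
    shows one record, syslog-ng keeps the datagram whole and the router is
    sending two messages; if it shows two, the collector splits on newline."""
    payload = build_datagram(
        "Mar 13 10:33:13: %BGP-3-INVALID_MPLS: Invalid MPLS label (1)\n"
        "received in update for prefix 10.0.0.0/8 from 10.0.0.1"
    )
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (collector, port))
    return payload


if __name__ == "__main__":
    for rec in join_continuations(SAMPLE_LOG):
        print(rec)
    # send_probe("X.X.X.X")  # collector address is site-specific
```

Run the probe against the collector while watching cisco.log, and in parallel take a packet capture of the router's traffic to the Solaris host: if the router's own output already arrives as two datagrams with two sequence numbers, no source or destination flag in syslog-ng will rejoin them, and the reassembly in `join_continuations()` (or the equivalent on the receiving side) is the practical fix.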