On Tue, Aug 20, 2002 at 08:31:08AM -0400, Stephen Frost wrote:
> * Ted_Rule@flextech.co.uk (Ted_Rule@flextech.co.uk) wrote:
> > Does anyone on the list have experience of Cisco PIX TCP Syslog stream talking to syslog-ng?
> > Does anyone on the list have a good idea of the internal layout of the PIX TCP syslog stream - in particular how is the end of message encoded? (Under UDP of course, EOM is implied by end of packet, but under TCP some explicit EOM marker would have(?) to be added to the stream.)
There was a short description of the PIX protocol on the syslog-sec mailing list. Here it is:

# Sends on TCP port 1468 by default.
# Can have multiple messages in a single packet. They don't appear to be separated by any character. New message is identified by the <PRI> tag.
# TCP connection is made once, and remains open indefinitely.
# If the connection is broken and not able to be re-established, the PIX will stop forwarding network traffic through its interfaces.
# PIX message format changes depending on timestamp settings on the PIX.

I think there should be a newline after messages (otherwise it is not possible to identify <PRI> tags, as it is perfectly legal to put <PRI> within the message itself). So if my assumption is true, this traffic can be fed into syslog-ng by using a TCP source:

source s_pix { tcp(port(1468)); };

The timestamp settings might affect the way syslog-ng recognizes the stamp and hostname, but otherwise this should work.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
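The framing question in the reply above (several messages per TCP segment, a new message recognized by its <PRI> tag, and the observation that <PRI> can legitimately appear inside a message body) is easy to get wrong in a receiver. The following is an added example, not code from the original thread, syslog-ng or Cisco. It reassembles newline-terminated messages across arbitrary TCP segment boundaries, decodes the <PRI> prefix, and shows why splitting on <PRI> alone is unsafe: the second sample message carries a literal "<34>" in attacker-influenced body text (a URL), which a PRI-based splitter turns into a bogus third message. The sample messages and the 166 facility/severity value are constructed for the example; the PIX text after the timestamp is illustrative only.

```python
import re

# Syslog PRI prefix: "<N>" where N = facility*8 + severity, 0..191.
PRI_RE = re.compile(rb"<(\d{1,3})>")


def split_pri(raw):
    """Decode a leading <PRI> into (facility, severity, rest).

    Returns (None, None, raw) when no valid PRI prefix is present.
    """
    m = PRI_RE.match(raw)
    if not m:
        return None, None, raw
    pri = int(m.group(1))
    if pri > 191:
        return None, None, raw
    return pri // 8, pri % 8, raw[m.end():]


class NewlineFramer:
    """Stream reassembler: one message per newline, regardless of how the
    bytes were chopped into TCP segments (the EOM assumption in the reply)."""

    def __init__(self):
        self.buf = b""

    def feed(self, chunk):
        """Append a received segment; return the complete messages it yields."""
        self.buf += chunk
        messages = []
        while True:
            i = self.buf.find(b"\n")
            if i < 0:
                break  # partial message stays buffered until more data arrives
            line = self.buf[:i].rstrip(b"\r")
            self.buf = self.buf[i + 1:]
            if line:
                messages.append(line)
        return messages


def split_on_pri(data):
    """Naive framing: start a new message at every <PRI> tag.

    Shown for contrast; body text containing "<N>" breaks it."""
    starts = [m.start() for m in PRI_RE.finditer(data)]
    ends = starts[1:] + [len(data)]
    return [data[a:b] for a, b in zip(starts, ends)]


# Constructed sample stream (not a real PIX capture). 166 = local4 (20) * 8 + info (6).
MSG1 = (b"<166>Aug 20 08:31:08 pix %PIX-6-302001: Built inbound TCP connection 1 "
        b"for faddr 10.0.0.1/1234 gaddr 10.0.0.2/80 laddr 192.168.1.2/80\n")
MSG2 = (b"<166>Aug 20 08:31:09 pix %PIX-5-304001: 192.168.1.2 Accessed URL "
        b"10.0.0.1:/index.html?x=<34>foo\n")
SAMPLE_STREAM = MSG1 + MSG2


def demo(chunk_size=37):
    """Feed the sample stream through the framer in chunk_size-byte segments
    to simulate TCP segmentation; return the reassembled messages."""
    framer = NewlineFramer()
    messages = []
    for i in range(0, len(SAMPLE_STREAM), chunk_size):
        messages.extend(framer.feed(SAMPLE_STREAM[i:i + chunk_size]))
    assert framer.buf == b"", "stream should end on a message boundary"
    return messages


if __name__ == "__main__":
    for msg in demo():
        fac, sev, rest = split_pri(msg)
        print(f"facility={fac} severity={sev} {rest.decode()}")
    print("newline framing:", len(demo()), "messages")
    print("<PRI> framing:  ", len(split_on_pri(SAMPLE_STREAM)), "messages (one bogus)")
```

Run it and the newline framer yields two messages whatever the segment size, while the <PRI> splitter yields three; the same holds for chunk_size=1, which exercises every possible segment boundary. The same idea is what a tcp() source in syslog-ng relies on, so if the PIX really does not terminate messages with a newline, this framer will buffer forever and the fallback would need a different delimiter from the device, not <PRI> sniffing.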