I changed my source from udp(ip(0.0.0.0) port(514)) to udp(ip(0.0.0.0) port(514) flags(no-parse)) with no other changes. The log entries now are slightly different: there's a <###> term, so they appear as

Oct 30 13:42:55 juniper-router <150>{wan-service-set}[FWNAT]: ASP_NAT_RULE_MATCH: proto 6 (TCP) application: any, ge-0/0/3.2:10.3.4.12:1064 -> 74.125.165.164:80, Match NAT rule-set: , rule: nat-outgoing, term: dynamic-nat

and the match(FWNAT) no longer works at all.

MJB

HÖLTZL Péter wrote:
Dear Mick,
I have a log message that appears in my logfiles as
Oct 28 16:41:22 juniper-router {wan-service-set}[FWNAT]: ASP_NAT_RULE_MATCH: proto 6 (TCP) application: any, ge-0/0/3.2:10.3.13.153:49818 -> 66.249.80.148:80, Match NAT rule-set: , rule: nat-outgoing, term: dynamic-nat
It seems Juniper does not send a valid RFC3164 message (wrong program/pid field). In addition, syslog-ng does not handle it correctly (which could be a bug); that is why the message does not appear in any of the macros (by default the message should be in MSG or MSGONLY). Please try to use the no-parse flag at the source driver which reads incoming syslog messages. I hope it helps. For further info see this:
http://www.balabit.hu/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch08s01.htm...
Search for the word no-parse and please send us the result!
Best wishes,
Peter
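
Added example, not part of the original thread and not syslog-ng's own code: a Python sketch that decodes the `<150>` PRI seen in the no-parse entry, applies the RFC 3164 rule that a TAG is a run of alphanumerics (so a message starting with `{` has an empty TAG), and then extracts the NAT fields directly. The sample payload is taken from the no-parse log line above; the regex layout and field names are assumptions inferred from the two lines quoted in this thread.

```python
import re

# Payload as it appears after the host name in the no-parse log entry quoted above.
SAMPLE = ("<150>{wan-service-set}[FWNAT]: ASP_NAT_RULE_MATCH: proto 6 (TCP) "
          "application: any, ge-0/0/3.2:10.3.4.12:1064 -> 74.125.165.164:80, "
          "Match NAT rule-set: , rule: nat-outgoing, term: dynamic-nat")

PRI_RE = re.compile(r"^<(\d{1,3})>")
# Assumed layout and hypothetical field names, inferred from this thread only.
JUNIPER_RE = re.compile(
    r"^\{(?P<service_set>[^}]*)\}\[(?P<program>[^\]]*)\]:\s*(?P<event>\w+):\s*"
    r"proto (?P<proto_num>\d+) \((?P<proto>\w+)\) application: (?P<application>[^,]*), "
    r"(?P<interface>[^:]+):(?P<src_ip>[\d.]+):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+), Match NAT rule-set: (?P<rule_set>[^,]*), "
    r"rule: (?P<rule>[^,]*), term: (?P<term>.*)$")

def split_pri(payload):
    """Return (facility, severity, rest); both are None when no valid PRI leads."""
    m = PRI_RE.match(payload)
    if not m or int(m.group(1)) > 191:
        return None, None, payload
    pri = int(m.group(1))
    return pri >> 3, pri & 7, payload[m.end():]

def rfc3164_tag(msg):
    """RFC 3164 TAG: leading alphanumerics (max 32); anything else starts CONTENT."""
    m = re.match(r"[A-Za-z0-9]{0,32}", msg)
    return m.group(0), msg[m.end():]

def parse_juniper_nat(payload):
    """Parse one payload into a dict, or return None if the layout does not match."""
    facility, severity, rest = split_pri(payload)
    m = JUNIPER_RE.match(rest)
    if m is None:
        return None
    record = m.groupdict()
    record.update(facility=facility, severity=severity)
    for key in ("proto_num", "src_port", "dst_port"):
        record[key] = int(record[key])
    return record

if __name__ == "__main__":
    _, _, rest = split_pri(SAMPLE)
    print("RFC 3164 tag:", repr(rfc3164_tag(rest)[0]))
    print(parse_juniper_nat(SAMPLE))
```

Lines that do not fit the assumed layout return `None`, so they can be counted or routed to a fallback instead of being silently dropped.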