If I recall correctly, it's because Cisco equipment doesn't terminate its log entries with newlines, so when sending via TCP, syslog-ng thinks the message is going to be continued in another packet (UDP is assumed to be 1 packet per log entry). The only way to fix this is an ugly hack to set the timeout so that when it doesn't get a reply within a certain time, it assumes the log entry ended. But if several log entries are sent within the timeout, then they'll all be mashed together into 1 syslog-ng entry.

Sent: Tuesday, August 17, 2010 12:28:28 PM
From: Clayton Dukes <cdukes@gmail.com>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] TCP recv bug in syslog-ng v2.09?
Hey guys,

Are there any known bugs for syslog-ng v2.09 that won't allow a Cisco router to send logs over TCP? I can see a connection established in syslog-ng. I also see the message come in via tcpdump, but nothing in syslog-ng's output. If I change the router from TCP to UDP, messages come in as expected.
*Router config:*
logging source-interface Loopback0
logging 172.18.224.150
logging host 172.18.224.190 transport tcp
*syslog-ng config:*
source s_all {
    udp();
    tcp(ip(11.31.130.99) port(8002) max-connections(300));
    tcp(ip(172.18.224.190) port(601) max-connections(300));
};
*debug output:*
I commented out the line above for the other interface (11.31.130.99), restarted and this is all I see:
Syslog connection accepted; from='AF_INET(14.3.23.50:63845)', to='AF_INET(172.18.224.190:601)'
*tcpdump:*
14:13:46.914566 IP (tos 0x0, ttl 251, id 4303, offset 0, flags [none], proto TCP (6), length 134)
    14.3.23.50.63845 > xxx.com.601: Flags [.], seq 230:324, ack 1, win 4128, length 94
*Router debug:*
*Aug 17 17:34:19.772: %SYS-5-CONFIG_I: Configured from console by pnoc on vty0 (172.18.224.151)
*Aug 17 17:34:20.776: Released port 15205 in Transport Port Agent for TCP IP type 1 delay 240000
*Aug 17 17:34:20.776: TCB 0x850F9754 destroyed
*Aug 17 17:34:25.775: TCB83648E60 created
*Aug 17 17:34:25.775: TCB83648E60 setting property TCP_PID (8) 845083E4
*Aug 17 17:34:25.775: TCB83648E60 setting property TCP_NO_DELAY (1) 845083E8
*Aug 17 17:34:25.775: TCB83648E60 setting property TCP keepalive timeout (17) 845084A0
*Aug 17 17:34:25.775: TCP: Random local port generated 63845, network 1
*Aug 17 17:34:25.775: TCB83648E60 bound to 14.3.23.50.63845
*Aug 17 17:34:25.775: Reserved port 63845 in Transport Port Agent for TCP IP type 1
*Aug 17 17:34:25.775: TCP: sending SYN, seq 3300233565, ack 0
*Aug 17 17:34:25.775: TCP0: Connection to 172.18.224.190:601, advertising MSS 536
*Aug 17 17:34:25.775: TCP0: state was CLOSED -> SYNSENT [63845 -> 172.18.224.190(601)]
*Aug 17 17:34:25.779: TCP0: state was SYNSENT -> ESTAB [63845 -> 172.18.224.190(601)]
*Aug 17 17:34:25.779: TCP: tcb 83648E60 connection to 172.18.224.190:601, peer MSS 1460, MSS is 536
*Aug 17 17:34:25.779: TCB83648E60 connected to 172.18.224.190.601
*Aug 17 17:34:25.779: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 172.18.224.190 port 601 started - reconnection
Clayton Dukes
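The framing behaviour described in the reply at the top of this thread can be modelled offline. The following is an added example, not code from the thread or from syslog-ng: `LineFramer`, `replay`, the 2-second idle timeout and the sample records are constructed for illustration, and the model assumes a receiver that ends a record at LF or, optionally, after an idle period.

```python
class LineFramer:
    """Toy TCP syslog receiver (hypothetical model, not syslog-ng's code).

    A record ends at LF. If idle_timeout is set, a buffered partial record is
    also emitted once the stream has been silent for that many seconds.
    """

    def __init__(self, idle_timeout=None):
        self.idle_timeout = idle_timeout
        self.buf = b""
        self.last_rx = None

    def tick(self, now):
        """Emit the buffered partial record if the stream has gone idle."""
        if (self.idle_timeout is not None and self.buf
                and now - self.last_rx >= self.idle_timeout):
            record, self.buf = self.buf, b""
            return [record]
        return []

    def feed(self, data, now):
        """Accept one TCP segment; return the records completed by it."""
        out = self.tick(now)            # flush a stale buffer before appending
        self.buf += data
        self.last_rx = now
        *lines, self.buf = self.buf.split(b"\n")
        return out + [line for line in lines if line]


def replay(framer, segments, end):
    """Feed (time, bytes) segments, then check the idle timer once at 'end'."""
    records = []
    for now, data in segments:
        records += framer.feed(data, now)
    return records + framer.tick(end)


# Constructed sample records (not bytes from the capture in the thread).
MSG_A = b"<189>%SYS-5-CONFIG_I: Configured from console"
MSG_B = b"<190>%SYS-6-LOGGINGHOST_STARTSTOP: Logging started"

if __name__ == "__main__":
    # Sender omits LF, no timeout: data is buffered and nothing is logged.
    print(replay(LineFramer(), [(0, MSG_A), (5, MSG_B)], 60))
    # Idle timeout, records 5 s apart: each one is flushed separately.
    print(replay(LineFramer(2), [(0, MSG_A), (5, MSG_B)], 60))
    # Idle timeout, records 0.5 s apart: both are merged into one entry.
    print(replay(LineFramer(2), [(0, MSG_A), (0.5, MSG_B)], 60))
```

For log integrity the third case is the one to watch: merged entries carry only the first record's priority and header, so alerting rules keyed on the second message would not match.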