Problems with Netscreen log entries
Running syslog-ng 1.6.4 on Solaris 9

Log entries from my UNIX devices log fine. Log entries from my Netscreen devices seem to be missing the end of line terminator, as the entries run together in the log file. The default syslog daemon was able to handle these entries fine. Any ideas on how to fix this?

The options in the syslog-ng.conf file are:

options { sync (0); time_reopen (10); log_fifo_size (1000); long_hostnames (off); use_dns (no); use_fqdn (no); create_dirs (no); keep_hostname (yes); };

Thanks

-- 
Paul Mindeman
BTInet Systems Administrator
701-355-5587
mindeman@btinet.net
On Mon, 2004-08-09 at 15:20, Paul Mindeman wrote:
> Running syslog-ng 1.6.4 on Solaris 9
>
> Log entries from my UNIX devices log fine. Log entries from my Netscreen devices seem to be missing the end of line terminator, as the entries run together in the log file. The default syslog daemon was able to handle these entries fine. Any ideas on how to fix this?
>
> The options in the syslog-ng.conf file are:
>
> options { sync (0); time_reopen (10); log_fifo_size (1000); long_hostnames (off); use_dns (no); use_fqdn (no); create_dirs (no); keep_hostname (yes); };
Can you give me a tcpdump snippet to see how a netscreen log message is formatted? Please make sure that you snap the complete packet (-s option).

tcpdump -xXpeni ethX port 514 and udp

should do the trick.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
Bazsi, Balazs Scheidler wrote:
> On Mon, 2004-08-09 at 15:20, Paul Mindeman wrote:
> > Running syslog-ng 1.6.4 on Solaris 9
> >
> > Log entries from my UNIX devices log fine. Log entries from my Netscreen devices seem to be missing the end of line terminator, as the entries run together in the log file. The default syslog daemon was able to handle these entries fine. Any ideas on how to fix this?
> >
> > The options in the syslog-ng.conf file are:
> >
> > options { sync (0); time_reopen (10); log_fifo_size (1000); long_hostnames (off); use_dns (no); use_fqdn (no); create_dirs (no); keep_hostname (yes); };
>
> Can you give me a tcpdump snippet to see how a netscreen log message is formatted? Please make sure that you snap the complete packet (-s option).
>
> tcpdump -xXpeni ethX port 514 and udp
>
> should do the trick.
I'm seeing the same problem as listed above, but did not see a solution posted. I've included a tcpdump listing of a sample packet below. All packets seem to be null terminated, but do not contain a newline. The sending device is a Netscreen ISG2000 and the receiver is syslog-ng 1.6.3 running on Red Hat Linux Advanced Server release 2.1AS.

If the logs are sent from the ISG to a FreeBSD host running standard syslog, and then forwarded from there to the syslog-ng host, a newline is present in the logs on both servers.

Any thoughts?

Phil

11:04:03.044944 IP 10.40.44.3.2148 > 10.224.8.2.syslog: UDP, length 146
        0x0000:  00d0 b7a8 8008 0010 db86 5e80 0800 4500  ..........^...E.
        0x0010:  00ae 07b9 0000 4011 297a 0a28 2c03 0ae0  ......@.)z.(,...
        0x0020:  0802 0864 0202 009a 8108 3c31 3636 3e67  ...d......<166>g
        0x0030:  702d 6564 6765 2d66 773a 204e 6574 5363  p-edge-fw:.NetSc
        0x0040:  7265 656e 2064 6576 6963 655f 6964 3d67  reen.device_id=g
        0x0050:  702d 6564 6765 2d66 7720 205b 526f 6f74  p-edge-fw..[Root
        0x0060:  5d73 7973 7465 6d2d 696e 666f 726d 6174  ]system-informat
        0x0070:  696f 6e2d 3030 3736 373a 204c 6f63 6b20  ion-00767:.Lock.
        0x0080:  636f 6e66 6967 7572 6174 696f 6e20 656e  configuration.en
        0x0090:  6465 6420 6279 2074 6173 6b20 7373 682d  ded.by.task.ssh-
        0x00a0:  636d 643a 3820 2832 3030 352d 3031 2d30  cmd:8.(2005-01-0
        0x00b0:  3420 3131 3a30 343a 3033 2900            4.11:04:03).
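The capture above shows the whole story in one datagram: the 146-byte UDP payload starts with the `<166>` priority and ends in a single 0x00 byte, with no LF anywhere. A receiver that writes each payload to the file verbatim therefore produces one ever-growing line, which also breaks any line-oriented detection rule reading that file. The script below is an added example for this thread, not code from syslog-ng, tcpdump or any of the posters: it rebuilds the frame from the posted hex dump, peels off the Ethernet/IP/UDP headers, reports which terminator the sender used and the facility/severity, and normalises the payload so that exactly one datagram becomes exactly one file line. All function names (`parse_tcpdump_hex`, `udp_payload`, `terminator`, `parse_pri`, `normalise`, `lines_written`) are this example's own.

```python
"""Decode the datagram captured in the thread and show why it runs together.

Added example; not code from syslog-ng, tcpdump or any poster. The hex dump
is the tcpdump -xX output quoted above (ISG2000 -> syslog-ng host); the
helper functions and their names are this example's own.
"""
import re

# The tcpdump -xX output posted in the thread (one Ethernet frame).
TCPDUMP_HEX = """
0x0000:  00d0 b7a8 8008 0010 db86 5e80 0800 4500  ..........^...E.
0x0010:  00ae 07b9 0000 4011 297a 0a28 2c03 0ae0  ......@.)z.(,...
0x0020:  0802 0864 0202 009a 8108 3c31 3636 3e67  ...d......<166>g
0x0030:  702d 6564 6765 2d66 773a 204e 6574 5363  p-edge-fw:.NetSc
0x0040:  7265 656e 2064 6576 6963 655f 6964 3d67  reen.device_id=g
0x0050:  702d 6564 6765 2d66 7720 205b 526f 6f74  p-edge-fw..[Root
0x0060:  5d73 7973 7465 6d2d 696e 666f 726d 6174  ]system-informat
0x0070:  696f 6e2d 3030 3736 373a 204c 6f63 6b20  ion-00767:.Lock.
0x0080:  636f 6e66 6967 7572 6174 696f 6e20 656e  configuration.en
0x0090:  6465 6420 6279 2074 6173 6b20 7373 682d  ded.by.task.ssh-
0x00a0:  636d 643a 3820 2832 3030 352d 3031 2d30  cmd:8.(2005-01-0
0x00b0:  3420 3131 3a30 343a 3033 2900            4.11:04:03).
"""

ETH_HDR_LEN = 14
UDP_HDR_LEN = 8
HEX_GROUP = re.compile(r"[0-9a-fA-F]{4}")
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_tcpdump_hex(dump: str) -> bytes:
    """Rebuild the raw frame from tcpdump -x/-X lines (offset, up to 8 hex groups, ASCII)."""
    frame = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue
        for tok in tokens[1:9]:            # at most 8 groups of two bytes per line
            if not HEX_GROUP.fullmatch(tok):
                break                      # reached the ASCII column
            frame += bytes.fromhex(tok)
    return bytes(frame)


def udp_payload(frame: bytes) -> bytes:
    """Strip Ethernet, IPv4 (honouring IHL) and UDP headers; trust the UDP length field."""
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    udp_off = ETH_HDR_LEN + ihl
    udp_len = int.from_bytes(frame[udp_off + 4:udp_off + 6], "big")
    return frame[udp_off + UDP_HDR_LEN:udp_off + udp_len]


def terminator(payload: bytes) -> str:
    """Name the framing the sender used (the ISG2000 datagram ends in NUL, not LF)."""
    if payload.endswith(b"\r\n"):
        return "CRLF"
    if payload.endswith(b"\n"):
        return "LF"
    if payload.endswith(b"\x00"):
        return "NUL"
    return "none"


def parse_pri(payload: bytes):
    """Return (facility, severity) from the <PRI> prefix, or None if it is malformed."""
    m = PRI_RE.match(payload)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return divmod(pri, 8)


def normalise(payload: bytes) -> bytes:
    """One datagram -> exactly one file line: drop trailing NUL/CR/LF, escape any
    control byte left inside the message (so a sender cannot forge a line break
    in the file), then append a single LF."""
    body = payload.rstrip(b"\x00\r\n")
    body = re.sub(rb"[\x00-\x1f\x7f]", lambda m: b"\\x%02x" % m.group(0)[0], body)
    return body + b"\n"


def lines_written(datagrams, normalise_first: bool) -> int:
    """Lines a log file would contain after writing these datagrams back to back."""
    data = b"".join(normalise(d) if normalise_first else d for d in datagrams)
    return data.count(b"\n")


if __name__ == "__main__":
    payload = udp_payload(parse_tcpdump_hex(TCPDUMP_HEX))
    print(len(payload), "bytes; terminator:", terminator(payload),
          "; facility/severity:", parse_pri(payload))
    print("two raw datagrams ->", lines_written([payload, payload], False), "line(s);",
          "two normalised ->", lines_written([payload, payload], True), "line(s)")
    print(normalise(payload).decode("ascii"), end="")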
participants (3)
-
Balazs Scheidler
-
Paul Mindeman
-
Philip Webster