Cisco ASA logging to syslog-ng and weird extra characters on new lines
On Fri, 16 Aug 2013 15:43:45 +0000 (GMT), "Finnur Orn Gudmundsson" <finnzi@finnzi.com> wrote:
Hi all,
I have a syslog-ng server:

rpm -qi syslog-ng
Name        : syslog-ng                        Relocations: (not relocatable)
Version     : 3.2.5                            Vendor: Fedora Project
Release     : 3.el6                            Build Date: Sun 15 Jan 2012 07:49:04 PM GMT
Install Date: Wed 06 Mar 2013 03:56:17 PM GMT  Build Host: x86-14.phx2.fedoraproject.org
Group       : System Environment/Daemons       Source RPM: syslog-ng-3.2.5-3.el6.src.rpm
Size        : 1594638                          License: GPLv2+
Signature   : RSA/8, Sun 15 Jan 2012 08:55:15 PM GMT, Key ID 3b49df2a0608b895
The syslog-ng package installed is built and distributed by Fedora EPEL but I was hoping I could post here.
I replaced an old syslog-ng 2.x server with this one and almost everything works as expected (there is always this one thing that does not work after a migration :).
There is a Cisco ASA box logging to this server.
For some records I get this extra space on a new line, like this:

Aug 16 15:35:56 10.X.X.X %ASA-6-302021: Teardown ICMP connection for faddr 10.X.X.X/9483 gaddr 10.X.X.X/0 laddr 10.X.X.X/0
Aug 16 15:35:56 10.X.X.X %ASA-5-304001: 10.X.X.X Accessed URL 46.X.X.X:/
<
Aug 16 15:35:56 10.X.X.X %ASA-5-304001: 10.X.X.X Accessed URL 92.X.X.X:http://sphotos-g.ak.fbcdn.net/hphotos-X/XxX/11X_221X18801_1X554_n.jpg
Aug 16 15:35:56 10.X.X.X %ASA-6-305011: Built dynamic TCP translation from inside:10.X.X.X/38697 to outside:194.X.X.X/38697

(the < char is on a new line)
And another one:
Aug 16 15:35:56 10.Z.Z.Z %ASA-6-302013: Built outbound TCP connection 1809896329 for outside:54.Z.Z.Z/80 (54.Z.Z.Z/80) to inside:10.Z.Z.Z/38684 (194.Z.Z.Z/38684)
Aug 16 15:35:56 10.Z.Z.Z %ASA-5-304001: 10.Z.Z.Z Accessed URL 10.Z.Z.Z:/
1
Aug 16 15:35:56 10.Z.Z.Z %ASA-6-302014: Teardown TCP connection 1809896328 for dmz-lb-int:10.Z.Z.Z/58759 to inside:10.Z.Z.Z/80 duration 0:00:00 bytes 162 TCP FINs

(the single 1 char is on a new line).
Does someone know if this is a known bug? I am aware that I am running a somewhat old version.
Bgrds,
Finnzi
Hi all,

I think I found the fix. Shortly after I posted this a colleague noticed that on the old server, where this did not happen, this character was always after a tab.

The option flags(no-multi-line) in the destination line fixed this.

All hail king Google!

Bgrds,
Finnzi
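As an added example (not from the thread and not syslog-ng code): a small Python audit for ASA log files written before the flag was set. It treats any line that does not begin with the BSD timestamp, host and "%ASA-<severity>-<id>:" header as a fragment of the preceding record, re-attaches it, and reports which message IDs produced fragments. The sample records are constructed from the ones quoted in the thread (addresses masked as in the original); joining fragments back with a tab is an assumption based on the colleague's observation that the character followed a tab on the old server.

```python
import re
import sys

# Constructed sample, modelled on the records quoted in the thread. The lone
# "<" and "1" lines are the symptom being audited.
SAMPLE_LOG = """\
Aug 16 15:35:56 10.X.X.X %ASA-6-302021: Teardown ICMP connection for faddr 10.X.X.X/9483 gaddr 10.X.X.X/0 laddr 10.X.X.X/0
Aug 16 15:35:56 10.X.X.X %ASA-5-304001: 10.X.X.X Accessed URL 46.X.X.X:/
<
Aug 16 15:35:56 10.X.X.X %ASA-5-304001: 10.X.X.X Accessed URL 92.X.X.X:http://sphotos-g.ak.fbcdn.net/hphotos-X/XxX/11X_221X18801_1X554_n.jpg
Aug 16 15:35:56 10.Z.Z.Z %ASA-6-302013: Built outbound TCP connection 1809896329 for outside:54.Z.Z.Z/80 (54.Z.Z.Z/80) to inside:10.Z.Z.Z/38684 (194.Z.Z.Z/38684)
Aug 16 15:35:56 10.Z.Z.Z %ASA-5-304001: 10.Z.Z.Z Accessed URL 10.Z.Z.Z:/
1
Aug 16 15:35:56 10.Z.Z.Z %ASA-6-302014: Teardown TCP connection 1809896328 for dmz-lb-int:10.Z.Z.Z/58759 to inside:10.Z.Z.Z/80 duration 0:00:00 bytes 162 TCP FINs
"""

# A well-formed record, as written by the file destination in the thread:
# "<Mon DD HH:MM:SS> <host> %ASA-<severity>-<six-digit id>: <message>"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): "
    r"(?P<msg>.*)$"
)

# Separator used when re-attaching a fragment (assumption: the original
# message had a tab where the line break appeared).
JOIN_SEP = "\t"


def parse_records(text):
    """Split a log file into ASA records.

    Lines that do not start a record are fragments: they are appended to the
    previous record's message and also reported separately. Returns
    (records, fragments); each fragment is (line_no, text, record_index),
    where record_index is None if the fragment precedes any record.
    """
    records = []
    fragments = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r")
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["line_no"] = line_no
            rec["continuation"] = []
            records.append(rec)
        elif records:
            records[-1]["msg"] += JOIN_SEP + line.strip()
            records[-1]["continuation"].append(line)
            fragments.append((line_no, line, len(records) - 1))
        else:
            fragments.append((line_no, line, None))
    return records, fragments


def fragment_report(text):
    """Summarise how many records were read, how many fragment lines were
    found, and which ASA message IDs the fragments belonged to."""
    records, fragments = parse_records(text)
    by_msgid = {}
    for _, _, idx in fragments:
        key = records[idx]["msgid"] if idx is not None else "<orphan-at-start>"
        by_msgid[key] = by_msgid.get(key, 0) + 1
    return {"records": len(records), "fragments": len(fragments), "by_msgid": by_msgid}


if __name__ == "__main__":
    # Usage: python asa_fragments.py [logfile]; with no file, audit the sample.
    data = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    records, fragments = parse_records(data)
    for line_no, frag, idx in fragments:
        owner = "none" if idx is None else "%s line %d" % (records[idx]["msgid"], records[idx]["line_no"])
        print("line %d: fragment %r re-attached to record %s" % (line_no, frag, owner))
    print(fragment_report(data))
```

Both fragments on the page sit in 304001 "Accessed URL" records, whose URL field is copied from client traffic, so a downstream parser should not assume that a line boundary is a record boundary; re-attaching unrecognised lines to the previous record, as above, loses nothing, whereas dropping them silently discards part of a URL. The author's fix, flags(no-multi-line) on the destination, stops new fragments from being written; this audit is for archives produced before that change.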