Syslog-ng seems to be not parsing correctly if the PROGRAM macro parsing fails.
Hello all.
I am using syslog-ng v 2.0.5.
However, I am gathering logs from the Cisco Catalyst switches, but when I tried to use the PROGRAM macro it seems not to be working properly.
In Cisco switches, there seem to be messages where the program is not included in the message that is sent from the device.
I would like to know how syslog-ng parses the messages that do not have the PROGRAM name included, and what would happen if we use the PROGRAM macro for these messages.
Following is the proper message:
Jul 27 13:17:11 l2swtich 128: %SYS-5-CONFIG_I: Configured from console by console
**** There are logs that do not have this part.
Regards,
Yu Watanabe
On Mon, 2009-07-27 at 14:14 +0900, Yu Watanabe wrote:
Hello all.
I am using syslog-ng v 2.0.5.
However, I am gathering logs from the Cisco Catalyst switches, but when I tried to use the PROGRAM macro it seems not to be working properly.
In Cisco switches, there seem to be messages where the program is not included in the message that is sent from the device.
I would like to know how syslog-ng parses the messages that do not have the PROGRAM name included, and what would happen if we use the PROGRAM macro for these messages.
Following is the proper message:
Jul 27 13:17:11 l2swtich 128: %SYS-5-CONFIG_I: Configured from console by console
**** There are logs that do not have this part.
TO: Mr. Panel
Hello Vincent.
Thank you for the reply.
I understand that when a non-BSD-syslog date format log comes into syslog-ng, it does not operate properly.
Could I ask you three questions about this syslog message? It would be a great help if you could spare the time to answer these questions.
1. I would like to confirm my thought about this. More specifically, I saw the packet using tshark. And, in the "Message:" area, the properly handled packet always has the process id in its beginning.
Like, "128: Jun 09 2009 16:30:19: %SYS-5-CONFIG_I: Configured from console by console". And, no matter what kind of date format was included in the message, it was properly parsed in syslog-ng.
I thought the reason why it was not parsed correctly was whether the process id had existed or not in the packet. Am I on the wrong point? I apologize if I was giving a wrong opinion.
2. Just want to confirm: does syslog-ng stop processing the destination driver process whenever it goes messy with the PROGRAM macro?
3. So for now, to escape from syslog-ng being improper, should I not use the PROGRAM macro?
Best Regards,
Yu Watanabe
Vincent Panel wrote:
On Mon, 2009-07-27 at 14:14 +0900, Yu Watanabe wrote:
Hello all.
I am using syslog-ng v 2.0.5.
However, I am gathering logs from the Cisco Catalyst switches, but when I tried to use the PROGRAM macro it seems not to be working properly.
In Cisco switches, there seem to be messages where the program is not included in the message that is sent from the device.
I would like to know how syslog-ng parses the messages that do not have the PROGRAM name included, and what would happen if we use the PROGRAM macro for these messages.
Following is the proper message:
Jul 27 13:17:11 l2swtich 128: %SYS-5-CONFIG_I: Configured from console by console
**** There are logs that do not have this part.
See https://bugzilla.balabit.com/show_bug.cgi?id=40
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
On Mon, 2009-07-27 at 20:01 +0900, Yu Watanabe wrote:
Vincent Panel wrote:
On Mon, 2009-07-27 at 14:14 +0900, Yu Watanabe wrote:
Hello all.
I am using syslog-ng v 2.0.5.
However, I am gathering logs from the Cisco Catalyst switches, but when I tried to use the PROGRAM macro it seems not to be working properly.
In Cisco switches, there seem to be messages where the program is not included in the message that is sent from the device.
I would like to know how syslog-ng parses the messages that do not have the PROGRAM name included, and what would happen if we use the PROGRAM macro for these messages.
Following is the proper message:
Jul 27 13:17:11 l2swtich 128: %SYS-5-CONFIG_I: Configured from console by console
**** There are logs that do not have this part.
I understand that when a non-BSD-syslog date format log comes into syslog-ng, it does not operate properly.
Well, your problem is not exactly the same as mine, but it was just to stress that Cisco devices usually do not send syslog messages in an appropriate RFC-compliant format.
Could I ask you three questions about this syslog message? It would be a great help if you could spare the time to answer these questions.
1. I would like to confirm my thought about this. More specifically, I saw the packet using tshark. And, in the "Message:" area, the properly handled packet always has the process id in its beginning.
Like, "128: Jun 09 2009 16:30:19: %SYS-5-CONFIG_I: Configured from console by console". And, no matter what kind of date format was included in the message, it was properly parsed in syslog-ng.
In your first mail, the format was:
MM DD HH:mm:ss HOSTNAME PROGRAM: %MSGID: CONTENT
Now, it is:
PROGRAM: MM DD YYYY HH:mm:ss: %MSGID: CONTENT
I have also seen:
MM DD YYYY HH:mm:ss %MSGID: CONTENT
And:
MM DD YYYY HH:mm:ss HOSTNAME %MSGID: CONTENT
So, it's difficult for syslog-ng to parse headers correctly because no one follows the same convention... I wish syslog-ng allowed the user to specify the format of the header that could be received.
I thought the reason why it was not parsed correctly was whether the process id had existed or not in the packet. Am I on the wrong point? I apologize if I was giving a wrong opinion.
2. Just want to confirm: does syslog-ng stop processing the destination driver process whenever it goes messy with the PROGRAM macro?
3. So for now, to escape from syslog-ng being improper, should I not use the PROGRAM macro?
I can't tell you, sorry... I'm not developing syslog-ng and have never used the PROGRAM macro.
Hi,
2009/7/27 Yu Watanabe <yu.watanabe@jp.fujitsu.com>:
TO: Mr. Panel
Hello Vincent.
Thank you for the reply.
I understand that when a non-BSD-syslog date format log comes into syslog-ng, it does not operate properly.
This isn't entirely correct. syslog-ng supports several time formats; if you can read C code, take a look at the log_msg_parse() function in src/logmsg.c. When it comes to syslog-ng 3, the parser is a little bit more complex.
Could I ask you three questions about this syslog message? It would be a great help if you could spare the time to answer these questions.
1. I would like to confirm my thought about this. More specifically, I saw the packet using tshark. And, in the "Message:" area, the properly handled packet always has the process id in its beginning.
Like, "128: Jun 09 2009 16:30:19: %SYS-5-CONFIG_I: Configured from console by console". And, no matter what kind of date format was included in the message, it was properly parsed in syslog-ng.
syslog messages should start with *priority* enclosed between '<' and '>'. Please show the complete/unedited packet dump for a proper analysis.
I thought the reason why it was not parsed correctly was whether the process id had existed or not in the packet. Am I on the wrong point? I apologize if I was giving a wrong opinion.
I tend to disagree. I don't see any PID in the above line but as it should come *after* the program name the presence of PID doesn't really matter.
2. Just want to confirm: does syslog-ng stop processing the destination driver process whenever it goes messy with the PROGRAM macro?
No.
3. So for now, to escape from syslog-ng being improper, should I not use the PROGRAM macro?
If the log isn't parseable then PROGRAM could be either blank or contain improper data - so the obvious answer is to not use macros which depend on the successful parsing of the message in this case.
hth,
Sandor
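To make concrete what Vincent's list of header shapes and Sandor's "blank or improper data" remark mean in practice, here is an added example (not syslog-ng's log_msg_parse(), but a deliberately simplified RFC 3164-style header parser) run over constructed lines in the four Cisco shapes from the thread. It shows where a PROGRAM-style field ends up blank (header does not fit at all) or filled with the wrong token (the Cisco sequence number "128" taken as the program name), plus a check a collector can apply before trusting that field; the priority <189> and the sample text are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the four header shapes listed in the thread
# (local7.notice priority <189> added; these are not captured packets).
SAMPLES = [
    "<189>Jul 27 13:17:11 l2swtich 128: %SYS-5-CONFIG_I: Configured from console by console",
    "<189>128: Jun 09 2009 16:30:19: %SYS-5-CONFIG_I: Configured from console by console",
    "<189>Jun 09 2009 16:30:19 %SYS-5-CONFIG_I: Configured from console by console",
    "<189>Jun 09 2009 16:30:19 l2swtich %SYS-5-CONFIG_I: Configured from console by console",
]

# Simplified RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME PROGRAM[PID]: MSG
# ([ \d]\d accepts the space-padded day BSD syslog uses for days 1-9).
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

@dataclass
class ParsedMsg:
    parsed: bool   # did the header fit the BSD shape at all?
    program: str   # what a PROGRAM-style macro would expand to
    msg: str       # remaining message text

def parse_bsd_syslog(line: str) -> ParsedMsg:
    """Parse one line; on header mismatch leave PROGRAM blank and keep the payload."""
    m = HEADER_RE.match(line)
    if not m:
        body = re.sub(r"^<\d{1,3}>", "", line)
        return ParsedMsg(False, "", body)
    return ParsedMsg(True, m.group("prog"), m.group("msg"))

def program_is_suspect(p: ParsedMsg) -> bool:
    """True when PROGRAM is unusable: unparsed, blank, or a bare number
    (a Cisco sequence counter such as '128:' lands here, not a process name)."""
    return not p.parsed or p.program == "" or p.program.isdigit()

if __name__ == "__main__":
    for line in SAMPLES:
        p = parse_bsd_syslog(line)
        print(f"parsed={p.parsed!s:5} suspect={program_is_suspect(p)!s:5} PROGRAM={p.program!r}")
```

Only the first shape parses at all, and even there PROGRAM is the sequence number rather than a program name, which is why a destination template keyed on it produces odd file or table names for Cisco sources.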