I can't seem to get syslog-ng to recognize a syslog message. I used the example message you give in the docs, but all it says is "Invalid frame header".

Here is the error message:

Oct 13 14:35:55 logger-01 syslog-ng[29653]: Invalid frame header; header=''

Here is how I'm sending my test message:

echo "<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8" | nc logger-01 20514

Here is the config:

options { flush_lines(1); };
source src { internal(); syslog(ip("192.168.27.198") port(20514) transport("tcp")); };
destination dest { file("/data/local/logs/sys.log" owner(xl) group (xl)); };
log { source(src); destination(dest); };

------------------------------------------------------------------------------------------
This message is for the named person(s) use only. It may contain confidential proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Allston Trading LLC and its subsidiaries and affiliates each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity.
------------------------------------------------------------------------------------------
Hi,

you are trying to receive IETF syslog protocol (syslog() source driver) that uses frames rather than newlines to separate the individual messages.
At the same time the included nc command line sends legacy BSD syslog w/o a frame header (essentially the same as sending with the tcp() driver), that's why you are receiving this error from syslog-ng.
If you change the source to tcp(), the problem should go away.

Best Regards,
Balint

--
Balint Kovacs
Security Engineer
balint.kovacs@balabit.com
BalaBit IT Security
Bártfai str. 54. H-1115 Budapest
Phone +36 1 371 0540 Fax +36 1 208 0875

The content of this message, including any attachments is confidential and under legal protection, it may not be published or publicly disclosed. The message may be used only by the addressee and those authorized by the addressee to do so. If you are not the addressee of this message, please notify the sender of the message by phone or e-mail, and delete the message and its attachments from your system. If you are not the addressee, you are forbidden to copy, save, disclose, or abuse the message or any attachments.
I want the new syslog style messages. I'm writing some Java code to send messages to syslog and I need the new format. Is there somewhere that the transport protocol is described? It will also be over UDP. TCP was just for a little test.

Thanks
-j

On Oct 14, 2009, at 4:09 AM, Balint Kovacs wrote:
If you change the source to tcp(), the problem should go away.
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
AFAIK (Bazsi, pls correct if I'm wrong) the format is described in RFC5425 (http://tools.ietf.org/html/rfc5425) Section 4.3 "Sending data". The RFC concerns TLS transport, but syslog-ng implements the same transport format over TCP as well.

If you're comfortable with reading C code, you can also take a look at how syslog-ng does this in logproto.c, around the function log_proto_framed_client_post().

Best Regards,
Balint
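The frame format Balint's two replies describe (the syslog() driver's octet counting from RFC 5425 section 4.3, as opposed to the newline-delimited stream that `echo ... | nc` and the tcp() driver use), worked through as an added example. This is not code from syslog-ng, from its documentation or from anyone in the thread, and it is Python rather than the Java jnordwick is writing so that it can be tried offline. The host and port in send_framed, the ten-digit cap on the length field, the rejection of a leading zero (RFC 5425 spells MSG-LEN as NONZERO-DIGIT *DIGIT) and the optional TLS branch through the ssl module are assumptions of this example; the "BOM" in the docs' message is written out as the three UTF-8 bytes that placeholder stands for.

```python
"""Octet-counting frames for RFC 5424 messages over TCP (RFC 5425, section 4.3).

Added illustration for the thread above; not code from syslog-ng, its docs or
any participant. Frame layout:   MSG-LEN SP SYSLOG-MSG
where MSG-LEN is the decimal byte length of SYSLOG-MSG with no leading zero.
"""
import socket
import ssl

BOM = b"\xef\xbb\xbf"    # UTF-8 byte order mark; "BOM" in the docs' example stands for these bytes
NILVALUE = b"-"
MAX_HEADER_DIGITS = 10   # assumption: a longer run of digits is treated as a bad header

# The RFC 5424 example message quoted in the thread, constructed here as bytes.
RFC5424_EXAMPLE = (
    b"<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - "
    + BOM + b"'su root' failed for lonvick on /dev/pts/8"
)


class FrameError(ValueError):
    """Bytes at a frame boundary were not 'digits SP', e.g. newline-delimited input."""


def build_rfc5424(facility, severity, timestamp, hostname, app,
                  procid=None, msgid=None, structured_data=None, msg=b""):
    """Assemble an RFC 5424 message: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD [SP MSG]."""
    pri = facility * 8 + severity               # e.g. auth (4) * 8 + critical (2) = 34
    parts = [b"<%d>1" % pri, timestamp, hostname or NILVALUE, app or NILVALUE,
             procid or NILVALUE, msgid or NILVALUE, structured_data or NILVALUE]
    header = b" ".join(parts)
    if msg:
        return header + b" " + BOM + msg        # RFC 5424: a UTF-8 MSG SHOULD start with the BOM
    return header


def frame(msg):
    """Octet-counting frame for the syslog() driver, e.g. b'110 <34>1 ...'. Counts bytes, not characters."""
    if not msg:
        raise ValueError("empty syslog message")
    return b"%d %s" % (len(msg), msg)


def newline_delimited(msg):
    """Legacy form the tcp() driver expects (and what `echo ... | nc` sends)."""
    return msg + b"\n"


def parse_frames(stream):
    """Split a received byte stream into (messages, unconsumed tail).

    Incomplete frames stay in the tail for the next read; a boundary that does not
    start with 'digits SP' raises FrameError, the receiver-side analogue of the
    'Invalid frame header' message in the thread.
    """
    msgs, pos, n = [], 0, len(stream)
    while pos < n:
        sp = stream.find(b" ", pos, pos + MAX_HEADER_DIGITS + 1)
        if sp == -1:
            head = stream[pos:pos + MAX_HEADER_DIGITS + 1]
            if head.isdigit() and len(head) <= MAX_HEADER_DIGITS:
                break                            # header still arriving
            raise FrameError("Invalid frame header; header=%r" % head)
        head = stream[pos:sp]
        if not head.isdigit() or head.startswith(b"0"):
            raise FrameError("Invalid frame header; header=%r" % head)
        length, start = int(head), sp + 1
        if start + length > n:
            break                                # body still arriving
        msgs.append(stream[start:start + length])
        pos = start + length
    return msgs, stream[pos:]


def looks_framed(data):
    """True if data is a (possibly incomplete) octet-counted stream, False otherwise."""
    try:
        parse_frames(data)
        return True
    except FrameError:
        return False


def send_framed(host, port, messages, cafile=None, timeout=5.0):
    """Send framed messages to a syslog() source over one TCP connection.

    host/port are assumptions. With cafile set, the same frames go over TLS
    (RFC 5425 proper); without it the stream is plaintext and anyone on the path
    can read or inject messages. Returns the number of bytes written.
    """
    payload = b"".join(frame(m) for m in messages)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if cafile:
            ctx = ssl.create_default_context(cafile=cafile)
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.sendall(payload)
        else:
            sock.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    # Offline demonstration; send_framed("logger-01", 20514, [RFC5424_EXAMPLE]) would put it on the wire.
    print(frame(RFC5424_EXAMPLE))
    print(parse_frames(frame(RFC5424_EXAMPLE) + frame(b"<13>1 - - - - - -")))
    print(looks_framed(newline_delimited(RFC5424_EXAMPLE)))   # False: this is what nc sent
```

The length field counts bytes after encoding, so a message with multi-byte UTF-8 in MSG must be measured as bytes, not characters, or the receiver will desynchronise and read the next frame's digits out of the middle of this one. The same frames are what go over TLS; only the socket changes, which is why the plaintext variant is a deployment choice rather than a different protocol.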
Hi!
AFAIK (Bazsi, pls correct if I'm wrong) the format is described in RFC5425 (http://tools.ietf.org/html/rfc5425) Section 4.3 "Sending data". The RFC concerns TLS transport, but syslog-ng implements the same transport format over TCP as well.
Yes. RFC5424 only describes the message format but does not deal with the transport. RFC5425 defines RFC5424 over TLS/TCP, while RFC5426 describes RFC5424 over UDP. It means RFC5424 over TCP (not encrypted) is not RFC compliant. Syslog-ng can provide the following non-standard transports:

* RFC3164 over TCP
* RFC3164 over TCP/TLS
* RFC5424 over TCP

Best wishes,
Peter Höltzl

--
Höltzl Péter
CISA, IT security consultant
holtzl.peter@balabit.hu
+36 20 366 9667
BalaBit IT Security
1115 Budapest XI. Bártfai u. 54.
Tel +36 1 371 0540 Fax +36 1 208 0875
RFC 5426 (over UDP) does not seem to describe the header that syslog-ng keeps complaining about. What I was able to tell from tcpdump is that the message is prefixed with the number of bytes in the message followed by a space (then the message with a terminating newline).

At least this seems to work for syslog-ng, but I am not sure how compliant I am being.

-j

On Oct 14, 2009, at 2:37 PM, Höltzl Péter wrote:
On Wed, 2009-10-14 at 15:47 -0500, jnordwick wrote:
This seems to be a syslog-ng bug then. UDP doesn't have a frame header as the datagrams separate syslog messages just fine. I'll look into this.

--
Bazsi
That is just plain dumb. Forcing encryption to be compliant? ugh.

On Oct 14, 2009, at 2:37 PM, Höltzl Péter wrote:
RFC5424 over TCP (not encrypted) is not RFC compliant
participants (4)
- Balazs Scheidler
- Balint Kovacs
- Höltzl Péter
- jnordwick