RE: [syslog-ng] Syslog-ng 1.6.4 adds ^@ to each line
Hi Balazs, it is very curious. Some tcpdumps don't give me all the characters. Perhaps this is the problem??? Here are some new ones:

10:49:09.668790 .syslog-ng > .syslog-ng: udp 85
0x0000 4500 0071 cfed 0000 3e11 950b 0ac6 00fd E..q....>.......
0x0010 0ac7 00fa 0202 0202 005d 1cd7 3c31 3430 .........]..<140
0x0020 3e41 4343 543a 204c 4f47 494e 2046 4149 >ACCT:.LOGIN.FAI
0x0030 4c45 4420 6173 2061 646d 696e 2066 726f LED.as.admin.fro
0x0040 6d20 5445 4c4e 4554 2031 302e 3139 392e m.TELNET.10.199.
0x0050 322e 2.

10:49:27.116598 .syslog-ng > .syslog-ng: udp 82
0x0000 4500 006e cff6 0000 3e11 9505 0ac6 00fd E..n....>.......
0x0010 0ac7 00fa 0202 0202 005a 0e93 3c31 3430 .........Z..<140
0x0020 3e41 4343 543a 204c 4f47 494e 2046 4149 >ACCT:.LOGIN.FAI
0x0030 4c45 4420 6173 2031 3220 6672 6f6d 2054 LED.as.12.from.T
0x0040 454c 4e45 5420 3130 2e31 3939 2e32 2e36 ELNET.10.199.2.6
0x0050 3520 5.

10:52:18.644121 .syslog-ng > .syslog-ng: udp 84
0x0000 4500 0070 d007 0000 3e11 94f2 0ac6 00fd E..p....>.......
0x0010 0ac7 00fa 0202 0202 005c 6ef8 3c31 3430 .........\n.<140
0x0020 3e41 4343 543a 204c 4f47 494e 2046 4149 >ACCT:.LOGIN.FAI
0x0030 4c45 4420 6173 2061 7364 6620 6672 6f6d LED.as.asdf.from
0x0040 2054 454c 4e45 5420 3130 2e31 3939 2e32 .TELNET.10.199.2
0x0050 2e36 .6

10:52:21.290085 .syslog-ng > .syslog-ng: udp 85
0x0000 4500 0071 d015 0000 3e11 94e3 0ac6 00fd E..q....>.......
0x0010 0ac7 00fa 0202 0202 005d 3f3a 3c31 3430 .........]?:<140
0x0020 3e41 4343 543a 204c 4f47 494e 2046 4149 >ACCT:.LOGIN.FAI
0x0030 4c45 4420 6173 2077 7433 3435 2066 726f LED.as.wt345.fro
0x0040 6d20 5445 4c4e 4554 2031 302e 3139 392e m.TELNET.10.199.
0x0050 322e 2.

Balazs Scheidler wrote:
On 2004-06-03, Thu, at 15:57, Benjamin.Zoeller@salt-solutions.de wrote:
Loic Minier wrote:
Benjamin.Zoeller@salt-solutions.de - Thu, Jun 03, 2004:
The problem is that I can't see the log line itself, thus I am unable here my log:
I think you should send the content of the network packets (containing the log lines). This is achieved with tcpdump -X or -XX under Linux, check man tcpdump if you're running something else.
Ah, ok. Now I understand. Here is a login attempt.
15:58:19.707437 XX.XXX.X.XXX.syslog-ng > XXX.XXX.XX.syslog-ng: udp 85
0x0000 4500 0071 ca25 0000 3e11 9ad3 0ac6 00fd E..q.%..>.......
0x0010 0ac7 00fa 0202 0202 005d 04d1 3c31 3430 .........]..<140
0x0020 3e41 4343 543a 204c 4f47 494e 2046 4149 >ACCT:.LOGIN.FAI
0x0030 4c45 4420 6173 2061 646d 696e 2066 726f LED.as.admin.fro
0x0040 6d20 5445 4c4e 4554 2031 302e 3139 392e m.TELNET.10.199.
0x0050 322e 2.
I'm afraid this is not a complete packet. tcpdump says it is 85 bytes long, but it is only 82, and as it seems the line itself is not complete either (the last IP address is cut off after the third number).
I sent the same message to my local syslog-ng process but there was no NUL character appended.
On Fri, 4 Jun 2004 Benjamin.Zoeller@salt-solutions.de wrote:
it is very curious. Some tcpdumps don't give me all the characters. Perhaps this is the problem???
You should run tcpdump with '-s 86' to capture the whole packets in question, otherwise those will be truncated due to the small default snaplen value.

Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics, H-1525 Budapest 114, POB. 49, Hungary
On 2004-06-04, Fri, at 10:52, Benjamin.Zoeller@salt-solutions.de wrote:
Hi Balazs, it is very curious. Some tcpdumps don't give me all the characters. Perhaps this is the problem??? Here are some new ones:

10:49:09.668790 .syslog-ng > .syslog-ng: udp 85
0x0000 4500 0071 cfed 0000 3e11 950b 0ac6 00fd E..q....>.......
0x0010 0ac7 00fa 0202 0202 005d 1cd7 3c31 3430 .........]..<140
0x0020 3e41 4343 543a 204c 4f47 494e 2046 4149 >ACCT:.LOGIN.FAI
0x0030 4c45 4420 6173 2061 646d 696e 2066 726f LED.as.admin.fro
0x0040 6d20 5445 4c4e 4554 2031 302e 3139 392e m.TELNET.10.199.
0x0050 322e 2.
You might try specifying the -s option to tcpdump to avoid truncating packets. (-s 1600 will do)

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
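Added example, not part of the thread: a small Python check that reassembles the bytes from a tcpdump -X dump, compares the captured length against the IP total length to flag snaplen truncation (the problem diagnosed above), and, only when the packet is complete, reports whether the syslog payload ends with the NUL byte (^@) the subject line mentions. It assumes the dump starts at the IP header, as the ones posted in this thread do; build_udp_packet and the constructed packets are mine, used only to show the complete-packet case.

```python
import re

# tcpdump -X output for the first packet posted in this thread (IP header
# onwards, as tcpdump printed it; addresses were blanked by the poster).
THREAD_DUMP = """\
10:49:09.668790 .syslog-ng > .syslog-ng: udp 85
0x0000 4500 0071 cfed 0000 3e11 950b 0ac6 00fd E..q....>.......
0x0010 0ac7 00fa 0202 0202 005d 1cd7 3c31 3430 .........]..<140
0x0020 3e41 4343 543a 204c 4f47 494e 2046 4149 >ACCT:.LOGIN.FAI
0x0030 4c45 4420 6173 2061 646d 696e 2066 726f LED.as.admin.fro
0x0040 6d20 5445 4c4e 4554 2031 302e 3139 392e m.TELNET.10.199.
0x0050 322e 2.
"""

def parse_tcpdump_x(dump: str) -> bytes:
    """Reassemble raw bytes from tcpdump -X lines: offset, up to 8 hex groups, ASCII."""
    data = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not re.fullmatch(r"0x[0-9a-f]{4}", tokens[0]):
            continue  # timestamp/summary line, not a hex line
        for tok in tokens[1:9]:  # at most 8 groups of two bytes per line
            if not re.fullmatch(r"[0-9a-f]{2,4}", tok):
                break  # reached the ASCII column of a short final line
            data += bytes.fromhex(tok)
    return bytes(data)

def check_capture(pkt: bytes) -> dict:
    """Compare captured length with the IPv4 total length; on complete packets,
    report whether the UDP (syslog) payload ends with a NUL byte."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        raise ValueError("need at least an IPv4 header plus a UDP header")
    ihl = (pkt[0] & 0x0F) * 4
    ip_total = int.from_bytes(pkt[2:4], "big")
    udp_len = int.from_bytes(pkt[ihl + 4:ihl + 6], "big")
    payload = pkt[ihl + 8:]
    truncated = len(pkt) < ip_total
    return {
        "captured": len(pkt), "ip_total": ip_total, "truncated": truncated,
        "declared_payload": udp_len - 8, "captured_payload": len(payload),
        "ends_with_nul": None if truncated else payload.endswith(b"\x00"),
    }

def build_udp_packet(payload: bytes) -> bytes:
    """Constructed IPv4/UDP packet (port 514 both ways, zero checksums) for testing."""
    udp = b"\x02\x02\x02\x02" + (8 + len(payload)).to_bytes(2, "big") + b"\x00\x00" + payload
    ip = b"\x45\x00" + (20 + len(udp)).to_bytes(2, "big") + b"\x00\x00\x00\x00\x3e\x11\x00\x00"
    return ip + bytes([10, 198, 0, 253, 10, 199, 0, 250]) + udp

if __name__ == "__main__":
    print(check_capture(parse_tcpdump_x(THREAD_DUMP)))  # truncated: 82 of 113 bytes
    print(check_capture(build_udp_packet(b"<140>ACCT: LOGIN FAILED as admin from TELNET 10.199.2.65\x00")))
```

For the posted packet the check reports 82 captured bytes against an IP total of 113, so the NUL question cannot be answered from that capture; it only becomes answerable once tcpdump is rerun with a large enough -s.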