I am running syslog-ng 3.0.4 on RHEL 5.4.
I have a log message that appears in my logfiles as
Oct 28 16:41:22 juniper-router {wan-service-set}[FWNAT]: ASP_NAT_RULE_MATCH: proto 6 (TCP) application: any, ge-0/0/3.2:10.3.13.153:49818 -> 66.249.80.148:80, Match NAT rule-set: , rule: nat-outgoing, term: dynamic-nat
There are no carriage returns in that entry; any that appear are artifacts of some mail server or client along the way.
I want any log entry containing the string FWNAT to go into a separate file. match(FWNAT) on the filter does just that, but syslog-ng complains that I'm not using value() for efficiency. However, it's not at all clear which macro, if any, actually contains the string FWNAT. I can tell you five that don't:
APPLICATION EVENT_SOURCE MESSAGE MSG PROGRAM
What macro contains FWNAT? And where can I get a definitive list of macros and specifics on how the value in each is set for each line? The documentation is insufficiently detailed on this subject.
Thanks,
MJB
Dear Mick,
I have a log message that appears in my logfiles as
Oct 28 16:41:22 juniper-router {wan-service-set}[FWNAT]: ASP_NAT_RULE_MATCH: proto 6 (TCP) application: any, ge-0/0/3.2:10.3.13.153:49818 -> 66.249.80.148:80, Match NAT rule-set: , rule: nat-outgoing, term: dynamic-nat
It seems Juniper does not send a valid RFC3164 message (wrong program/pid field). In addition, syslog-ng does not handle it correctly (which could be a bug); that is why the message does not appear in any of the macros (by default the message should be in MSG or MSGONLY). Please try to use the no-parse flag at the source driver which reads incoming syslog messages. I hope it helps. For further info see this:
http://www.balabit.hu/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch08s01.htm...
Search for the word no-parse and please send us the result!
Best wishes,
Peter
--
Höltzl Péter
CISA, IT security consultant
holtzl.peter@balabit.hu
http://peter.blogs.balabit.hu/
BalaBit IT Security
I changed my source from
udp(ip(0.0.0.0) port(514))
to
udp(ip(0.0.0.0) port(514) flags(no-parse))
with no other changes. The log entries now are slightly different: there's a <###> term, so they appear as
Oct 30 13:42:55 juniper-router <150>{wan-service-set}[FWNAT]: ASP_NAT_RULE_MATCH: proto 6 (TCP) application: any, ge-0/0/3.2:10.3.4.12:1064 -> 74.125.165.164:80, Match NAT rule-set: , rule: nat-outgoing, term: dynamic-nat
and the match(FWNAT) no longer works at all.
MJB
HÖLTZL Péter wrote:
Dear Mick,
I have a log message that appears in my logfiles as
Oct 28 16:41:22 juniper-router {wan-service-set}[FWNAT]: ASP_NAT_RULE_MATCH: proto 6 (TCP) application: any, ge-0/0/3.2:10.3.13.153:49818 -> 66.249.80.148:80, Match NAT rule-set: , rule: nat-outgoing, term: dynamic-nat
It seems Juniper does not send a valid RFC3164 message (wrong program/pid field). In addition, syslog-ng does not handle it correctly (which could be a bug); that is why the message does not appear in any of the macros (by default the message should be in MSG or MSGONLY). Please try to use the no-parse flag at the source driver which reads incoming syslog messages. I hope it helps. For further info see this:
http://www.balabit.hu/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch08s01.htm...
Search for the word no-parse and please send us the result!
Best wishes,
Peter
------------------------------------------------------------------------
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
On Wed, 2009-10-28 at 17:18 -0400, Michael J. Bauer wrote:
I am running syslog-ng 3.0.4 on RHEL 5.4.
I have a log message that appears in my logfiles as
Oct 28 16:41:22 juniper-router {wan-service-set}[FWNAT]: ASP_NAT_RULE_MATCH: proto 6 (TCP) application: any, ge-0/0/3.2:10.3.13.153:49818 -> 66.249.80.148:80, Match NAT rule-set: , rule: nat-outgoing, term: dynamic-nat
There are no carriage returns in that entry; any that appear are artifacts of some mail server or client along the way.
I want any log entry containing the string FWNAT to go into a separate file. match(FWNAT) on the filter does just that, but syslog-ng complains that I'm not using value() for efficiency. However, it's not at all clear which macro, if any, actually contains the string FWNAT. I can tell you five that don't:
APPLICATION EVENT_SOURCE MESSAGE MSG PROGRAM
What macro contains FWNAT? And where can I get a definitive list of macros and specifics on how the value in each is set for each line? The documentation is insufficiently detailed on this subject.
$PROGRAM will contain {wan-service-set}
$PID will contain FWNAT
--
Bazsi
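To see why the filter has to name a field, here is an added Python sketch (not from the thread and not syslog-ng's own parser) that splits the sample line the way Bazsi describes, i.e. the RFC3164 "TAG[PID]:" header, and then tests a regex against one named macro, which is what match("..." value("...")) does. The regex, field names and parse_rfc3164/matches helpers are my approximation.

```python
import re

# Constructed sample: the line from the thread as it lands in the logfile (no PRI).
SAMPLE = ("Oct 28 16:41:22 juniper-router {wan-service-set}[FWNAT]: ASP_NAT_RULE_MATCH: "
          "proto 6 (TCP) application: any, ge-0/0/3.2:10.3.13.153:49818 -> 66.249.80.148:80, "
          "Match NAT rule-set: , rule: nat-outgoing, term: dynamic-nat")

# RFC3164-style header: "Mmm dd hh:mm:ss host TAG[PID]: message".
# The TAG is taken up to the first '[' or ':', so "{wan-service-set}" becomes
# PROGRAM and "FWNAT" (the bracketed part) becomes PID, as Bazsi states.
HEADER = re.compile(
    r"^(?P<date>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>[^\]]*)\])?: ?(?P<msg>.*)$"
)


def parse_rfc3164(line):
    """Return the syslog-ng-style macros (DATE, HOST, PROGRAM, PID, MSG) for one line.

    Lines that do not fit the header shape fall back to MSG = whole line,
    roughly what a no-parse source would give you.
    """
    m = HEADER.match(line)
    if not m:
        return {"MSG": line}
    d = m.groupdict()
    return {
        "DATE": d["date"],
        "HOST": d["host"],
        "PROGRAM": d["program"],
        "PID": d["pid"] or "",
        "MSG": d["msg"],
    }


def matches(fields, regex, value="MSG"):
    """Mimic match("regex" value("NAME")): search only the named macro.

    Returns False when the macro is absent, so a filter written against the
    wrong field silently never matches instead of raising.
    """
    return re.search(regex, fields.get(value, "")) is not None


def route(line):
    """Constructed routing decision: the FWNAT test pinned to the PID macro."""
    return "fwnat.log" if matches(parse_rfc3164(line), "FWNAT", "PID") else "messages"
```

The syslog-ng equivalent for the last function is a filter of the form match("FWNAT" value("PID")), which avoids scanning every macro for each message.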
Thanks for the pointer, I've rewritten my match() statements.
MJB
Balazs Scheidler wrote:
On Wed, 2009-10-28 at 17:18 -0400, Michael J. Bauer wrote:
I am running syslog-ng 3.0.4 on RHEL 5.4.
I have a log message that appears in my logfiles as
Oct 28 16:41:22 juniper-router {wan-service-set}[FWNAT]: ASP_NAT_RULE_MATCH: proto 6 (TCP) application: any, ge-0/0/3.2:10.3.13.153:49818 -> 66.249.80.148:80, Match NAT rule-set: , rule: nat-outgoing, term: dynamic-nat
There are no carriage returns in that entry; any that appear are artifacts of some mail server or client along the way.
I want any log entry containing the string FWNAT to go into a separate file. match(FWNAT) on the filter does just that, but syslog-ng complains that I'm not using value() for efficiency. However, it's not at all clear which macro, if any, actually contains the string FWNAT. I can tell you five that don't:
APPLICATION EVENT_SOURCE MESSAGE MSG PROGRAM
What macro contains FWNAT? And where can I get a definitive list of macros and specifics on how the value in each is set for each line? The documentation is insufficiently detailed on this subject.
$PROGRAM will contain {wan-service-set}
$PID will contain FWNAT
participants (3)
- Balazs Scheidler
- HÖLTZL Péter
- Michael J. Bauer