syslog-ng-1.6.0rc3 - problem with incorrect separation of syslog messages from Cisco PIX
Hi,

We have upgraded to 1.6.0 RC3 for program() template support (ie - pipe directly to stdin of psql). Since the upgrade, we have also had a requirement to enable PIX URL logging and IPSec ISAKMP SA logging. As a consequence, we have found numerous syslog entries where the record following the PIX URL log entry is merged with the URL log entry.

Target system - redhat 8.0 / kernel-2.4.18-26.8.0 / glibc-2.2.93-5 / gcc-3.2-7 with libol 0.3.9.

Standard syslog to file:

May 10 11:51:02 192.168.100.252 May 10 2003 01:51:02: %PIX-7-702301: lifetime expiring, (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1, (identity) local= 10.0.0.1, remote= 10.1.1.1, local_proxy= 192<166>May 10 2003 01:51:02: %PIX-6-602302: deleting SA, (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1

The same syslog message SQL formatted to file - same template as program():

BEGIN; INSERT INTO rawlogs (host, datetime, facility, priority, level, tag, program, msg) VALUES ('192.168.100.252', '2003-05-10 11:51:02', 'local4', 'debug', 'debug', 'a7', 'May', 'May 10 2003 01:51:02: %PIX-7-702301: lifetime expiring, (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1, (identity) local= 10.0.0.1, remote= 10.1.1.1, local_proxy= 192<166>May 10 2003 01:51:02: %PIX-6-602302: deleting SA, (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1'); COMMIT;

TCP logging is used (too many messages lost when using UDP).

There are also other instances where syslog messages have been merged together.

More samples of the above can be supplied if necessary if a direct e-mail address of a developer is provided - I am reluctant to send such data to the list. IP addresses contained in the log entries have also been changed.

TIA,
Darren

syslog-ng.conf that generated the above data:

options {
    sync (0);
    time_reopen (10);
    log_fifo_size (8192);
    long_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    use_time_recvd (yes);
    create_dirs (yes);
    keep_hostname (yes);
    perm (0644);
    owner (root);
    group (root);
    dir_perm (0644);
    dir_owner (root);
    dir_group (root);
};

source s_tcp { tcp(port(10514) max-connections(64)); };
source s_udp { udp(port(514)); };

destination rawsyslog {
    file("/monitor/syslog-ng/data/rawsyslog-$YEAR-$MONTH-$DAY");
};

destination syslog2pgsql {
    file("/monitor/syslog-ng/data/syslog2pgsql-$YEAR-$MONTH-$DAY"
         template("BEGIN; INSERT INTO rawlogs (host, datetime, facility, priority, level, tag, program, msg) VALUES ('$HOST', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$PROGRAM', '$MSG'); COMMIT;\n")
         template-escape(yes));
};

log { source(s_udp); destination(syslog2pgsql); };
log { source(s_tcp); destination(syslog2pgsql); };
log { source(s_udp); destination(rawsyslog); };
log { source(s_tcp); destination(rawsyslog); };
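A check for stored records like the merged one above, written here as an added example (it is not code from this thread or from syslog-ng). It assumes records are read back from the rawsyslog file or the rawlogs.msg column one per line, and treats a `<PRI>` header (`<0>`..`<191>`) that appears after the start of a record and is followed by a timestamp as the boundary of a second message that was appended without a newline. The sample records are constructed from the post's data, with its altered addresses; the second, clean line is invented for contrast.

```python
import re

# Constructed samples: line 0 mirrors the merged record in the report
# (shortened, addresses as altered in the post); line 1 is a clean record.
SAMPLE_LINES = [
    "May 10 11:51:02 192.168.100.252 May 10 2003 01:51:02: %PIX-7-702301: lifetime expiring, "
    "(sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_conn_id= 1, (identity) local= 10.0.0.1, "
    "remote= 10.1.1.1, local_proxy= 192<166>May 10 2003 01:51:02: %PIX-6-602302: deleting SA, "
    "(sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_conn_id= 1",
    "May 10 11:51:03 192.168.100.252 May 10 2003 01:51:03: %PIX-6-302013: Built outbound TCP connection",
]

# RFC 3164 facility and severity names, indexed by PRI // 8 and PRI % 8.
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
                  "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# A <PRI> header followed by the start of a BSD timestamp ("May ", "Jun ", ...).
# The lookahead keeps literal "<3>" inside free text from being mistaken for a boundary.
EMBEDDED_PRI = re.compile(r"<(\d{1,3})>(?=[A-Z][a-z]{2} )")


def decode_pri(pri):
    """Split a PRI value into (facility_name, severity_name); e.g. 166 -> ('local4', 'info')."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITY_NAMES[pri // 8], SEVERITY_NAMES[pri % 8]


def split_merged(record):
    """Return the messages packed into one stored record as (facility, severity, text) tuples.

    Segment 0 is the original message as stored (its facility/severity are None because the
    PRI was already consumed by syslog-ng; its text may be truncated, as 'local_proxy= 192' is
    in the sample). Each further segment is a message that followed without a newline boundary,
    with its <PRI> header decoded and stripped.
    """
    cuts = [m for m in EMBEDDED_PRI.finditer(record)
            if m.start() > 0 and int(m.group(1)) <= 191]
    head = record[:cuts[0].start()] if cuts else record
    segments = [(None, None, head)]
    for i, m in enumerate(cuts):
        end = cuts[i + 1].start() if i + 1 < len(cuts) else len(record)
        facility, severity = decode_pri(int(m.group(1)))
        segments.append((facility, severity, record[m.end():end]))
    return segments


def audit(lines):
    """Return [(line_index, message_count)] for every record that holds more than one message."""
    findings = []
    for i, line in enumerate(lines):
        count = len(split_merged(line))
        if count > 1:
            findings.append((i, count))
    return findings


if __name__ == "__main__":
    for idx, count in audit(SAMPLE_LINES):
        print("record %d holds %d messages:" % (idx, count))
        for facility, severity, text in split_merged(SAMPLE_LINES[idx]):
            print("  [%s.%s] %s" % (facility, severity, text[:60]))
```

Running it over the raw file lets you count how many records were affected before deciding whether the PostgreSQL rows need repairing; the split is only a best effort, since the head of each merged record (the text before the embedded `<PRI>`) is the part that was cut short and cannot be reconstructed from the file.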
On Sun, May 11, 2003 at 06:05:41PM +1000, email lists wrote:
> Hi,
>
> We have upgraded to 1.6.0 RC3 for program() template support (ie - pipe directly to stdin of psql). Since the upgrade, we have also had a requirement to enable PIX URL logging and IPSec ISAKMP SA logging. As a consequence, we have found numerous syslog entries where the record following the PIX URL log entry is merged with the URL log entry.
>
> Target system - redhat 8.0 / kernel-2.4.18-26.8.0 / glibc-2.2.93-5 / gcc-3.2-7 with libol 0.3.9.
>
> Standard syslog to file:
>
> May 10 11:51:02 192.168.100.252 May 10 2003 01:51:02: %PIX-7-702301: lifetime expiring, (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1, (identity) local= 10.0.0.1, remote= 10.1.1.1, local_proxy= 192<166>May 10 2003 01:51:02: %PIX-6-602302: deleting SA, (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1
>
> The same syslog message SQL formatted to file - same template as program():
>
> BEGIN; INSERT INTO rawlogs (host, datetime, facility, priority, level, tag, program, msg) VALUES ('192.168.100.252', '2003-05-10 11:51:02', 'local4', 'debug', 'debug', 'a7', 'May', 'May 10 2003 01:51:02: %PIX-7-702301: lifetime expiring, (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1, (identity) local= 10.0.0.1, remote= 10.1.1.1, local_proxy= 192<166>May 10 2003 01:51:02: %PIX-6-602302: deleting SA, (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1'); COMMIT;
>
> TCP logging is used (too many messages lost when using UDP).
Can you send me a tcpdump of the syslog traffic which shows this behaviour? Alternatively you can also send me an strace snippet, provided you increase the number of characters shown in strings (so that all details can be seen).
> There are also other instances where syslog messages have been merged together.
>
> More samples of the above can be supplied if necessary if a direct e-mail address of a developer is provided - I am reluctant to send such data to the list. IP addresses contained in the log entries have also been changed.
You can send me the dumps privately in direct mail.

--
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
participants (2): Balazs Scheidler, email lists