[syslog-ng]Cisco PIX TCP syslog stream format - and UDP truncation.

Stephen Frost sfrost@snowman.net
Tue, 20 Aug 2002 08:31:08 -0400

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

* Ted_Rule@flextech.co.uk (Ted_Rule@flextech.co.uk) wrote:
> I have a little problem with a PIX using UDP syslog to an old syslogd ser=
>  which I'm hoping members of the list may be able to assist me with.

Havn't played with PIX firewalls in a while but I may be able to
convince someone here to let me play with one and logging.

> Does anyone on the list have experience of Cisco PIX TCP Syslog stream ta=
> to syslog-ng?
> Does anyone on the list have a good idea of the internal layout of the PI=
> syslog stream - in particular
> how is the end of message encoded? ( Under UDP of course , EOM is implied=
 by end
> of packet, but under
> TCP some explicit EOM marker would have(?) to be added to the stream. )

Having looked at the syslog-ng code for dealing with this stuff (had to
because of the /proc/kmsg log problems I've had under Linux) it would
appear that in general either a newline or a '\0' denotes the end of a
log message.  Since there's no 'EOM' in either TCP connections or
files/pipes/etc I believe they all behave in basically the same manner.
So your perl code should check for those two conditions I think.

> Would anyone be able to send me some tcpdumps or similar for me to decode=
> format so that I could generate some test data to fire at the listener?

I may be able to, we'll have to see.

Just as a side-note I guess, I think your perl idea is really
not-so-good. :)  Personally I would strongly encourage you to either
move to syslog-ng outright or, if you're really worried, just run both
syslog-ng and syslogd and have syslog-ng *only* listen on TCP and have
some very, very simple/stupid config file that just takes stuff coming
in and dumps it to a file.  I kind of see that as the 'best of both
worlds' solution to get you started at least and then slowly migrate
things over to syslog-ng till eventually you can phase out the old
syslog entirely.


Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.0.7 (GNU/Linux)