[syslog-ng]Cisco PIX TCP syslog stream format - and UDP truncation.
Tue, 20 Aug 2002 08:31:08 -0400
Content-Type: text/plain; charset=us-ascii
* Ted_Rule@flextech.co.uk (Ted_Rule@flextech.co.uk) wrote:
> I have a little problem with a PIX using UDP syslog to an old syslogd ser=
> which I'm hoping members of the list may be able to assist me with.
Havn't played with PIX firewalls in a while but I may be able to
convince someone here to let me play with one and logging.
> Does anyone on the list have experience of Cisco PIX TCP Syslog stream ta=
> to syslog-ng?
> Does anyone on the list have a good idea of the internal layout of the PI=
> syslog stream - in particular
> how is the end of message encoded? ( Under UDP of course , EOM is implied=
> of packet, but under
> TCP some explicit EOM marker would have(?) to be added to the stream. )
Having looked at the syslog-ng code for dealing with this stuff (had to
because of the /proc/kmsg log problems I've had under Linux) it would
appear that in general either a newline or a '\0' denotes the end of a
log message. Since there's no 'EOM' in either TCP connections or
files/pipes/etc I believe they all behave in basically the same manner.
So your perl code should check for those two conditions I think.
> Would anyone be able to send me some tcpdumps or similar for me to decode=
> format so that I could generate some test data to fire at the listener?
I may be able to, we'll have to see.
Just as a side-note I guess, I think your perl idea is really
not-so-good. :) Personally I would strongly encourage you to either
move to syslog-ng outright or, if you're really worried, just run both
syslog-ng and syslogd and have syslog-ng *only* listen on TCP and have
some very, very simple/stupid config file that just takes stuff coming
in and dumps it to a file. I kind of see that as the 'best of both
worlds' solution to get you started at least and then slowly migrate
things over to syslog-ng till eventually you can phase out the old
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
-----END PGP SIGNATURE-----