[syslog-ng] Cisco PIX TCP syslog stream format - and UDP truncation.

Balazs Scheidler bazsi@balabit.hu
Wed, 21 Aug 2002 14:26:25 +0200

On Tue, Aug 20, 2002 at 08:31:08AM -0400, Stephen Frost wrote:
> * Ted_Rule@flextech.co.uk (Ted_Rule@flextech.co.uk) wrote:
> > Does anyone on the list have experience of Cisco PIX TCP Syslog stream talking
> > to syslog-ng?
> > 
> > Does anyone on the list have a good idea of the internal layout of the PIX TCP
> > syslog stream - in particular how is the end of message encoded? (Under UDP,
> > of course, EOM is implied by end of packet, but under TCP some explicit EOM
> > marker would have(?) to be added to the stream.)

There was a short description of the PIX protocol on the syslog-sec mailing
list. Here it is:

# Sends on TCP port 1468 by default.
# Can have multiple messages in a single packet. They don't appear to be
separated by any character. New message is identified by the <PRI> tag.
# TCP connection is made once, and remains open indefinitely.
# If the connection is broken and not able to be re-established, the PIX
will stop forwarding network traffic through its interfaces.
# PIX message format changes depending on timestamp settings on the PIX.

I think there should be a newline after messages (otherwise it is not
possible to identify <PRI> tags, as it is perfectly legal to put <PRI> within
the message itself).

So if my assumption is true, this traffic can be fed into syslog-ng by using a TCP source:

source s_pix { tcp(port(1468)); };

The timestamp settings might affect the way syslog-ng recognizes the stamp
and hostname, but otherwise this should work.

PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
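
Added example (not part of the original post and not syslog-ng code): a small Python framer that reassembles a chunked TCP byte stream under both framings discussed above, newline-terminated messages and separator-less messages split at each <PRI> tag, showing how the second mis-splits a message whose body contains a <PRI>-like string. The sample messages, function names and chunk size are constructed for illustration.

```python
import re

# <PRI> is "<", 1-3 digits, ">"; valid values are 0..191 (facility*8 + severity).
PRI = re.compile(rb"<(\d{1,3})>")

def split_on_newline(buf):
    """Newline framing (the reply's assumption): (messages, leftover)."""
    *complete, rest = buf.split(b"\n")
    return [m.rstrip(b"\r") for m in complete if m], rest

def split_on_pri(buf):
    """Separator-less framing: cut at every plausible <PRI> tag.
    The last piece is kept as leftover because more bytes may follow."""
    starts = [m.start() for m in PRI.finditer(buf) if int(m.group(1)) <= 191]
    if not starts or starts[0] != 0:
        starts.insert(0, 0)  # keep bytes that precede the first tag
    parts = [buf[a:b] for a, b in zip(starts, starts[1:] + [len(buf)])]
    return parts[:-1], parts[-1]

def frame(chunks, splitter):
    """Feed TCP reads of arbitrary size; return the framed messages."""
    buf, out = b"", []
    for chunk in chunks:
        msgs, buf = splitter(buf + chunk)
        out.extend(msgs)
    if buf:  # connection closed: flush what is left
        out.append(buf)
    return out

def chunks(data, n=7):
    """Simulate TCP delivering the stream in small, arbitrary reads."""
    return [data[i:i + n] for i in range(0, len(data), n)]

# Constructed sample messages (not captured from a real PIX).
M1 = b"<166>%PIX-6-302013: Built outbound TCP connection 1"
M2 = b"<164>%PIX-4-106023: Deny tcp src outside:198.51.100.7 text=<166>not a new message"
NL_STREAM = M1 + b"\n" + M2 + b"\n"   # framing assumed in the reply
RAW_STREAM = M1 + M2                   # framing from the syslog-sec description

if __name__ == "__main__":
    for m in frame(chunks(NL_STREAM), split_on_newline):
        print("newline:", m.decode())
    for m in frame(chunks(RAW_STREAM), split_on_pri):
        print("pri-tag:", m.decode())
```

With newline framing the two messages come back intact; with <PRI>-tag splitting the same two messages yield three records, so a collector relying on it would log a fragment of the second message as a separate event.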