[syslog-ng] Syslog-ng doesn't parse certain log messages

Michael Renner m.renner@inode.at
Wed, 17 Jul 2002 15:52:32 +0200


Hi!

It seems that our syslog-ng (1.5.18, upgraded from 1.5.14 today) stopped 
logging messages from some routers. It seems to be a syslog-ng problem 
because the routers don't have anything in common (except that all of them 
are ciscos, but completely different hardware/ios versions).

My configuration (only the relevant parts of the configfile are shown):


---

options {
        sync (0);
        log_fifo_size (1000);
        use_fqdn (yes);
        chain_hostnames (no);
        stats (3600);
        use_time_recvd (no);
        use_dns (no);
};

source netrout  { udp(ip(213.229.60.108) port(514)); };

destination router      { file("/var/log/router/$HOST/$YEAR-$MONTH-$DAY" 
create_dirs(yes) template("$DATE $HOST $MSG\n")); };
destination unknown     { file("/var/log/unknown/$HOST/$YEAR-$MONTH-$DAY" 
create_dirs(yes) template("$DATE $HOST $MSG\n")); };

filter f_router         { facility(local1,local2,local3,local4,local5,local6,local7); };

log { source(netrout); filter(f_router); destination(router); flags(final); };
log { source(netrout); destination(unknown); flags(fallback); };

---

"tcpdump -i eth0 -n -X -s0 port 514 and src 195.58.180.178" shows the 
following output:

This is a packet which doesn't get logged:

15:35:02.920137 195.58.180.178.54088 > 213.229.60.108.514:  udp 129
0x0000   4500 009d 3294 0000 fc11 017d c33a b4b2        E...2......}.:..
0x0010   d5e5 3c6c d348 0202 0089 545b 3c31 3733        ..<l.H....T[<173
0x0020   3e32 3733 3332 3136 3a20 4a75 6c20 3137        >2733216:.Jul.17
0x0030   2031 353a 3335 3a30 322e 3135 3520 4d45        .15:35:02.155.ME
0x0040   542d 4453 543a 2025 4c49 4e45 5052 4f54        T-DST:.%LINEPROT
0x0050   4f2d 352d 5550 444f 574e 3a20 4c69 6e65        O-5-UPDOWN:.Line
0x0060   2070 726f 746f 636f 6c20 6f6e 2049 6e74        .protocol.on.Int
0x0070   6572 6661 6365 2056 6972 7475 616c 2d41        erface.Virtual-A
0x0080   6363 6573 7338 3135 2c20 6368 616e 6765        ccess815,.change
0x0090   6420 7374 6174 6520 746f 2075 70               d.state.to.up

---

"tcpdump -i eth0 -n -X -s0 port 514 and src 195.58.172.146" shows the 
following output:

This is a packet which gets correctly logged:

15:36:49.431070 195.58.172.146.9914 > 213.229.60.108.514:  udp 123
0x0000   4500 0097 2c3a 0000 fc11 0ffd c33a ac92        E...,:.......:..
0x0010   d5e5 3c6c 26ba 0202 0083 7d61 3c31 3733        ..<l&.....}a<173
0x0020   3e31 3538 3431 3837 3a20 4a75 6c20 3137        >1584187:.Jul.17
0x0030   2031 353a 3336 3a34 382e 3532 3020 4d45        .15:36:48.520.ME
0x0040   542d 4453 543a 2025 4c49 4e45 5052 4f54        T-DST:.%LINEPROT
0x0050   4f2d 352d 5550 444f 574e 3a20 4c69 6e65        O-5-UPDOWN:.Line
0x0060   2070 726f 746f 636f 6c20 6f6e 2049 6e74        .protocol.on.Int
0x0070   6572 6661 6365 2053 6572 6961 6c31 3a32        erface.Serial1:2
0x0080   2c20 6368 616e 6765 6420 7374 6174 6520        ,.changed.state.
0x0090   746f 2064 6f77 6e                              to.down

---

I doubt that there's a permission problem on the syslog-ng side (All dirs 
have the permissions bits 700, logfiles 600; everything owned by 
root:root), the local syslog messages (internal()) don't show any 
suspicious messages (none at all).

Can you give me a hint on how to resolve this problem?

Best regards

-- 

Inode Telekommunikationsdienstleistungs GmbH  -  http://www.inode.at/
Michael Renner - Junior System Engineer
m.renner@inode.at, Tel.: +43 59999 0 Fax.: +43 59999 6599

Office Wien - Millennium Tower Handelskai 94-96/43 - A-1200 Wien
Office Graz - Schmiedlstrasse 1 - A-8042 Graz
Office Sbg  - Schillerstrasse 30  - A-5020 Salzburg
Office Ibk  - Eduard Bodem Gasse 5-7  - A-6020 Innsbruck
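As an added check that is not part of the post, the following Python script (my own, assuming the two hex dumps are copied exactly from the tcpdump output above and that the router lines follow the usual IOS "<PRI>seq: timestamp TZ: %MNEMONIC: text" layout) recovers the UDP payload of each dump, decodes the syslog PRI into facility and severity, and tests the facility against the f_router filter from the config. Both packets carry PRI 173, i.e. local5 at severity 5, so the facility filter accepts both and is not what separates the logged packet from the dropped one.

```python
import re
# Hex columns of the two `tcpdump -X` dumps quoted in the post (ASCII column dropped).
NOT_LOGGED = """\
0x0000 4500 009d 3294 0000 fc11 017d c33a b4b2
0x0010 d5e5 3c6c d348 0202 0089 545b 3c31 3733
0x0020 3e32 3733 3332 3136 3a20 4a75 6c20 3137
0x0030 2031 353a 3335 3a30 322e 3135 3520 4d45
0x0040 542d 4453 543a 2025 4c49 4e45 5052 4f54
0x0050 4f2d 352d 5550 444f 574e 3a20 4c69 6e65
0x0060 2070 726f 746f 636f 6c20 6f6e 2049 6e74
0x0070 6572 6661 6365 2056 6972 7475 616c 2d41
0x0080 6363 6573 7338 3135 2c20 6368 616e 6765
0x0090 6420 7374 6174 6520 746f 2075 70
"""
LOGGED = """\
0x0000 4500 0097 2c3a 0000 fc11 0ffd c33a ac92
0x0010 d5e5 3c6c 26ba 0202 0083 7d61 3c31 3733
0x0020 3e31 3538 3431 3837 3a20 4a75 6c20 3137
0x0030 2031 353a 3336 3a34 382e 3532 3020 4d45
0x0040 542d 4453 543a 2025 4c49 4e45 5052 4f54
0x0050 4f2d 352d 5550 444f 574e 3a20 4c69 6e65
0x0060 2070 726f 746f 636f 6c20 6f6e 2049 6e74
0x0070 6572 6661 6365 2053 6572 6961 6c31 3a32
0x0080 2c20 6368 616e 6765 6420 7374 6174 6520
0x0090 746f 2064 6f77 6e
"""
F_ROUTER = {f"local{i}" for i in range(1, 8)}  # facilities the post's f_router filter accepts

def hexdump_to_bytes(dump):
    """Drop the offset column of every row and join the hex words into raw packet bytes."""
    return bytes.fromhex("".join(row.split(None, 1)[1].replace(" ", "") for row in dump.splitlines()))

def udp_payload(pkt):
    """Skip the IPv4 header (length from IHL) and the 8-byte UDP header; trust the UDP length field."""
    ihl = (pkt[0] & 0x0F) * 4
    udp_len = int.from_bytes(pkt[ihl + 4:ihl + 6], "big")
    return pkt[ihl + 8:ihl + udp_len]

def parse_cisco_syslog(payload):
    """Split '<PRI>seq: timestamp TZ: %MNEMONIC: text' (IOS layout; the regex is an assumption) into fields."""
    m = re.match(rb"<(\d{1,3})>(\d+): (\w{3} +\d+ [\d:.]+) (\S+): (%[A-Z0-9_-]+): (.*)", payload, re.S)
    if not m:
        raise ValueError("not a Cisco-style syslog datagram")
    pri = int(m.group(1))                       # PRI = facility * 8 + severity
    fac = f"local{pri // 8 - 16}" if pri // 8 >= 16 else str(pri // 8)
    return {"facility": fac, "severity": pri % 8, "seq": int(m.group(2)),
            "timestamp": m.group(3).decode(), "tz": m.group(4).decode(),
            "mnemonic": m.group(5).decode(), "text": m.group(6).decode(),
            "matches_f_router": fac in F_ROUTER, "length": len(payload)}
```

Call parse_cisco_syslog(udp_payload(hexdump_to_bytes(NOT_LOGGED))) to see the decoded fields; any other dump pasted in the same format goes through the same pipeline.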