[syslog-ng]Cisco PIX TCP Syslogging via syslog-ng

Ted_Rule@flextech.co.uk Ted_Rule@flextech.co.uk
Thu, 5 Sep 2002 16:28:53 +0100


More very sad news I'm afraid.

I've been able to glue together a temporary copy of syslog-ng on my central
syslog server
listening to TCP/1468 for PIX syslogging.

It is already apparent that things don't work properly - most of this appears to
be entirely Cisco's
fault.

My original problem was that I'd reported UDP packet truncation for syslog
messages > 255 characters.

Cisco swore blind that my moving to TCP would fix this.

tcpdump's of my test rig strongly suggests Cisco simply lied. Even the TCP
stream seems to impose a 255 character
limit prior to transmission.

Worse still - as intimated from previous missives - the TCP stream doesn't
contain EOM characters of any flavour
between messages such that multiple syslog messages may appear in a single TCP
packet.

Moreover, sadly, syslog-ng appears to be unable to pick apart multiple messages
correctly on some occasions, and hence one
sees things like this:

Sep  5 15:58:58 fttvgpsvpn1 %PIX-7-702301: lifetime expiring, (sa) sa_dest= 195.
188.171.5, sa_prot= 50, sa_spi= 0x6a3b8b02(1782287106), sa_trans= esp-3des esp-m
d5-hmac , sa_conn_id= 8, (identity) local= 195.188.171.5, remote= 217.34.209.200
, local_proxy= 194.34.198.40/255.255.2<190>%PIX-6-602302: deleting SA, (sa) sa_d
est= 195.188.171.5, sa_prot= 50, sa_spi= 0x6a3b8b02(1782287106), sa_trans= esp-3
des esp-md5-hmac , sa_conn_id= 8

where the 2 messages concatenated are actually contained in 2 separate TCP
packets,
as per the tcpdump below.

The general logic I can deduce from the debugs so far is that the log daemon on
the PIX
assembles a message, truncates to 255 characters, stuffs it out the log stream (
be it UDP
or TCP ). If the stream is TCP, I suspect Nagle Algorithm or similar determines
when sufficient
data within one or more messages have been accumulate sufficient to actually
send a TCP
packet.

As a result, whilst any given log message is limited to 255 bytes, but any given
TCP packet need not be.

All in all, its a mess. I'm better off leaving the syslogging routing via UDP to
ensure correct EOM
determination on the syslog server.

Needless to say, I'll raise a log with our Cisco resellers to try and get Cisco
to fix their code.

The minimum 2 requirements are:

     a)   Raise log message size limit to 512 bytes for either UDP or TCP
streams

     b)   Terminate TCP messages with NUL or NL to allow sane logservers to
unsplit the mess.


I suspect there is very little Balazs can do to improve the decode of the PIX
log stream
without Cisco fixing their broken code.



Ted



15:58:58.013327 192.168.82.15.1024 > 172.17.12.19.1468: P 878:1133(255) ack 1
win 4096
         4500 0127 9d42 0000 fc06 55b2 c0a8 520f        E..'.B....U...R.
         ac11 0c13 0400 05bc 02ff 1fde 3b30 7c08        ............;0|.
         5018 1000 4360 0000 3c31 3931 3e25 5049        P...C`..<191>%PI
         582d 372d 3730 3233 3031 3a20 6c69 6665        X-7-702301: life
         7469 6d65 2065 7870 6972 696e 672c 2028        time expiring, (
         7361 2920 7361 5f64 6573 743d 2031 3935        sa) sa_dest= 195
         2e31 3838 2e31 3731 2e35 2c20 7361 5f70        .188.171.5, sa_p
         726f 743d 2035 302c 2073 615f 7370 693d        rot= 50, sa_spi=
         2030 7836 6133 6238 6230 3228 3137 3832         0x6a3b8b02(1782
         3238 3731 3036 292c 2073 615f 7472 616e        287106), sa_tran
         733d 2065 7370 2d33 6465 7320 6573 702d        s= esp-3des esp-
         6d64 352d 686d 6163 202c 2073 615f 636f        md5-hmac , sa_co
         6e6e 5f69 643d 2038 2c20 2869 6465 6e74        nn_id= 8, (ident
         6974 7929 206c 6f63 616c 3d20 3139 352e        ity) local= 195.
         3138 382e 3137 312e 352c 2072 656d 6f74        188.171.5, remot
         653d 2032 3137 2e33 342e 3230 392e 3230        e= 217.34.209.20
         302c 206c 6f63 616c 5f70 726f 7879 3d20        0, local_proxy=
         3139 342e 3334 2e31 3938 2e34 302f 3235        194.34.198.40/25
         352e 3235 352e 32                              5.255.2.
15:58:58.026581 172.17.12.19.1468 > 192.168.82.15.1024: . ack 1133 win 32120 (DF
)
         4500 0028 6190 4000 4006 0e64 ac11 0c13        E..(a.@.@..d....
         c0a8 520f 05bc 0400 3b30 7c08 02ff 20dd        ..R.....;0|... .
         5010 7d78 82af 0000                            P.}x....
15:58:58.027406 192.168.82.15.1024 > 172.17.12.19.1468: P 1133:1445(312) ack 1 w
in 4096
         4500 0160 9d43 0000 fc06 5578 c0a8 520f        E..`.C....Ux..R.
         ac11 0c13 0400 05bc 02ff 20dd 3b30 7c08        .......... .;0|.
         5018 1000 ca1d 0000 3c31 3930 3e25 5049        P.......<190>%PI
         582d 362d 3630 3233 3032 3a20 6465 6c65        X-6-602302: dele
         7469 6e67 2053 412c 2028 7361 2920 7361        ting SA, (sa) sa
         5f64 6573 743d 2031 3935 2e31 3838 2e31        _dest= 195.188.1
         3731 2e35 2c20 7361 5f70 726f 743d 2035        71.5, sa_prot= 5
         302c 2073 615f 7370 693d 2030 7836 6133        0, sa_spi= 0x6a3
         6238 6230 3228 3137 3832 3238 3731 3036        b8b02(1782287106
         292c 2073 615f 7472 616e 733d 2065 7370        ), sa_trans= esp
         2d33 6465 7320 6573 702d 6d64 352d 686d        -3des esp-md5-hm
         6163 202c 2073 615f 636f 6e6e 5f69 643d        ac , sa_conn_id=
         2038 0a0a 3c31 3930 3e25 5049 582d 362d         8..<190>%PIX-6-
         3630 3233 3032 3a20 6465 6c65 7469 6e67        602302: deleting
         2053 412c 2028 7361 2920 7361 5f64 6573         SA, (sa) sa_des
         743d 2032 3137 2e33 342e 3230 392e 3230        t= 217.34.209.20
         302c 2073 615f 7072 6f74 3d20 3530 2c20        0, sa_prot= 50,
         7361 5f73 7069 3d20 3078 3137 6563 3539        sa_spi= 0x17ec59
         3335 2834 3031 3336 3533 3031 292c 2073        35(401365301), s
         615f 7472 616e 733d 2065 7370 2d33 6465        a_trans= esp-3de
         7320 6573 702d 6d64 352d 686d 6163 202c        s esp-md5-hmac ,
         2073 615f 636f 6e6e 5f69 643d 2037 0a0a         sa_conn_id= 7..









***************************************************************************************************

This E-mail message, including any attachments, is intended only for the person
or entity to which it is addressed, and may contain confidential information.

If you are not the intended recipient, any review, retransmission, disclosure,
copying, modification or other use of this E-mail message or attachments is
strictly forbidden.

If you have received this E-mail message in error, please contact the author and
delete the message and any attachments from your computer.

You are also advised that the views and opinions expressed in this E-mail
message and any attachments are the author's own, and may not reflect the views
and opinions of FLEXTECH Television Limited.

***************************************************************************************************