[syslog-ng]Cisco PIX TCP Syslogging via syslog-ng

Ted_Rule@flextech.co.uk
Thu, 5 Sep 2002 10:28 -0500


From: Ted_Rule@flextech.co.uk
To: syslog-ng@lists.balabit.hu
Date: Thu, 5 Sep 2002 16:28:53 +0100
Subject: [syslog-ng]Cisco PIX TCP Syslogging via syslog-ng



More very sad news I'm afraid.

I've been able to glue together a temporary copy of syslog-ng on my central syslog server listening to TCP/1468 for PIX syslogging.

It is already apparent that things don't work properly - most of this appears to be entirely Cisco's fault.

My original problem was that I'd reported UDP packet truncation for syslog messages > 255 characters.

Cisco swore blind that my moving to TCP would fix this.

tcpdumps of my test rig strongly suggest Cisco simply lied. Even the TCP stream seems to impose a 255 character limit prior to transmission.

Worse still - as intimated from previous missives - the TCP stream doesn't contain EOM characters of any flavour between messages, such that multiple syslog messages may appear in a single TCP packet.

Moreover, sadly, syslog-ng appears to be unable to pick apart multiple messages correctly on some occasions, and hence one sees things like this:

Sep  5 15:58:58 fttvgpsvpn1 %PIX-7-702301: lifetime expiring, (sa) sa_dest= 195.188.171.5, sa_prot= 50, sa_spi= 0x6a3b8b02(1782287106), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 8, (identity) local= 195.188.171.5, remote= 217.34.209.200, local_proxy= 194.34.198.40/255.255.2<190>%PIX-6-602302: deleting SA, (sa) sa_dest= 195.188.171.5, sa_prot= 50, sa_spi= 0x6a3b8b02(1782287106), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 8

where the 2 messages concatenated are actually contained in 2 separate TCP packets, as per the tcpdump below.

The general logic I can deduce from the debugs so far is that the log daemon on the PIX assembles a message, truncates to 255 characters, and stuffs it out the log stream ( be it UDP or TCP ). If the stream is TCP, I suspect the Nagle Algorithm or similar determines when sufficient data within one or more messages has been accumulated to actually send a TCP packet.

As a result, whilst any given log message is limited to 255 bytes, any given TCP packet need not be.

All in all, it's a mess. I'm better off leaving the syslogging routing via UDP to ensure correct EOM determination on the syslog server.

Needless to say, I'll raise a log with our Cisco resellers to try and get Cisco to fix their code.

The minimum 2 requirements are:

     a)   Raise log message size limit to 512 bytes for either UDP or TCP streams

     b)   Terminate TCP messages with NUL or NL to allow sane logservers to unsplit the mess.


I suspect there is very little Balazs can do to improve the decode of the PIX log stream without Cisco fixing their broken code.



Ted



15:58:58.013327 192.168.82.15.1024 > 172.17.12.19.1468: P 878:1133(255) ack 1 win 4096
         4500 0127 9d42 0000 fc06 55b2 c0a8 520f        E..'.B....U...R.
         ac11 0c13 0400 05bc 02ff 1fde 3b30 7c08        ............;0|.
         5018 1000 4360 0000 3c31 3931 3e25 5049        P...C`..<191>%PI
         582d 372d 3730 3233 3031 3a20 6c69 6665        X-7-702301: life
         7469 6d65 2065 7870 6972 696e 672c 2028        time expiring, (
         7361 2920 7361 5f64 6573 743d 2031 3935        sa) sa_dest= 195
         2e31 3838 2e31 3731 2e35 2c20 7361 5f70        .188.171.5, sa_p
         726f 743d 2035 302c 2073 615f 7370 693d        rot= 50, sa_spi=
         2030 7836 6133 6238 6230 3228 3137 3832         0x6a3b8b02(1782
         3238 3731 3036 292c 2073 615f 7472 616e        287106), sa_tran
         733d 2065 7370 2d33 6465 7320 6573 702d        s= esp-3des esp-
         6d64 352d 686d 6163 202c 2073 615f 636f        md5-hmac , sa_co
         6e6e 5f69 643d 2038 2c20 2869 6465 6e74        nn_id= 8, (ident
         6974 7929 206c 6f63 616c 3d20 3139 352e        ity) local= 195.
         3138 382e 3137 312e 352c 2072 656d 6f74        188.171.5, remot
         653d 2032 3137 2e33 342e 3230 392e 3230        e= 217.34.209.20
         302c 206c 6f63 616c 5f70 726f 7879 3d20        0, local_proxy=
         3139 342e 3334 2e31 3938 2e34 302f 3235        194.34.198.40/25
         352e 3235 352e 32                              5.255.2.
15:58:58.026581 172.17.12.19.1468 > 192.168.82.15.1024: . ack 1133 win 32120 (DF)
         4500 0028 6190 4000 4006 0e64 ac11 0c13        E..(a.@.@..d....
         c0a8 520f 05bc 0400 3b30 7c08 02ff 20dd        ..R.....;0|... .
         5010 7d78 82af 0000                            P.}x....
15:58:58.027406 192.168.82.15.1024 > 172.17.12.19.1468: P 1133:1445(312) ack 1 win 4096
         4500 0160 9d43 0000 fc06 5578 c0a8 520f        E..`.C....Ux..R.
         ac11 0c13 0400 05bc 02ff 20dd 3b30 7c08        .......... .;0|.
         5018 1000 ca1d 0000 3c31 3930 3e25 5049        P.......<190>%PI
         582d 362d 3630 3233 3032 3a20 6465 6c65        X-6-602302: dele
         7469 6e67 2053 412c 2028 7361 2920 7361        ting SA, (sa) sa
         5f64 6573 743d 2031 3935 2e31 3838 2e31        _dest= 195.188.1
         3731 2e35 2c20 7361 5f70 726f 743d 2035        71.5, sa_prot= 5
         302c 2073 615f 7370 693d 2030 7836 6133        0, sa_spi= 0x6a3
         6238 6230 3228 3137 3832 3238 3731 3036        b8b02(1782287106
         292c 2073 615f 7472 616e 733d 2065 7370        ), sa_trans= esp
         2d33 6465 7320 6573 702d 6d64 352d 686d        -3des esp-md5-hm
         6163 202c 2073 615f 636f 6e6e 5f69 643d        ac , sa_conn_id=
         2038 0a0a 3c31 3930 3e25 5049 582d 362d         8..<190>%PIX-6-
         3630 3233 3032 3a20 6465 6c65 7469 6e67        602302: deleting
         2053 412c 2028 7361 2920 7361 5f64 6573         SA, (sa) sa_des
         743d 2032 3137 2e33 342e 3230 392e 3230        t= 217.34.209.20
         302c 2073 615f 7072 6f74 3d20 3530 2c20        0, sa_prot= 50,
         7361 5f73 7069 3d20 3078 3137 6563 3539        sa_spi= 0x17ec59
         3335 2834 3031 3336 3533 3031 292c 2073        35(401365301), s
         615f 7472 616e 733d 2065 7370 2d33 6465        a_trans= esp-3de
         7320 6573 702d 6d64 352d 686d 6163 202c        s esp-md5-hmac ,
         2073 615f 636f 6e6e 5f69 643d 2037 0a0a         sa_conn_id= 7..
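As an added illustration (not code from the post, from Cisco, or from syslog-ng), the following Python reframer shows what a log receiver has to do with a PIX TCP stream like the one captured above: buffer the bytes, split on the `<PRI>%PIX-<severity>-<msgid>: ` header that opens every message, treat a trailing newline as a terminator where the PIX happens to send one, and flag an unterminated message that sits exactly at 255 bytes as probably truncated. Using the header as the delimiter is this example's own heuristic, as are the class and function names; the two sample segments are reconstructed from the ASCII column of the tcpdump above, so the first segment yields the cut-off 702301 message that syslog-ng had glued onto the 602302 message in the post. The example goes a little beyond the capture by also coping with a header that arrives split across two segments, which the byte-at-a-time delivery in the usage note exercises.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Every PIX message starts "<PRI>%PIX-<severity>-<msgid>: ".  Splitting on that
# header is this example's heuristic for a stream with no reliable EOM marker.
HEADER = re.compile(rb"<(\d{1,3})>%PIX-(\d)-(\d+): ")

# Per-message cap the PIX applies before transmission, as observed in the post.
PIX_MAX_MSG = 255


@dataclass
class PixMessage:
    priority: int
    severity: int
    msg_id: int
    text: bytes            # header included, trailing CR/LF stripped
    terminated: bool       # the PIX sent a newline after this message
    maybe_truncated: bool  # unterminated and sitting at the 255-byte cap


class PixStreamReframer:
    """Reassembles PIX messages from a TCP byte stream fed in arbitrary chunks."""

    def __init__(self) -> None:
        self.buf = b""

    def feed(self, data: bytes) -> list[PixMessage]:
        self.buf += data
        out: list[PixMessage] = []
        while True:
            first = HEADER.search(self.buf)
            if first is None:
                return out                       # no complete header buffered yet
            self.buf = self.buf[first.start():]  # drop bytes preceding a header
            head = HEADER.match(self.buf)
            nxt = HEADER.search(self.buf, head.end())
            if nxt is not None:                  # next header bounds this message
                raw, self.buf = self.buf[:nxt.start()], self.buf[nxt.start():]
            elif self.buf.endswith(b"\n"):       # terminator present: emit now
                raw, self.buf = self.buf, b""
            else:
                return out                       # tail may still be growing
            out.append(self._make(head, raw))

    def flush(self) -> list[PixMessage]:
        """Emit whatever is still buffered when the TCP connection closes."""
        head = HEADER.match(self.buf)
        raw, self.buf = self.buf, b""
        return [self._make(head, raw)] if head else []

    @staticmethod
    def _make(head: re.Match, raw: bytes) -> PixMessage:
        terminated = raw.endswith(b"\n")
        text = raw.rstrip(b"\r\n")
        return PixMessage(
            priority=int(head.group(1)),
            severity=int(head.group(2)),
            msg_id=int(head.group(3)),
            text=text,
            terminated=terminated,
            maybe_truncated=not terminated and len(text) >= PIX_MAX_MSG,
        )


def reframe_segments(segments: list[bytes]) -> list[PixMessage]:
    """Feed TCP segment payloads in order and return every message recovered."""
    reframer = PixStreamReframer()
    msgs: list[PixMessage] = []
    for seg in segments:
        msgs.extend(reframer.feed(seg))
    msgs.extend(reframer.flush())
    return msgs


# Sample payloads reconstructed from the ASCII column of the post's tcpdump.
SEGMENT_1 = (  # 255 bytes, cut mid-netmask, no terminator
    b"<191>%PIX-7-702301: lifetime expiring, (sa) sa_dest= 195.188.171.5, sa_prot= 50, "
    b"sa_spi= 0x6a3b8b02(1782287106), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 8, "
    b"(identity) local= 195.188.171.5, remote= 217.34.209.200, local_proxy= 194.34.198.40/255.255.2"
)
MSG_A = (
    b"<190>%PIX-6-602302: deleting SA, (sa) sa_dest= 195.188.171.5, sa_prot= 50, "
    b"sa_spi= 0x6a3b8b02(1782287106), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 8\n\n"
)
MSG_B = (
    b"<190>%PIX-6-602302: deleting SA, (sa) sa_dest= 217.34.209.200, sa_prot= 50, "
    b"sa_spi= 0x17ec5935(401365301), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 7\n\n"
)
SEGMENT_2 = MSG_A + MSG_B  # 312 bytes: two messages in one TCP packet

if __name__ == "__main__":
    for m in reframe_segments([SEGMENT_1, SEGMENT_2]):
        flag = " (possibly truncated)" if m.maybe_truncated else ""
        print(f"%PIX-{m.severity}-{m.msg_id} {len(m.text)} bytes{flag}: {m.text[:40]!r}...")
```

Feeding the two segments recovers three messages: the 255-byte 702301 record flagged as possibly truncated, then the two 602302 records that shared one packet. Feeding the same bytes one at a time gives identical output, because a message is only emitted once the next header is complete or a newline has arrived; a message whose tail is still unknown when the connection closes is released by `flush()` rather than silently dropped.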










