[syslog-ng] Problem with IP "don't fragment" flag?

Ruecker, Rainer syslog-ng@lists.balabit.hu
Wed, 16 Apr 2003 01:49:36 +0200


Hello list,

the following problem occurred when trying to filter messages
generated by the program NT-syslog running on several Win2k servers and
some Cisco routers with syslog-ng on a central loghost:

- The messages from the Cisco devices are logged according to the
  log path in syslog-ng.conf.
- The messages from NT-syslog end up in the "catch-all" destination and the
  destination in the log path is "ignored".

Checking the arriving UDP packets with tcpdump on the loghost, the following
was observed:
- Packets coming from Cisco devices have source port 514 and the
  IP "don't fragment" flag is not set.
- Packets coming from NT-syslog have source ports above 1024 and
  the IP "don't fragment" flag is not set.

A "handcrafted" UDP syslog message packet with source port != 514, a source
address of one of the NT hosts and the IP "don't fragment" flag set
will be logged according to the log path in syslog-ng.conf!
If IP "don't fragment" is not set, the message will end up in the fallback
destination.

Has anyone else noticed similar behaviour of syslog-ng?
Maybe someone has a hint on where to start debugging this problem?

The problem is observed with
  syslog-ng version 1.6.0rc1 / libol 0.3.9
  syslog-ng version 1.4.17 / libol 0.2.23
running on
  NetBSD-1.6 (i686) gcc-2.95.3 20010315 NetBSD
  linux-2.4.20 (stock source) / glibc-2.2.5 (i686) gcc 2.96 20000731 RedHat
  linux-2.4.20-pre4 (kernel.org) / glibc-2.3.1 (i686) gcc 3.2.1 Gentoo

Relevant excerpt from syslog-ng.conf:
=============<snip>====================
# source
source s_net { udp(); };

# destinations
# cisco
destination d_cons_pix { file("/dev/tty3"); };   # for special reasons ...
destination d_pix { file("/var/log/pixlog_$YEAR_$MONTH_$DAY"); };
destination d_liss { file("/var/log/lisslog_$YEAR_$MONTH_$DAY"); };
destination d_router { file("/var/log/routerlog_$YEAR_$MONTH_$DAY"); };
# NT-syslog test
destination d_rrwk { file("/var/log/rrwk_$YEAR_$MONTH_$DAY"); };
destination d_prt2 { file("/var/log/prt2_$YEAR_$MONTH_$DAY"); };
destination d_neko { file("/var/log/neko_$YEAR_$MONTH_$DAY"); };
# fallback
destination d_netrest { file("/var/log/netrest"); };

# filters
# cisco
filter f_pix { host("192.168.10.1"); };
filter f_liss { host("192.168.10.3"); };
filter f_router { host("192.168.201.5") or host("192.168.250.10"); };
# NT-syslog test
filter f_rrwk { host("192.168.100.192"); };
filter f_neko { host("192.168.100.190"); };
filter f_prt2 { host("192.168.110.22"); };

# log sentences
# cisco
log { source(s_net); filter(f_pix); destination(d_pix); destination(d_cons_pix); };
log { source(s_net); filter(f_liss); destination(d_liss); };
log { source(s_net); filter(f_router); destination(d_router); };
# NT-syslog test
log { source(s_net); filter(f_rrwk); destination(d_rrwk); };
log { source(s_net); filter(f_prt2); destination(d_prt2); };
log { source(s_net); filter(f_neko); destination(d_neko); };
# fallback
log { source(s_net); destination(d_netrest); flags(fallback); };
====================<snip>====================

Any help will be much appreciated.

Kind regards

Raine Ruecker
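Added example, not part of the original post and not syslog-ng's own code: a small Python model of how the log statements in the posted syslog-ng.conf route one message, using only the message's HOST field. It assumes syslog-ng 1.x semantics: host() is an unanchored regular-expression match against HOST (so "." in "192.168.10.1" matches any character), every non-fallback log statement is evaluated independently, and a statement carrying flags(fallback) only receives messages that matched no other statement. The HOST values (including the hostname "ntserver01") are constructed; which value syslog-ng actually places in HOST for a UDP message depends on its keep_hostname()/use_dns() settings and is taken as given here. The anchored-filter variant at the end is a suggested tightening, not something from the post.

```python
import re

# Constructed model of the posted filters: name -> regexp applied to HOST,
# as syslog-ng 1.x host() does (unanchored, dot matches any character).
FILTERS = {
    "f_pix":    r"192.168.10.1",
    "f_liss":   r"192.168.10.3",
    "f_router": r"192.168.201.5|192.168.250.10",
    "f_rrwk":   r"192.168.100.192",
    "f_neko":   r"192.168.100.190",
    "f_prt2":   r"192.168.110.22",
}

# Constructed model of the posted log statements:
# (filter name or None for "no filter", destinations, has flags(fallback))
LOG_PATHS = [
    ("f_pix",    ["d_pix", "d_cons_pix"], False),
    ("f_liss",   ["d_liss"],              False),
    ("f_router", ["d_router"],            False),
    ("f_rrwk",   ["d_rrwk"],              False),
    ("f_prt2",   ["d_prt2"],              False),
    ("f_neko",   ["d_neko"],              False),
    (None,       ["d_netrest"],           True),
]


def route(host, filters=FILTERS, log_paths=LOG_PATHS):
    """Return the destinations a message with the given HOST field reaches.

    Non-fallback statements are evaluated independently, so one message can
    hit several.  Fallback statements are consulted only when nothing else
    matched, which is what flags(fallback) means.
    """
    def hit(flt):
        return flt is None or re.search(filters[flt], host) is not None

    dests = [d for flt, targets, fb in log_paths if not fb and hit(flt)
             for d in targets]
    if not dests:
        dests = [d for flt, targets, fb in log_paths if fb and hit(flt)
                 for d in targets]
    return dests


def anchored(pattern):
    """Assumed hardening: escape the dots and anchor the alternatives so the
    filter matches the literal address only, not 192x168x10x1 or 192.168.10.10."""
    alts = "|".join(re.escape(p) for p in pattern.split("|"))
    return "^(" + alts + ")$"


HARDENED_FILTERS = {name: anchored(p) for name, p in FILTERS.items()}


if __name__ == "__main__":
    # Constructed HOST values: two addresses from the posted config, a plain
    # hostname, and a neighbour address that the unanchored f_pix also catches.
    for host in ["192.168.10.1", "192.168.100.192", "ntserver01", "192.168.10.10"]:
        print(f"{host:16} posted:   {route(host)}")
        print(f"{host:16} anchored: {route(host, HARDENED_FILTERS)}")
```

Two things worth checking against a real loghost when a message lands in the fallback path: print the HOST field syslog-ng assigned (for example with a destination template using $HOST) and compare it character by character with the filter string, and remember that an unanchored regexp such as "192.168.10.1" also matches 192.168.10.10 through 192.168.10.19, which the anchored form above avoids.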