[syslog-ng]syslog-ng misinterpreting messages from Enterasys Routers.

Ted_Rule@flextech.co.uk
Thu, 23 Jan 2003 11:21:24 +0000


Having finally bitten the bullet and installed syslog-ng (libol-0.3.6 / syslog-ng-1.5.24), I've only come across one problem... syslog messages from our Enterasys Routers are being corrupted. All Unix and Cisco messages appear OK.

As an example, these raw packets from an SSR and a Cisco:

tcpdump -s 512 -x -e -l -n udp and port 514 and host fttv-gps-core-ssrA | tcpdumpascii.pl
tcpdump: listening on eth0
10:29:54.111864 0:e0:63:93:25:bf 0:50:8b:f3:93:46 ip 100: 192.168.32.11.4739 > 172.17.12.6.syslog:  udp 58
         4500 0056 73a2 0000 3f11 6f2a c0a8 200b        E..Vs...?.o*.. .
         ac11 0c06 1283 0202 0042 b5ba 3c31 3838        .........B..<188
         3e4a 616e 2032 3320 3130 3a32 393a 3533        >Jan 23 10:29:53
         2025 434f 4e53 2d57 2d42 4144 5041 5353         %CONS-W-BADPASS
         5744 2c20 696e 636f 7272 6563 7420 7061        WD, incorrect pa
         7373 776f 7264                                 ssword

1 packets received by filter
0 packets dropped by kernel

tcpdump -s 512 -x -e -l -n udp and port 514 and host gps-enterprise-cisco-e0 | tcpdumpascii.pl
tcpdump: listening on eth0
10:30:44.037939 0:10:7b:80:f:fb 0:50:8b:f3:93:46 ip 138: 172.17.8.76.8800 > 172.17.12.6.syslog:  udp 96
         4500 007c 29b5 0000 ff11 2547 ac11 084c        E..|).....%G...L
         ac11 0c06 2260 0202 0068 187a 3c31 3839        ...."`...h.z<189
         3e31 3036 3737 3a20 4a61 6e20 3233 2031        >10677: Jan 23 1
         303a 3330 3a34 3320 474d 543a 2025 5359        0:30:43 GMT: %SY
         532d 352d 434f 4e46 4947 5f49 3a20 436f        S-5-CONFIG_I: Co
         6e66 6967 7572 6564 2066 726f 6d20 636f        nfigured from co
         6e73 6f6c 6520 6279 2076 7479 3020 2831        nsole by vty0 (1
         3732 2e31 372e 3132 2e37 3229                  72.17.12.72)


Resulting in this in the log:

Jan 23 10:29:53 %CONS-W-BADPASSWD, incorrect password
Jan 23 10:30:44 gps-enterprise-cisco-e0 10677: Jan 23 10:30:43 GMT: %SYS-5-CONFIG_I: Configured from console by vty0 (172.17.12.72)


It looks as if syslog-ng is assuming %CONS-W-BADPASSWD is a hostname.... and the Cisco message picks up a hostname via DNS, which is NOT included in the packet.


I note that version 1.5.25 has a bad_hostname() option. Is it possible that this may be used to alleviate this issue, or is some other workaround needed? I'm guessing "keep_hostname(no)" might fix it, but would that potentially lead to other problems? Is there a summary of the algorithm which syslog-ng uses to determine whether the message contains a hostname?



Current options settings are laid out below.


...............

# Global Options Settings
options {
        chain_hostnames(no);
        keep_hostname (yes);
        use_dns (yes);
        use_fqdn (no);
        long_hostnames (off);
        dns_cache(yes);
        dns_cache_size(100);
        dns_cache_expire(600);
        dns_cache_expire_failed(120);

        create_dirs (no);
        dir_owner(root);
        dir_group(root);
        dir_perm(0755);
        owner(root);
        group(root);
        perm(0600);

        stats(120);

        sync(10);
        time_reopen (10);
        time_reap(20);

        use_time_recvd(no);

        log_fifo_size (1000);
        log_msg_size (1024);

        gc_idle_threshold(100); ### default 100
        gc_busy_threshold(3000); ### default 3000
        };

...............


Thanks,


Ted
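The ambiguity Ted describes can be reproduced outside syslog-ng. The parser below is an added example, not code from the original mail and not syslog-ng's own hostname-detection code: it is a deliberately simplified BSD-syslog header parser whose hostname rule (first token after the timestamp is taken as the hostname unless it ends in ':' or matches a bad_hostname regex, otherwise the sender's name is used) reproduces the two log lines seen above from the two payloads in the packet dumps. The sender-to-name table standing in for use_dns(yes) is constructed from the "host ..." filters in the tcpdump commands, and the received timestamps are the packet times from the dumps. The keep_hostname and bad_hostname parameters are hypothetical stand-ins for the syslog-ng options of the same name.

```python
import re

# Constructed stand-in for use_dns(yes): sender address -> DNS name, taken
# from the "host ..." filters in the two tcpdump commands above.
DNS = {
    "192.168.32.11": "fttv-gps-core-ssrA",
    "172.17.8.76": "gps-enterprise-cisco-e0",
}

# UDP payloads reconstructed from the ASCII column of the two packet dumps,
# with the sender address and the packet (receipt) time from the same dumps.
ENTERASYS = (b"<188>Jan 23 10:29:53 %CONS-W-BADPASSWD, incorrect password",
             "192.168.32.11", "Jan 23 10:29:54")
CISCO = (b"<189>10677: Jan 23 10:30:43 GMT: %SYS-5-CONFIG_I: "
         b"Configured from console by vty0 (172.17.12.72)",
         "172.17.8.76", "Jan 23 10:30:44")

PRI_RE = re.compile(r"<(\d{1,3})>")                       # <PRI> = facility*8 + severity
TS_RE = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # BSD "Mmm dd hh:mm:ss "


def parse(payload, sender, received, keep_hostname=True, bad_hostname=None):
    """Split one BSD-syslog datagram into facility, severity, timestamp, host, msg.

    Hostname rule (a simplification that reproduces the behaviour in the post,
    NOT syslog-ng's actual code): with keep_hostname the first token after the
    timestamp is accepted as the hostname unless it ends in ':' (a sequence or
    program field, as in the Cisco message) or matches the hypothetical
    bad_hostname regex; in every other case the sender's DNS name is used.
    """
    text = payload.decode("ascii")
    m = PRI_RE.match(text)
    if not m:
        raise ValueError("missing <PRI>")
    facility, severity = divmod(int(m.group(1)), 8)
    rest = text[m.end():]

    m = TS_RE.match(rest)
    if m:
        timestamp, rest = m.group(0).rstrip(), rest[m.end():]
    else:
        # No leading timestamp (Cisco puts a sequence number first): use the
        # time the datagram was received, as the log line above shows.
        timestamp = received

    token, _, after = rest.partition(" ")
    looks_like_host = (keep_hostname
                       and not token.endswith(":")
                       and not (bad_hostname and re.search(bad_hostname, token)))
    if looks_like_host:
        host, msg = token, after
    else:
        host, msg = DNS.get(sender, sender), rest
    return {"facility": facility, "severity": severity,
            "timestamp": timestamp, "host": host, "msg": msg}


def logline(parsed):
    """Render the same "timestamp host msg" layout as the log excerpt above."""
    return f"{parsed['timestamp']} {parsed['host']} {parsed['msg']}"


if __name__ == "__main__":
    print("as configured (keep_hostname yes):")
    print(" ", logline(parse(*ENTERASYS)))   # hostname field swallows %CONS-W-BADPASSWD,
    print(" ", logline(parse(*CISCO)))       # "10677:" rejected, DNS name of sender used
    print('with bad_hostname("^%"):')
    print(" ", logline(parse(*ENTERASYS, bad_hostname=r"^%")))
    print("with keep_hostname(no):")
    print(" ", logline(parse(*ENTERASYS, keep_hostname=False)))
```

Run stand-alone, the first two lines printed match the two log lines quoted above; a bad_hostname pattern that rejects tokens starting with '%' or keep_hostname(no) both move "%CONS-W-BADPASSWD," back into the message and attribute it to fttv-gps-core-ssrA. Whichever option is chosen, note that a hostname taken from inside the datagram is supplied by the sender and is only as trustworthy as the sender, whereas the source address (or its DNS name) is at least tied to where the packet came from.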