[syslog-ng]syslog-ng misinterpreting messages from Enterasys Routers.

Urmas Jagomann syslog-ng@lists.balabit.hu
Wed, 30 Jul 2003 12:06:09 +0300


Best regards,
Urmas Jagomann
6655424
----- Original Message -----
From: <Ted_Rule@flextech.co.uk>
To: <syslog-ng@lists.balabit.hu>
Sent: Thursday, January 23, 2003 2:21 PM
Subject: [syslog-ng]syslog-ng misinterpreting messages from Enterasys Routers.


>
>
> Having finally bitten the bullet and installed syslog-ng ( libol-0.3.6 /
> syslog-ng-1.5.24 ), I've only come across one problem... syslog messages
> from our Enterasys Routers are being corrupted. All Unix and Cisco messages
> appear Ok.
>
> As an example, these raw packets from an SSR and a Cisco:
>
> tcpdump -s 512 -x -e -l -n udp and port 514 and host fttv-gps-core-ssrA | tcpdumpascii.pl
> tcpdump: listening on eth0
> 10:29:54.111864 0:e0:63:93:25:bf 0:50:8b:f3:93:46 ip 100: 192.168.32.11.4739 > 172.17.12.6.syslog:  udp 58
>          4500 0056 73a2 0000 3f11 6f2a c0a8 200b        E..Vs...?.o*.. .
>          ac11 0c06 1283 0202 0042 b5ba 3c31 3838        .........B..<188
>          3e4a 616e 2032 3320 3130 3a32 393a 3533        >Jan 23 10:29:53
>          2025 434f 4e53 2d57 2d42 4144 5041 5353         %CONS-W-BADPASS
>          5744 2c20 696e 636f 7272 6563 7420 7061        WD, incorrect pa
>          7373 776f 7264                                 ssword
>
> 1 packets received by filter
> 0 packets dropped by kernel
>
> tcpdump -s 512 -x -e -l -n udp and port 514 and host gps-enterprise-cisco-e0 | tcpdumpascii.pl
> tcpdump: listening on eth0
> 10:30:44.037939 0:10:7b:80:f:fb 0:50:8b:f3:93:46 ip 138: 172.17.8.76.8800 > 172.17.12.6.syslog:  udp 96
>          4500 007c 29b5 0000 ff11 2547 ac11 084c        E..|).....%G...L
>          ac11 0c06 2260 0202 0068 187a 3c31 3839        ...."`...h.z<189
>          3e31 3036 3737 3a20 4a61 6e20 3233 2031        >10677: Jan 23 1
>          303a 3330 3a34 3320 474d 543a 2025 5359        0:30:43 GMT: %SY
>          532d 352d 434f 4e46 4947 5f49 3a20 436f        S-5-CONFIG_I: Co
>          6e66 6967 7572 6564 2066 726f 6d20 636f        nfigured from co
>          6e73 6f6c 6520 6279 2076 7479 3020 2831        nsole by vty0 (1
>          3732 2e31 372e 3132 2e37 3229                  72.17.12.72)
>
>
> Results in this in the log:
>
> Jan 23 10:29:53 %CONS-W-BADPASSWD, incorrect password
> Jan 23 10:30:44 gps-enterprise-cisco-e0 10677: Jan 23 10:30:43 GMT:
> %SYS-5-CONFIG_I: Configured from console by vty0 (172.17.12.72)
>
>
> It looks as if syslog-ng is assuming %CONS-W-BADPASSWD is a hostname....and
> the Cisco message picks up a hostname via DNS, which is NOT included in the
> packet.
>
>
> I note the version 1.5.25 has a bad_hostname() option. Is it possible that
> this may be used to alleviate this issue, or is some other workaround
> needed? I'm guessing "keep_hostname(no)" might fix it, but would that
> potentially lead to other problems? Is there a summary of the algorithm
> which syslog-ng uses to determine whether the message contains a hostname?
>
>
>
> Current Options settings laid out below.
>
>
> ...............
>
> # Global Options Settings
> options {
>         chain_hostnames(no);
>         keep_hostname (yes);
>         use_dns (yes);
>         use_fqdn (no);
>         long_hostnames (off);
>         dns_cache(yes);
>         dns_cache_size(100);
>         dns_cache_expire(600);
>         dns_cache_expire_failed(120);
>
>         create_dirs (no);
>         dir_owner(root);
>         dir_group(root);
>         dir_perm(0755);
>         owner(root);
>         group(root);
>         perm(0600);
>
>         stats(120);
>
>         sync(10);
>         time_reopen (10);
>         time_reap(20);
>
>         use_time_recvd(no);
>
>         log_fifo_size (1000);
>         log_msg_size (1024);
>
>         gc_idle_threshold(100); ### default 100
>         gc_busy_threshold(3000); ### default 3000
>         };
>
> ...............
>
>
> Thanks,
>
>
> Ted
>
> ************************************************************************************************
> This E-mail message, including any attachments, is intended only for the
> person or entity to which it is addressed, and may contain confidential
> information. If you are not the intended recipient, any review,
> retransmission, disclosure, copying, modification or other use of this
> E-mail message or attachments is strictly forbidden.
> If you have received this E-mail message in error, please contact the
> author and delete the message and any attachments from your computer.
> You are also advised that the views and opinions expressed in this E-mail
> message and any attachments are the author's own, and may not reflect the
> views and opinions of FLEXTECH Television Limited.
> ************************************************************************************************
>
>
> _______________________________________________
> syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
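Ted's question above asks how syslog-ng decides whether the token after the timestamp is a hostname, and the two tcpdump dumps he quotes contain everything needed to reproduce the symptom. The script below is an added illustration, not code from the thread or from syslog-ng itself: it extracts the UDP payload from each quoted hex dump, then parses the BSD syslog line twice, once naively (whatever follows the timestamp is the hostname, which yields the corrupted SSR line from the post) and once with a hostname-shape check plus an optional `bad_hostname` regex. That validating parser is an assumed, simplified model of what the `bad_hostname()` option in 1.5.25 is for, not syslog-ng's actual algorithm, and the `CONS-W-BADPASSWD` sample used with the regex is a constructed message.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The two UDP datagrams from the tcpdump -x output quoted in the post (SSR
# first, Cisco second), copied from the hex columns. Both start at the IPv4 header.
SSR_HEX = """
4500 0056 73a2 0000 3f11 6f2a c0a8 200b
ac11 0c06 1283 0202 0042 b5ba 3c31 3838
3e4a 616e 2032 3320 3130 3a32 393a 3533
2025 434f 4e53 2d57 2d42 4144 5041 5353
5744 2c20 696e 636f 7272 6563 7420 7061
7373 776f 7264
"""
CISCO_HEX = """
4500 007c 29b5 0000 ff11 2547 ac11 084c
ac11 0c06 2260 0202 0068 187a 3c31 3839
3e31 3036 3737 3a20 4a61 6e20 3233 2031
303a 3330 3a34 3320 474d 543a 2025 5359
532d 352d 434f 4e46 4947 5f49 3a20 436f
6e66 6967 7572 6564 2066 726f 6d20 636f
6e73 6f6c 6520 6279 2076 7479 3020 2831
3732 2e31 372e 3132 2e37 3229
"""

UDP_HEADER_LEN = 8


def udp_payload(hex_dump: str) -> bytes:
    """Return the UDP payload of a tcpdump -x dump that starts at the IPv4 header."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    ihl = (raw[0] & 0x0F) * 4                              # IP header length (IHL nibble)
    udp_len = int.from_bytes(raw[ihl + 4:ihl + 6], "big")  # UDP length includes its 8-byte header
    return raw[ihl + UDP_HEADER_LEN:ihl + udp_len]


PRI_RE = re.compile(r"^<(\d{1,3})>")
BSD_TS_RE = re.compile(
    r"^(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d \d\d:\d\d:\d\d ")
# Hostname shape accepted by the validating parser: dot-separated labels of
# letters, digits and hyphens (this also admits dotted-quad IPv4 addresses).
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$")


@dataclass
class SyslogRecord:
    facility: int
    severity: int
    timestamp: Optional[str]  # None: no BSD timestamp in the packet, receiver supplies it
    hostname: Optional[str]   # None: no hostname in the packet, receiver uses sender address
    message: str


def parse_bsd_syslog(payload: bytes, validate: bool = True,
                     bad_hostname: Optional[str] = None) -> SyslogRecord:
    """Split <PRI>TIMESTAMP HOSTNAME MSG. validate=False takes whatever follows the
    timestamp as the hostname (the behaviour the post observed); validate=True only
    accepts a hostname-shaped token not matched by the assumed bad_hostname regex."""
    text = payload.decode("ascii", errors="replace")
    m = PRI_RE.match(text)
    if m is None:
        raise ValueError("datagram does not start with <PRI>")
    pri = int(m.group(1))
    rest = text[m.end():]

    timestamp = None
    tm = BSD_TS_RE.match(rest)
    if tm:
        timestamp = tm.group(0).rstrip()
        rest = rest[tm.end():]

    hostname = None
    token, sep, after = rest.partition(" ")
    if timestamp is not None and sep:
        looks_like_host = HOSTNAME_RE.match(token) is not None
        if bad_hostname is not None and re.search(bad_hostname, token):
            looks_like_host = False
        if not validate or looks_like_host:
            hostname = token
            rest = after

    return SyslogRecord(pri >> 3, pri & 7, timestamp, hostname, rest)


def classify_dumps(validate: bool) -> dict:
    """Parse both captured datagrams; returns {device: (hostname, message)}."""
    out = {}
    for name, dump in (("ssr", SSR_HEX), ("cisco", CISCO_HEX)):
        rec = parse_bsd_syslog(udp_payload(dump), validate=validate)
        out[name] = (rec.hostname, rec.message)
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print("validate =", mode)
        for dev, (host, msg) in classify_dumps(mode).items():
            print(f"  {dev:5s} hostname={host!r} message={msg!r}")
```

With `validate=False` the SSR datagram comes out as hostname `%CONS-W-BADPASSWD,` and message `incorrect password`, exactly the corrupted line in the post; with validation the `%` and trailing comma fail the hostname-shape check and the whole text stays in the message. The Cisco datagram has no BSD timestamp at all (it begins with a sequence number), so neither mode extracts a hostname and the receiver falls back to the sender address, which is why that line picks up a DNS name that is not in the packet. A `bad_hostname` pattern is only needed for tokens that pass the shape check but are known not to be hosts.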