[syslog-ng] problem with incorrect separation of syslog messages from Cisco PIX

syslog-ng@lists.balabit.hu syslog-ng@lists.balabit.hu
Wed, 4 Jun 2003 10:55:21 +0100


At blooming last....and FYI.

Having now upgraded our PIX to version 6.3, and enabled TCP logging on port
1468... I can see that all messages (in raw tcpdump trace) are newline
terminated (note the 0a HEX bytes in the packet dump).

I can also see that the 255 byte buffer length problem has been sorted out,
as I can now see these messages in full.
(They used to truncate halfway through the dest_proxy definition...)

Jun  4 10:26:05 littlepix %PIX-7-702303: sa_request, (key eng. msg.) src=
11.11.11.11, dest= 22.22.22.22,
     src_proxy= 11.11.110/255.255.255.0/0/0 (type=4), dest_proxy=
22.22.22.128/255.255.255.192/0/0 (type=4),
     protocol= ESP, transform= esp-3des esp-sha-hmac ,
     lifedur= 1200s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags=
0x4004
Jun  4 10:26:05 littlepix %PIX-7-702303: sa_request, (key eng. msg.) src=
11.11.11.11, dest= 22.22.22.22,
     src_proxy= 11.11.110/255.255.255.0/0/0 (type=4), dest_proxy=
22.22.22.128/255.255.255.192/0/0 (type=4),
     protocol= ESP, transform= esp-3des esp-md5-hmac ,
     lifedur= 1200s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags=
0x4004

The only problem so far is that these messages have appeared (for some reason
they didn't show up in the Version 6.2 log stream but ARE listed
on the syslog message listings for 6.2). I shall have to fancify my log
filtering to suppress them....
They all correspond to regular MGMT station SNMP polling and are ignorable but
are gradually filling the log...

Jun  4 10:10:31 littlepix %PIX-7-710002: UDP access permitted from
33.33.33.4/943 to inside:33.33.33.15/snmp
Jun  4 10:11:31 littlepix %PIX-7-710002: UDP access permitted from
33.33.33.4/9903 to inside:33.33.33.15/snmp
Jun  4 10:11:42 littlepix %PIX-7-710002: UDP access permitted from
33.33.33.4/10159 to inside:33.33.33.15/snmp


Whether or not any problems exist using the UDP syslog transport on the PIX
under v6.3, I haven't actually tested,
but I'd be fairly confident they've also been fixed....


All in all v6.3 has fixed up all my outstanding issues with PIX syslogging.


Ted
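An added example, not part of Ted's message or of syslog-ng's own code: a small Python model of the two points the message touches on, newline framing of the TCP log stream (so a PIX record that arrives split across two TCP segments is reassembled rather than separated incorrectly) and a filter that drops the %PIX-7-710002 SNMP-poll records. The sample segments are constructed from the log lines quoted above; the poller address and the filter's match criteria are assumptions.

```python
import re

# Cisco PIX syslog record as it appears in the TCP stream (one line per record):
# "<timestamp> <host> %PIX-<severity>-<message id>: <text>"
PIX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)


class NewlineFramer:
    """Reassembles newline-terminated records from a TCP byte stream.

    Segments may carry any number of bytes; a record is only emitted once its
    trailing 0x0a has been seen, so a record split across two segments is
    never treated as two separate messages."""

    def __init__(self):
        self.buf = b""

    def feed(self, chunk):
        self.buf += chunk
        records = []
        while (nl := self.buf.find(b"\n")) >= 0:
            line, self.buf = self.buf[:nl], self.buf[nl + 1:]
            records.append(line.rstrip(b"\r").decode("ascii", "replace"))
        return records


def parse_pix(line):
    m = PIX_RE.match(line)
    return m.groupdict() if m else None


def keep(msg):
    # Assumed filter: drop 710002 (UDP access permitted) records for SNMP polls
    # coming from the management station 33.33.33.4; everything else is kept.
    return not (msg["msgid"] == "710002"
                and msg["text"].startswith("UDP access permitted from 33.33.33.4/")
                and msg["text"].endswith("/snmp"))


# Constructed TCP segments: the second record is cut in the middle of src_proxy.
SEGMENTS = [
    b"Jun  4 10:10:31 littlepix %PIX-7-710002: UDP access permitted from "
    b"33.33.33.4/943 to inside:33.33.33.15/snmp\n"
    b"Jun  4 10:26:05 littlepix %PIX-7-702303: sa_request, (key eng. msg.) "
    b"src= 11.11.11.11, dest= 22.22.22.22, src_proxy= 11.11.110/255.",
    b"255.255.0/0/0 (type=4), dest_proxy= 22.22.22.128/255.255.255.192/0/0 "
    b"(type=4), protocol= ESP\n",
]


def process(segments):
    """Returns (kept parsed records, bytes still waiting for a newline)."""
    framer, kept = NewlineFramer(), []
    for seg in segments:
        for rec in framer.feed(seg):
            msg = parse_pix(rec)
            if msg is not None and keep(msg):
                kept.append(msg)
    return kept, framer.buf
```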
