[syslog-ng]syslog-ng-1.6.0rc3 - problem with incorrect separation of syslog messages from Cisco PIX

email lists syslog-ng@lists.balabit.hu
Sun, 11 May 2003 18:05:41 +1000


Hi,

We have upgraded to 1.6.0 RC3 for program() template support (i.e. to pipe
directly to stdin of psql). Since the upgrade, we have also had a
requirement to enable PIX URL logging and IPSec ISAKMP SA logging. As a
consequence, we have found numerous syslog entries where the record
following the PIX URL log entry is merged with the URL log entry.

Target system - redhat 8.0 / kernel-2.4.18-26.8.0 / glibc-2.2.93-5 /
gcc-3.2-7 with libol 0.3.9.

Standard syslog to file:

May 10 11:51:02 192.168.100.252 May 10 2003 01:51:02: %PIX-7-702301:
lifetime expiring, (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi=
0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1,
(identity) local= 10.0.0.1, remote= 10.1.1.1, local_proxy= 192<166>May
10 2003 01:51:02: %PIX-6-602302: deleting SA, (sa) sa_dest= 10.0.0.1,
sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des
esp-md5-hmac , sa_conn_id= 1

The same syslog message SQL formatted to file - same template as
program():

BEGIN; INSERT INTO rawlogs (host, datetime, facility, priority, level,
tag, program, msg) VALUES ('192.168.100.252', '2003-05-10 11:51:02',
'local4', 'debug', 'debug', 'a7', 'May', 'May 10 2003 01:51:02:
%PIX-7-702301: lifetime expiring, (sa) sa_dest= 10.0.0.1, sa_prot= 50,
sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac ,
sa_conn_id= 1, (identity) local= 10.0.0.1, remote= 10.1.1.1,
local_proxy= 192<166>May 10 2003 01:51:02: %PIX-6-602302: deleting SA,
(sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi= 0xe859748d(3898176653),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1'); COMMIT;

TCP logging is used (too many messages lost when using UDP).

There are also other instances where syslog messages have been merged
together.

More samples of the above can be supplied if necessary, provided a direct
e-mail address of a developer is given - I am reluctant to send such
data to the list. IP addresses contained in the log entries have also
been changed.

TIA,

Darren

syslog-ng.conf that generated the above data:

options { sync (0);
          time_reopen (10);
          log_fifo_size (8192);
          long_hostnames (off);
          use_dns (no);
          use_fqdn (no);
          use_time_recvd (yes);
          create_dirs (yes);
          keep_hostname (yes);
          perm (0644);
          owner (root);
          group (root);
          dir_perm (0644);
          dir_owner (root);
          dir_group (root);
        };

source s_tcp { tcp(port(10514) max-connections(64)); };
source s_udp { udp(port(514)); };

destination rawsyslog {
        file("/monitor/syslog-ng/data/rawsyslog-$YEAR-$MONTH-$DAY");
};

# one INSERT per message; template-escape(yes) quotes the single quotes
# that may occur inside $MSG before it is placed in the SQL string
destination syslog2pgsql {
        file("/monitor/syslog-ng/data/syslog2pgsql-$YEAR-$MONTH-$DAY"
        template("BEGIN; INSERT INTO rawlogs (host, datetime, facility,
priority, level, tag, program, msg) VALUES ('$HOST',
'$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$FACILITY', '$PRIORITY', '$LEVEL',
'$TAG', '$PROGRAM', '$MSG'); COMMIT;\n")
        template-escape(yes));
};

log { source(s_udp); destination(syslog2pgsql); };
log { source(s_tcp); destination(syslog2pgsql); };

log { source(s_udp); destination(rawsyslog); };
log { source(s_tcp); destination(rawsyslog); };
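As an added example (not part of Darren's post, nor syslog-ng code), a small Python check that finds a stray <PRI> header inside a line already written to the rawsyslog file and splits the merged records apart, so an audit of the stored files can count how many PIX events (such as the 602302 SA-deletion above) were swallowed into the preceding row and mis-attributed to its facility and severity. It assumes the PIX timestamp and %PIX-x-nnnnnn tag formats shown in the post; the sample line is the one quoted above with the quoted-printable escapes decoded.

```python
import re

# A syslog PRI header "<N>" (N = facility*8 + severity, 0..191) belongs only at
# the very start of a record. One further along a line, directly followed by a
# PIX timestamp or %PIX-x-nnnnnn tag, marks two records merged into one line.
EMBEDDED_PRI = re.compile(r"<(\d{1,3})>(?=[A-Z][a-z]{2} +\d{1,2} |%[A-Z]+-\d-\d+)")

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def pri_to_names(pri):
    """Decode a PRI value into (facility, severity) names; None if out of range."""
    if not 0 <= pri <= 191:
        return None
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def split_merged(line):
    """Return [(pri, text), ...]: the leading fragment (pri=None unless the line
    starts with its own PRI) followed by every record swallowed into this line.
    A clean line comes back as a single-element list."""
    records, last, pri = [], 0, None
    for m in EMBEDDED_PRI.finditer(line):
        n = int(m.group(1))
        if n > 191:
            continue                    # not a valid PRI value, leave it alone
        if m.start() == 0:
            pri, last = n, m.end()      # a leading PRI is the normal case
            continue
        records.append((pri, line[last:m.start()]))
        pri, last = n, m.end()
    records.append((pri, line[last:]))
    return records

# Constructed sample: the merged line quoted in the post, with the mail client's
# quoted-printable "=3D" decoded back to "=" (addresses are the sanitised ones).
SAMPLE = ("May 10 11:51:02 192.168.100.252 May 10 2003 01:51:02: %PIX-7-702301: "
          "lifetime expiring, (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi= "
          "0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1, "
          "(identity) local= 10.0.0.1, remote= 10.1.1.1, local_proxy= 192<166>May "
          "10 2003 01:51:02: %PIX-6-602302: deleting SA, (sa) sa_dest= 10.0.0.1, "
          "sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des "
          "esp-md5-hmac , sa_conn_id= 1")

if __name__ == "__main__":
    for pri, text in split_merged(SAMPLE):
        print(pri, pri_to_names(pri) if pri is not None else "-", text[:50])
```

Run over the rawsyslog files, any line that yields more than one record is a row whose SQL copy carries a second event under the first event's facility and severity.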