[syslog-ng]syslog-ng-1.6.0rc3 - problem with incorrect separation of syslog messages from Cisco PIX

Balazs Scheidler syslog-ng@lists.balabit.hu
Sun, 11 May 2003 11:47:11 +0200


On Sun, May 11, 2003 at 06:05:41PM +1000, email lists wrote:
> Hi,
> 
> We have upgraded to 1.6.0 RC3 for program() template support (ie - pipe
> directly to stdin of psql). Since the upgrade, we have also had a
> requirement to enable PIX URL logging and IPSec ISAKMP SA logging. As a
> consequence, we have found numerous syslog entries where the record
> following the PIX URL log entry is merged with the URL log entry.
> 
> Target system - redhat 8.0 / kernel-2.4.18-26.8.0 / glibc-2.2.93-5 /
> gcc-3.2-7 with libol 0.3.9.
> 
> Standard syslog to file:
> 
> May 10 11:51:02 192.168.100.252 May 10 2003 01:51:02: %PIX-7-702301:
> lifetime expiring, (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi=
> 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1,
> (identity) local= 10.0.0.1, remote= 10.1.1.1, local_proxy= 192<166>May
> 10 2003 01:51:02: %PIX-6-602302: deleting SA, (sa) sa_dest= 10.0.0.1,
> sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des
> esp-md5-hmac , sa_conn_id= 1
> 
> The same syslog message SQL formated to file - same template as
> program():
> 
> BEGIN; INSERT INTO rawlogs (host, datetime, facility, priority, level,
> tag, program, msg) VALUES ('192.168.100.252', '2003-05-10 11:51:02',
> 'local4', 'debug', 'debug', 'a7', 'May', 'May 10 2003 01:51:02:
> %PIX-7-702301: lifetime expiring, (sa) sa_dest= 10.0.0.1, sa_prot= 50,
> sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac ,
> sa_conn_id= 1, (identity) local= 10.0.0.1, remote= 10.1.1.1,
> local_proxy= 192<166>May 10 2003 01:51:02: %PIX-6-602302: deleting SA,
> (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi= 0xe859748d(3898176653),
> sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1'); COMMIT;
> 
> TCP logging is used (too many messages lost when using UDP). 

Can you send me a tcpdump of the syslog traffic which shows this behaviour?
Alternatively you can also send me an strace snippet, provided you increase
the number of characters shown in strings (so that all details can be seen).

> 
> There are also other instances where syslog messages have been merged
> together.
> 
> More samples of the above can be supplied if necessary if a direct
> e-mail address of a developer is provided - I am reluctant to send such
> data to the list. IP addresses containe in the log entries have also
> been changed.

You can send me the dumps privately in direct mail.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
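The glued record quoted above has a recognisable shape: the first message is cut off mid-field ("local_proxy= 192") and the next message, complete with its own "<166>" priority prefix and PIX timestamp, is appended to it. That shape can be detected after the fact. What follows is an added example, not code from the syslog-ng project or from either poster: a small Python parser that reads a newline-delimited TCP syslog stream, re-splits any line that carries a second "<PRI>" followed by a PIX header, decodes facility and severity from the PRI (167 -> local4.debug, 166 -> local4.info, matching the SQL row in the report), and flags the truncated first half. It assumes that the PIX prefixes every message with an RFC 3164 "<PRI>" and starts every body with its own timestamp and "%PIX-level-id:" tag, as the posted samples show. The sample stream is constructed from the posted records plus one made-up, normally terminated record.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# RFC 3164 facility and severity names (standard syslog numbering).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# "<166>" style priority prefix.
PRI_RE = re.compile(r"<(\d{1,3})>")
# Start of a PIX message body: its own timestamp followed by the %PIX-<level>-<id>: tag,
# e.g. "May 10 2003 01:51:02: %PIX-6-602302:" (assumed format, taken from the posted samples).
PIX_HEAD_RE = re.compile(r"[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}: %PIX-(\d)-(\d+):")


@dataclass
class Record:
    pri: int            # numeric <PRI> as sent
    facility: str       # decoded from pri // 8
    severity: str       # decoded from pri % 8
    pix_level: int      # level digit from the %PIX-<level>-<id> tag (-1 if absent)
    msg: str            # body after the <PRI>
    truncated: bool     # True when another record was found glued onto the end of this one


def decode_pri(pri: int) -> Tuple[str, str]:
    """Map a syslog PRI value to (facility, severity) names."""
    facility, severity = divmod(pri, 8)
    fac_name = FACILITIES[facility] if facility < len(FACILITIES) else f"facility{facility}"
    return fac_name, SEVERITIES[severity]


def split_glued(line: str) -> List[str]:
    """Cut one line wherever a <PRI> followed by a PIX header appears after offset 0.

    A '<' and digits inside a message body (URLs, SA dumps) do not trigger a cut
    unless a PIX timestamp and %PIX tag immediately follow, which keeps false positives low.
    """
    cuts = [m.start() for m in PRI_RE.finditer(line)
            if m.start() > 0 and PIX_HEAD_RE.match(line, m.end())]
    parts, start = [], 0
    for cut in cuts:
        parts.append(line[start:cut])
        start = cut
    parts.append(line[start:])
    return parts


def parse_stream(raw: bytes) -> List[Record]:
    """Parse a newline-delimited TCP syslog stream, re-splitting merged records."""
    records: List[Record] = []
    for line in raw.decode("ascii", errors="replace").split("\n"):
        if not line:
            continue
        pieces = split_glued(line)
        for i, piece in enumerate(pieces):
            m = PRI_RE.match(piece)
            pri = int(m.group(1)) if m else 13          # RFC 3164: a missing PRI means <13>
            body = piece[m.end():] if m else piece
            head = PIX_HEAD_RE.match(body)
            pix_level = int(head.group(1)) if head else -1
            facility, severity = decode_pri(pri)
            records.append(Record(pri, facility, severity, pix_level, body,
                                  truncated=i < len(pieces) - 1))
    return records


def merged_records(records: List[Record]) -> List[Record]:
    """Records that carried a second message on their tail; their own body is cut off."""
    return [r for r in records if r.truncated]


# Constructed sample: the glued pair quoted in the report (first record cut at 'local_proxy= 192'),
# followed by a normally terminated record with a made-up timestamp.
SAMPLE = (
    b"<167>May 10 2003 01:51:02: %PIX-7-702301: lifetime expiring, (sa) sa_dest= 10.0.0.1, "
    b"sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1, "
    b"(identity) local= 10.0.0.1, remote= 10.1.1.1, local_proxy= 192"
    b"<166>May 10 2003 01:51:02: %PIX-6-602302: deleting SA, (sa) sa_dest= 10.0.0.1, sa_prot= 50, "
    b"sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1\n"
    b"<166>May 10 2003 01:51:03: %PIX-6-602302: deleting SA, (sa) sa_dest= 10.0.0.1, sa_prot= 50\n"
)

if __name__ == "__main__":
    for r in parse_stream(SAMPLE):
        flag = " [TRUNCATED, next record was glued on]" if r.truncated else ""
        print(f"<{r.pri}> {r.facility}.{r.severity} pix-level={r.pix_level}{flag}: {r.msg[:60]}...")
```

Because the merged text survives verbatim in the msg column of the SQL row shown in the report, the same split_glued() check can be run over rows already stored in the rawlogs table to count how many records were affected and which first halves are unusable. The pix_level field gives a second sanity check: the level digit in the "%PIX-N-" tag should equal pri % 8 for every record (7 for <167>, 6 for <166>), so a mismatch points at a record whose PRI and body do not belong together.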