[syslog-ng]Problems with Netscreen log entries

Philip Webster syslog-ng@lists.balabit.hu
Thu, 06 Jan 2005 15:58:32 +1000


Bazsi,

Balazs Scheidler wrote:
> On Mon, 2004-08-09 at 15:20, Paul Mindeman wrote:
> 
>>Running syslog-ng 1.6.4 on Solaris 9
>>
>>Log entries from my UNIX devices log fine.  Log entries from my 
>>Netscreen devices seem to be missing the end of line terminator, as the 
>>entries run together in the log file.  The default syslog daemon was 
>>able to handle these entries fine.  Any ideas on how to fix this?
>>
>>The options in the syslog-ng.conf file are:
>>
>>options { sync (0);
>>           time_reopen (10);
>>           log_fifo_size (1000);
>>           long_hostnames (off);
>>           use_dns (no);
>>           use_fqdn (no);
>>           create_dirs (no);
>>           keep_hostname (yes);
>>         };
> 
> 
> Can you give me a tcpdump snippet to see how a netscreen log message is
> formatted? Please make sure that you snap the complete packet (-s
> option).
> 
> tcpdump -xXpeni ethX  port 514 and udp
> 
> should do the trick.
> 

I'm seeing the same problem as listed above, but did not see a solution 
posted.  I've included a tcpdump listing of a sample packet below.  All 
packets seem to be null terminated, but do not contain a newline.  The sending 
device is a Netscreen ISG2000 and the receiver is syslog-ng 1.6.3 running on 
Red Hat Linux Advanced Server release 2.1AS.

If the logs are sent from the ISG to a FreeBSD host running standard syslog, 
and then forwarded from there to the syslog-ng host, a newline is present in 
the logs on both servers.

Any thoughts?
Phil

11:04:03.044944 IP 10.40.44.3.2148 > 10.224.8.2.syslog: UDP, length 146
         0x0000:  00d0 b7a8 8008 0010 db86 5e80 0800 4500  ..........^...E.
         0x0010:  00ae 07b9 0000 4011 297a 0a28 2c03 0ae0  ......@.)z.(,...
         0x0020:  0802 0864 0202 009a 8108 3c31 3636 3e67  ...d......<166>g
         0x0030:  702d 6564 6765 2d66 773a 204e 6574 5363  p-edge-fw:.NetSc
         0x0040:  7265 656e 2064 6576 6963 655f 6964 3d67  reen.device_id=g
         0x0050:  702d 6564 6765 2d66 7720 205b 526f 6f74  p-edge-fw..[Root
         0x0060:  5d73 7973 7465 6d2d 696e 666f 726d 6174  ]system-informat
         0x0070:  696f 6e2d 3030 3736 373a 204c 6f63 6b20  ion-00767:.Lock.
         0x0080:  636f 6e66 6967 7572 6174 696f 6e20 656e  configuration.en
         0x0090:  6465 6420 6279 2074 6173 6b20 7373 682d  ded.by.task.ssh-
         0x00a0:  636d 643a 3820 2832 3030 352d 3031 2d30  cmd:8.(2005-01-0
         0x00b0:  3420 3131 3a30 343a 3033 2900            4.11:04:03).
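An added example, not part of this thread or of syslog-ng itself: the Python script below rebuilds the frame from the tcpdump hex dump quoted above, peels off the Ethernet/IPv4/UDP headers, and checks how the NetScreen frames its record. It confirms what Phil observed (146 bytes, trailing 0x00, no newline) and shows the normalization a receiver has to apply before appending datagrams to a flat file. The header offsets assume a plain Ethernet II / IPv4 / UDP capture without VLAN tags, which is what the dump above contains; the `<PRI>` split follows BSD syslog (facility = PRI >> 3, severity = PRI & 7).

```python
import re

# The tcpdump -xX output from the post above, copied verbatim.  Each line is
# offset, hex column, ASCII column; together they form one 188-byte frame.
NETSCREEN_DUMP = """\
0x0000:  00d0 b7a8 8008 0010 db86 5e80 0800 4500  ..........^...E.
0x0010:  00ae 07b9 0000 4011 297a 0a28 2c03 0ae0  ......@.)z.(,...
0x0020:  0802 0864 0202 009a 8108 3c31 3636 3e67  ...d......<166>g
0x0030:  702d 6564 6765 2d66 773a 204e 6574 5363  p-edge-fw:.NetSc
0x0040:  7265 656e 2064 6576 6963 655f 6964 3d67  reen.device_id=g
0x0050:  702d 6564 6765 2d66 7720 205b 526f 6f74  p-edge-fw..[Root
0x0060:  5d73 7973 7465 6d2d 696e 666f 726d 6174  ]system-informat
0x0070:  696f 6e2d 3030 3736 373a 204c 6f63 6b20  ion-00767:.Lock.
0x0080:  636f 6e66 6967 7572 6174 696f 6e20 656e  configuration.en
0x0090:  6465 6420 6279 2074 6173 6b20 7373 682d  ded.by.task.ssh-
0x00a0:  636d 643a 3820 2832 3030 352d 3031 2d30  cmd:8.(2005-01-0
0x00b0:  3420 3131 3a30 343a 3033 2900            4.11:04:03).
"""


def parse_tcpdump_hex(dump: str) -> bytes:
    """Rebuild raw frame bytes from 'tcpdump -x/-X' style lines.

    Columns are separated by two or more spaces, hex groups by one, so the
    hex column is always the second field regardless of the ASCII column."""
    frame = bytearray()
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = re.split(r"\s{2,}", line)
        if len(fields) < 2 or not fields[0].startswith("0x"):
            raise ValueError(f"not a hex dump line: {line!r}")
        frame += bytes.fromhex(fields[1].replace(" ", ""))
    return bytes(frame)


def udp_payload(frame: bytes) -> bytes:
    """Strip Ethernet II / IPv4 / UDP headers (assumed, untagged capture)."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet frame")
    ip = 14
    ihl = (frame[ip] & 0x0F) * 4            # IPv4 header length in bytes
    if frame[ip] >> 4 != 4 or frame[ip + 9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    udp = ip + ihl
    udp_len = int.from_bytes(frame[udp + 4:udp + 6], "big")
    payload = frame[udp + 8:udp + udp_len]
    if len(payload) != udp_len - 8:
        raise ValueError("truncated capture; snap the full packet (-s 0)")
    return payload


def terminator(msg: bytes) -> str:
    """How the sender framed the record: 'newline', 'nul', or 'none'."""
    if msg.endswith(b"\n"):
        return "newline"
    if msg.endswith(b"\x00"):
        return "nul"
    return "none"


def parse_pri(msg: bytes) -> tuple:
    """Split the leading <PRI> into (facility, severity) per BSD syslog."""
    m = re.match(rb"<(\d{1,3})>", msg)
    if not m:
        raise ValueError("missing <PRI>")
    pri = int(m.group(1))
    return pri >> 3, pri & 7


def normalize_record(msg: bytes) -> bytes:
    """Drop any NUL/CR/LF framing the sender used and end with exactly one
    LF, so records appended to a flat file cannot run together."""
    return msg.rstrip(b"\x00\r\n") + b"\n"


def write_records(msgs) -> bytes:
    """What a receiver should write for a sequence of datagrams."""
    return b"".join(normalize_record(m) for m in msgs)


if __name__ == "__main__":
    payload = udp_payload(parse_tcpdump_hex(NETSCREEN_DUMP))
    print(len(payload), terminator(payload), parse_pri(payload))  # 146 nul (20, 6): local4.info
    print(repr(payload[-12:]))
    # Appended raw, two such datagrams run together on one line:
    print(repr(b"".join([payload, payload])[-24:]))
    # After normalization each record sits on its own line:
    print(write_records([payload, payload]).decode())
```

Run it as-is and the second-to-last print shows the NUL-joined records, the last one the two cleanly separated lines. The same `normalize_record` step is what a syslog receiver (or a relay like the FreeBSD syslogd in Phil's setup) effectively performs before writing, which is why the newline reappears once the ISG logs pass through it.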