[syslog-ng] cisco tcp syslog weirdness/merkwuerdigkeit

Blurry obsfucate at gmail.com
Wed Aug 22 14:21:24 CEST 2007


Here is a sample, first some nice ones

Jul 25 13:43:04 144.49.126.22/144.49.126.22 GET
Jul 25 13:43:07 144.49.126.22/144.49.126.22 HELLO
Jul 25 13:43:13 144.49.126.22/144.49.126.22 quit

then

Aug 20 09:59:13 tcpgateway at thishost syslog-ng[12107]: Message length
overflow, line is split, log_msg_size=8192
Aug 20 10:27:53 router01/router01 ernet1/0<191>11463: Aug 20
10:25:52.617 EDT: OSPF: rcv. v:2 t:1 l:48
rid:144.63.255.232<191>11464: aid:144.1.0.0 chk:0 aut:2 keyid:1
seq:0xC64274 from FastEthernet1/0<191>11465: Aug 20 10:26:02.617 EDT:
OSPF: rcv. v:2 t:1 l:48 rid:144.63.255.232<191>11466:       aid:
144.1.0.0 chk:0 aut:2 keyid:1 seq:0xC64276 from
FastEthernet1/0<191>11467: Aug 20 10:26:12.625 EDT: OSPF: rcv. v:2 t:1
l:48 rid:144.63.255.232<191>11468:        aid:144.1.0.0 chk:0 aut:2
keyid:1 seq:0xC64278 from FastEthernet1/0<191>11469: Aug 20
10:26:22.625 EDT: OSPF: rcv. v:2 t:1 l:48
rid:144.63.255.232<191>11470:          aid:14.1.0.0 chk:0 aut:2
keyid:1 seq:0xC6427A from

and continues on for a very long time on one line and then cuts off.
There doesn't seem to be a field sep that I can tell in the file. I
will try a tcpdump also.

Thanks

On 8/22/07, Balazs Scheidler <bazsi at balabit.hu> wrote:
> On Mon, 2007-08-20 at 17:12 -0400, Blurry wrote:
> > When a certain cisco router is set to UDP syslog delivery it creates a
> > unique message for each unique message, duh ! But when this same
> > router is set to TCP syslog, it takes all messages and tacks them back
> > to back until syslog-ng runs out of buffer space in one line. I kept
> > increasing the message log size, but the real problem is that the
> > messages would have to be parsed out of this massive long line. My
> > router guy says he can't make the cisco router behave any differently.
> > How do I handle this problem? Ideas?
>
> Is there any kind of line separator? Can you post a tcpdump or something
> similar that shows what is sent by the router?
>
> Thanks.
>
> --
> Bazsi
>
> _______________________________________________
> syslog-ng maillist  -  syslog-ng at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>
>
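The sample above shows what the TCP stream actually contains: no newline or other field separator, but every message begins with a syslog priority tag (`<191>`) immediately followed by the Cisco sequence number (`11463:`, `11464:`, ...). That is enough to re-frame the stream on the receiving side. The following is an added example, not code from this thread or from syslog-ng: a small Python framer that splits a buffer of back-to-back messages on `<PRI>` markers, keeps a partial trailing message (or a marker torn across two TCP segments) until the next chunk arrives, and decodes facility/severity and the sequence number. The sample chunks are constructed from the OSPF lines in the post; the leading `ernet1/0` fragment is constructed to mimic the torn text seen before the first `<191>` in the post.

```python
import re
from typing import List, Tuple

# Syslog priority tag "<PRI>" with PRI = facility*8 + severity (0..191).
PRI_RE = re.compile(r"<(\d{1,3})>")
# Cisco IOS "service sequence-numbers" prefix that follows the tag: "11463: ".
SEQ_RE = re.compile(r"^(\d+):\s*")


def split_on_pri(buf: str) -> Tuple[List[str], str]:
    """Split back-to-back syslog messages on '<PRI>' markers.

    Returns (complete_messages, remainder). The remainder is everything from
    the last marker onward; it may still be growing, so the caller keeps it
    and prepends it to the next chunk. Text before the first marker (a torn
    fragment) is returned as its own item so nothing is silently dropped.
    Caveat: a literal '<NNN>' inside a message body would also be treated as
    a boundary; this is a heuristic, not real framing.
    """
    starts = [m.start() for m in PRI_RE.finditer(buf) if int(m.group(1)) <= 191]
    if not starts:
        return [], buf
    msgs = []
    if starts[0] > 0:
        msgs.append(buf[:starts[0]])          # leading fragment, no PRI
    for a, b in zip(starts, starts[1:]):
        msgs.append(buf[a:b])
    return msgs, buf[starts[-1]:]


def parse_message(msg: str) -> dict:
    """Decode '<PRI>seq: text' into its parts; fragments get pri=None."""
    m = PRI_RE.match(msg)
    if not m:
        return {"pri": None, "facility": None, "severity": None,
                "seq": None, "text": msg, "fragment": True}
    pri = int(m.group(1))
    rest = msg[m.end():].rstrip("\r\n")
    seq = None
    s = SEQ_RE.match(rest)
    if s:
        seq = int(s.group(1))
        rest = rest[s.end():]
    return {"pri": pri, "facility": pri // 8, "severity": pri % 8,
            "seq": seq, "text": rest, "fragment": False}


class PriFramer:
    """Stateful re-framer: feed TCP chunks in, get parsed messages out."""

    def __init__(self) -> None:
        self.buf = ""

    def feed(self, chunk: str) -> List[dict]:
        self.buf += chunk
        msgs, self.buf = split_on_pri(self.buf)
        return [parse_message(m) for m in msgs]

    def flush(self) -> List[dict]:
        """Emit whatever is left when the connection closes."""
        out = [parse_message(self.buf)] if self.buf else []
        self.buf = ""
        return out


# Constructed sample: the router's raw TCP payload, cut into segments at
# arbitrary points (note the '<191>' tag split across chunks 4 and 5).
SAMPLE_CHUNKS = [
    "ernet1/0",
    "<191>11463: Aug 20 10:25:52.617 EDT: OSPF: rcv. v:2 t:1 l:48 rid:144.63.255.232",
    "<191>11464: aid:144.1.0.0 chk:0 aut:2 keyid:1 seq:0xC64274 from FastEthernet1/0"
    "<191>11465: Aug 20 10:26:02.617 EDT: OSPF: rcv. v:2 t:1 l:48 rid:144.63.255.232",
    "<191>11466: aid:144.1.0.0 chk:0 aut:2 keyid:1 seq:0xC64276 from FastEthernet1/0<1",
    "91>11467: Aug 20 10:26:12.625 EDT: OSPF: rcv. v:2 t:1 l:48 rid:144.63.255.232",
]


def demo() -> List[dict]:
    """Run the constructed chunks through a fresh framer."""
    framer = PriFramer()
    out: List[dict] = []
    for chunk in SAMPLE_CHUNKS:
        out.extend(framer.feed(chunk))
    out.extend(framer.flush())
    return out


if __name__ == "__main__":
    for m in demo():
        print(m["seq"], m["facility"], m["severity"], m["text"][:40])
```

`<191>` decodes to facility 23 (local7, the IOS default) and severity 7 (debugging), which matches the OSPF debug content of the sample. Sequence numbers are worth checking for gaps once the stream is re-framed: a jump in the counter is a cheap indicator that messages were lost or that the heuristic split a message in the wrong place.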
