[syslog-ng] Using syslog-ng as a relay inject unexpected data

Balazs Scheidler bazsi at balabit.hu
Fri Dec 21 10:05:38 CET 2007


On Thu, 2007-12-20 at 14:05 -0700, Allen Bettilyon wrote:
> Thanks for the replies.
> 
> To address a few of the questions:
> 
> 1) the receiving end is a splunk instance
> 2) I have verified the existence of the <number> with tcpdump, so it's not
> the receiving end injecting the value.
> 3) The logs being written locally by syslog-ng do NOT have the number
> injected
> 4) The template didn't seem to fix the problem
> 5) This also happens when using the program() destination
> 
> Below are some details regarding the 2 tests I've run.  The numbers do
> change but not very quickly.  I haven't been able to tell if they increment
> or decrement or are just random.
> 
> Quite perplexing.  I think my next steps will be to recreate this issue on a
> totally separate node and installation of syslog-ng.
> 
> 
> -Allen
> 
> 
> 
> 
> ----- details regarding the udp forwarder-------------
> Below is the destination clause in its entirety with addresses changed to
> protect the innocent.
> I've tried it with and without the NGTOKEN literal just to prove to myself
> that the number was not part of any of the macros.
> 
> destination forwardHost {
>         tcp("1.1.1.1" port(1) template("NGTOKEN $ISODATE $FACILITY $LEVEL
> $MSG\n"));
> };
> 
> Just to sanity check this again, I setup a filter to match local1 traffic
> and forward it while doing a packet capture from the syslog host using
> tcpdump in ASCII mode:
> 
> 13:48:16.736077 IP syslogngHost.47468 > 1.1.1.1.1: P
> 3847271716:3847271778(62) ack 4053481885 win 5840 <nop,nop,timestamp
> 11894280 1181945548>
> E..r4+@.@..)
> .

Here's a snippet of the NEWS file of syslog-ng 1.6.x:

News for the 1.6.3 release
        Thu, 06 May 2004 11:05:46 +0200

	...
        * fixed afunix and afinet destination template handling, do not include
          the PRI value automatically, let the administrator do it
          explicitly in its template

I think you are bitten by this problem, which was fixed in 1.6.3. As you wrote, you
are using 1.6.2, but if you need to update anyway, I'd recommend updating directly
to 2.0.6; the 1.6.x branch is not maintained anymore.

-- 
Bazsi
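A quick way to confirm that the mysterious leading <number> is the syslog PRI that pre-1.6.3 afinet/afunix destinations prepended to the template output: decode it as facility*8 + severity and compare it with the $FACILITY and $LEVEL fields the template itself already emits. This is an added example, not code from the thread or from syslog-ng; the facility/level name tables are assumed to match syslog-ng's macro spelling, and the sample lines are constructed.

```python
import re

# Assumed name tables (RFC 3164 codes, syslog-ng style spelling for $FACILITY / $LEVEL).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Matches an optional leading PRI such as "<142>" followed by the thread's template
# "NGTOKEN $ISODATE $FACILITY $LEVEL $MSG".
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?NGTOKEN (?P<date>\S+) (?P<facility>\S+) "
    r"(?P<level>\S+) (?P<msg>.*)$"
)


def decode_pri(pri):
    """Split a syslog PRI into (facility name, severity name); PRI = facility*8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def check_forwarded_line(line):
    """Report whether a captured line carries an auto-prepended PRI and whether that
    PRI agrees with the facility/level names the template already wrote."""
    m = LINE_RE.match(line)
    if not m:
        return {"parsed": False}
    result = {
        "parsed": True,
        "pri_injected": m.group("pri") is not None,
        "template_facility": m.group("facility"),
        "template_level": m.group("level"),
    }
    if result["pri_injected"]:
        fac, sev = decode_pri(int(m.group("pri")))
        result["pri_facility"] = fac
        result["pri_level"] = sev
        # A consistent match is the signature of syslog-ng's own PRI, not a relay artifact.
        result["consistent"] = fac == m.group("facility") and sev == m.group("level")
    return result
```

For a local1/info message the injected value should be 17*8 + 6 = 142, and it changes only when facility or level changes, which matches the slow drift described above.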
