[syslog-ng] Problems with short messages
Guy Fleegman
network.monger at gmail.com
Fri Feb 8 20:11:40 CET 2008
Hello:
We have a system that sends messages to syslog-ng (latest version
2.0.8, but this has occurred on all 2.x versions so far).
This is what is happening: an application has a message that is too
long for syslog, so it breaks the message into 2 separate syslog
messages. The first one is a length seen in Wireshark of 1066 bytes.
The second packet is either 69 or 70 bytes and it is simply the
leftover characters 0\n\n.
The problem is that the filter in my syslog-ng.conf file is not
catching the second, smaller message. Instead of going to the file I
direct it to, it goes to the default file (which I do not want).
What is causing this packet to not be processed by my filter? Attached
is a copy of the relevant syslog-ng.conf data as well as the actual
Wireshark trace information.
Please advise, and thanks!
-Chris
syslog-ng.conf file:
# UDP syslog source listening on all interfaces, port 514
source all_devices { udp(ip(0.0.0.0) port(514)); };
destination d_catch_all_others {
    file("/var/log/syslog-ng-logs/everything_else.1" perm(0644)
    template(t_default)); };
destination d_pt_network_device {
    file("/var/log/syslog-ng-logs/pt_network_device.1" perm(0644)
    template(t_default)); };
# Everything that did not come from the two network devices
filter f_all_devices { not (host(1.2.3.4) or host(2.3.4.5)); };
# Only the two network devices (parenthesis/typo in the original fixed)
filter f_pt_network_device { host(1.2.3.4) or host(2.3.4.5); };
log { source(all_devices); filter(f_all_devices);
      destination(d_catch_all_others); };
log { source(all_devices); filter(f_pt_network_device);
      destination(d_pt_network_device); };
Here is the Wireshark capture:
No. Time Source Destination Protocol Packet length Info
1 09:14:23.073515 1.2.3.4 9.8.7.6 Syslog 1066
LOCAL2.ERR: Feb 1 09:14:23 auditd: Feb 1 14:14:23 2008 GMT
f_system a_hmon t_geninfo p_major pid: 1372 ruid: 0 euid: 0 pgid: 1372
fid: 0 logid: 0 cmd: 'monitord' domain: HMON edomain: HMON hostname:
perfjupiterb.bwc.state.oh.us +|health
monitor|MON_INFO|MAJOR|SYS|HMONINFO\n=Health Monitor data
follows\n\nuptime_util:\t 32 days\t 5:59\nload_avg:\t
0.10\nmem_percent:\t 6.09\ncpu_percent:\t 0\ntcp_count:\t
19\nudp_count:\t 8\nproxy_info:\t syslogd
\t1\nproxy_info:\t named \t7\nproxy_info:\t squid
\t6\nproxy_info:\t ntpd \t2\nproxy_info:\t
snmpp \t2\nproxy_info:\t pudp
\t63\nproxy_info:\t entrelayd \t3\nproxy_info:\t dnsp
\t2\nproxy_info:\t tcpgsp:(1425) \t2\nproxy_info:\t
warder_auth \t5\nproxy_info:\t sshd
\t2\ntcp_data:\t ESTABLISHED\t13\ntcp_data:\t
TIME_WAIT\t6\ntcp_data:\t FIN_WAIT_1\t0\ntcp_data:\t
FIN_WAIT_2\t0\ntcp_data:\t CLOSE_WAIT\t0\nipf_data:\t TCP
Total\t\t0\nipf_data:\t UDP Total\t\t0\nipf_total:\t
Frame 1 (1066 bytes on wire, 1066 bytes captured)
Arrival Time: Feb 1, 2008 09:14:23.073515000
[Time delta from previous packet: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Packet Length: 1066 bytes
Capture Length: 1066 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:syslog]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Cisco_12:b4:4a (00:0f:f8:12:b4:4a), Dst:
CompaqHp_41:c6:af (00:0b:cd:41:c6:af)
Destination: CompaqHp_41:c6:af (00:0b:cd:41:c6:af)
Address: CompaqHp_41:c6:af (00:0b:cd:41:c6:af)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique
address (factory default)
Source: Cisco_12:b4:4a (00:0f:f8:12:b4:4a)
Address: Cisco_12:b4:4a (00:0f:f8:12:b4:4a)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique
address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 1.2.3.4 (1.2.3.4), Dst: 9.8.7.6 (9.8.7.6)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 1052
Identification: 0xa1db (41435)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 61
Protocol: UDP (0x11)
Header checksum: 0xf7a4 [correct]
[Good: True]
[Bad : False]
Source: 1.2.3.4 (1.2.3.4)
Destination: 9.8.7.6 (9.8.7.6)
User Datagram Protocol, Src Port: syslog (514), Dst Port: syslog (514)
Source port: syslog (514)
Destination port: syslog (514)
Length: 1032
Checksum: 0xf9d3 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Syslog message: LOCAL2.ERR: Feb 1 09:14:23 auditd: Feb 1 14:14:23
2008 GMT f_system a_hmon t_geninfo p_major pid: 1372 ruid: 0 euid: 0
pgid: 1372 fid: 0 logid: 0 cmd: 'monitord' domain: HMON edomain: HMON
hostname: perfjupiterb.bwc.sta
1001 0... = Facility: LOCAL2 - reserved for local use (18)
.... .011 = Level: ERR - error conditions (3)
Message [truncated]: Feb 1 09:14:23 auditd: Feb 1 14:14:23 2008
GMT f_system a_hmon t_geninfo p_major pid: 1372 ruid: 0 euid: 0 pgid:
1372 fid: 0 logid: 0 cmd: 'monitord' domain: HMON edomain: HMON
hostname: perfjupiterb.bwc.state.oh.u
No. Time Source Destination Protocol Packet length Info
2 09:14:23.073537 1.2.3.4 9.8.7.6 Syslog 69
LOCAL2.ERR: Feb 1 09:14:23 0\n\n
Frame 2 (69 bytes on wire, 69 bytes captured)
Arrival Time: Feb 1, 2008 09:14:23.073537000
[Time delta from previous packet: 0.000022000 seconds]
[Time since reference or first frame: 0.000022000 seconds]
Frame Number: 2
Packet Length: 69 bytes
Capture Length: 69 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:syslog]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Cisco_12:b4:4a (00:0f:f8:12:b4:4a), Dst:
CompaqHp_41:c6:af (00:0b:cd:41:c6:af)
Destination: CompaqHp_41:c6:af (00:0b:cd:41:c6:af)
Address: CompaqHp_41:c6:af (00:0b:cd:41:c6:af)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique
address (factory default)
Source: Cisco_12:b4:4a (00:0f:f8:12:b4:4a)
Address: Cisco_12:b4:4a (00:0f:f8:12:b4:4a)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique
address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 1.2.3.4 (1.2.3.4), Dst: 9.8.7.6 (9.8.7.6)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 55
Identification: 0xa1dc (41436)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 61
Protocol: UDP (0x11)
Header checksum: 0xfb88 [correct]
[Good: True]
[Bad : False]
Source: 1.2.3.4 (1.2.3.4)
Destination: 9.8.7.6 (9.8.7.6)
User Datagram Protocol, Src Port: syslog (514), Dst Port: syslog (514)
Source port: syslog (514)
Destination port: syslog (514)
Length: 35
Checksum: 0xec1c [correct]
[Good Checksum: True]
[Bad Checksum: False]
Syslog message: LOCAL2.ERR: Feb 1 09:14:23 0\n\n
1001 0... = Facility: LOCAL2 - reserved for local use (18)
.... .011 = Level: ERR - error conditions (3)
Message: Feb 1 09:14:23 0\n\n
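To see how differently the two datagrams above look to a BSD-syslog receiver, here is an added example (not from the post and not syslog-ng code): it splits each payload along RFC 3164 header lines and runs it through a simplified model of the posted host() filters. The keep_hostname flag, the sender address and the tag-versus-hostname heuristic are assumptions of this model; syslog-ng's own parser and its keep_hostname()/use_dns() handling are not reproduced here.

```python
"""Added example (not from the post or from syslog-ng): split the two
datagrams from the capture as a BSD-syslog (RFC 3164) receiver would,
then route them through a simplified model of the posted host() filters.
The keep_hostname flag stands in for syslog-ng's keep_hostname() option;
real parsing heuristics and DNS handling differ from this toy model."""
import re

# Constructed payloads matching the two 'Syslog message' fields in the
# capture; Wireshark decodes LOCAL2 (18) / ERR (3), so PRI = 18*8+3 = 147.
DATAGRAM_1 = ("<147>Feb 1 09:14:23 auditd: Feb 1 14:14:23 2008 GMT "
              "f_system a_hmon t_geninfo p_major pid: 1372 cmd: 'monitord'")
DATAGRAM_2 = "<147>Feb 1 09:14:23 0\n\n"
PT_NETWORK_DEVICES = {"1.2.3.4", "2.3.4.5"}   # hosts in f_pt_network_device

_HDR = re.compile(r"^<(?P<pri>\d{1,3})>"
                  r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ?"
                  r"(?P<rest>.*)$", re.S)

def parse_bsd_syslog(datagram):
    """Return facility, severity, timestamp, header hostname (if any),
    program tag (if any) and message text for one datagram, or None."""
    m = _HDR.match(datagram)
    if not m:
        return None
    pri = int(m.group("pri"))
    first, _, remainder = m.group("rest").partition(" ")
    first = first.strip()
    # A token ending in ':' (or carrying '[pid]') is a program TAG, so the
    # header carries no hostname; any other bare token is read as HOSTNAME.
    if not first or first.endswith(":") or "[" in first:
        hostname, tag, msg = None, first.rstrip(":") or None, remainder
    else:
        hostname, tag, msg = first, None, remainder
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": m.group("ts"),
            "hostname": hostname, "tag": tag, "msg": msg.strip()}

def route(datagram, sender_ip, keep_hostname):
    """Model the two posted log paths: HOST is the header hostname when
    keep_hostname is on and one was parsed, otherwise the sender address."""
    parsed = parse_bsd_syslog(datagram)
    host = parsed["hostname"] if keep_hostname and parsed["hostname"] else sender_ip
    if host in PT_NETWORK_DEVICES:            # f_pt_network_device
        return "d_pt_network_device"
    return "d_catch_all_others"               # f_all_devices: not host(...)

if __name__ == "__main__":
    for d in (DATAGRAM_1, DATAGRAM_2):
        print(parse_bsd_syslog(d), route(d, "1.2.3.4", True), route(d, "1.2.3.4", False))
```

In this model the trailing fragment parses with "0" as its header hostname and an empty message, so a host-keyed filter sees it as coming from a different host than the sender of the first datagram.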