[syslog-ng] Invalid frame header; header=''

Balint Kovacs balint.kovacs at balabit.com
Wed Oct 14 11:09:13 CEST 2009


jnordwick wrote:
> I can't seem to get syslog-ng to recognize a syslog message. I used
> the example message you give in the docs, but all it says is  "Invalid  
> frame header".
>
>
>
> Here is the error message:
>
> Oct 13 14:35:55 logger-01 syslog-ng[29653]: Invalid frame header;  
> header=''
>
>
>
> here is how I'm sending my test message:
>
> echo "<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 -  
> BOM'su root' failed for lonvick on /dev/pts/8" | nc logger-01 20514
>
>
>
> Here is the config:
>
> options {
>      flush_lines(1);
> };
>
> source src {
>      internal();
>      syslog(ip("192.168.27.198") port(20514) transport("tcp"));
> };
>
> destination dest { file("/data/local/logs/sys.log" owner(xl) group 
> (xl)); };
>
> log { source(src); destination(dest); };
>
>   
Hi,

you are trying to receive IETF syslog protocol (syslog() source
driver) that uses frames rather than newline to separate the individual
messages. 

At the same time the included nc command line sends legacy BSD syslog
w/o a frame header (essentially the same as sending with the tcp()
driver), that's why you are receiving this error from syslog-ng. 

If you change the source to tcp(), the problem should go away.

Best Regards,
Balint

-- 
Balint Kovacs
Security Engineer
balint.kovacs at balabit.com

BalaBit IT Security
Bártfai str. 54.
H-1115 Budapest
Phone +36 1 371 0540
Fax +36 1 208 0875
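
The framing difference described in the reply above, as an added example that is not part of the original thread and is not syslog-ng's own code. It assumes the octet-counted framing used for IETF syslog over stream transports (decimal message length, one space, then the message); the names frame, read_frames and InvalidFrameHeader are hypothetical, and the sample message is the one from the question.

```python
# Added example: a model of octet-counted framing, not syslog-ng source code.

class InvalidFrameHeader(ValueError):
    """The stream does not start with '<decimal length><space>'."""

# Test message from the question (line wrap removed, "BOM" kept as literal text).
MSG = (b"<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - "
       b"BOM'su root' failed for lonvick on /dev/pts/8")

def frame(msg: bytes) -> bytes:
    """Prefix a message with its length in octets and a single space."""
    return str(len(msg)).encode("ascii") + b" " + msg

def read_frames(stream: bytes, max_header_digits: int = 10) -> list:
    """Split a byte stream into messages using the octet-count prefix."""
    messages, pos = [], 0
    while pos < len(stream):
        end = pos
        # Collect the decimal length that must open every frame.
        while end < len(stream) and stream[end:end + 1].isdigit():
            end += 1
        header = stream[pos:end]
        # A legacy BSD line starts with '<', so no digits are collected here.
        if (not header or len(header) > max_header_digits
                or stream[end:end + 1] != b" "):
            raise InvalidFrameHeader(
                f"Invalid frame header; header={header.decode()!r}")
        start, length = end + 1, int(header)
        if start + length > len(stream):
            raise ValueError("truncated frame: fewer octets than announced")
        messages.append(stream[start:start + length])
        pos = start + length
    return messages

if __name__ == "__main__":
    # What `echo "..." | nc` puts on the wire: the message plus a newline.
    try:
        read_frames(MSG + b"\n")
    except InvalidFrameHeader as exc:
        print("unframed input:", exc)
    # Two framed messages back to back, no newline needed between them.
    wire = frame(MSG) + frame(MSG)
    print("framed input:", len(read_frames(wire)), "messages")
```

A receiver that expects this framing should also cap the announced length before buffering, since the sender controls that number.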
