[syslog-ng] Invalid frame header; header=''

jnordwick jnordwick at allstontrading.com
Wed Oct 14 15:51:12 CEST 2009


I want the new syslog style messages. I'm writing some Java code to  
send messages to syslog and I need the new format. Is there somewhere  
that the transport protocol is described? It will also be over UDP  
too. TCP was just for a little test.

Thanks
-j


On Oct 14, 2009, at 4:09 AM, Balint Kovacs wrote:

> jnordwick wrote:
>> I can't seem to get syslog-ng to recognize a syslog message. I used
>> the example message you give in the docs, but all it says is
>> "Invalid frame header".
>>
>>
>>
>> Here is the error message:
>>
>> Oct 13 14:35:55 logger-01 syslog-ng[29653]: Invalid frame header; header=''
>>
>>
>>
>> here is how I'm sending my test message:
>>
>> echo "<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8" | nc logger-01 20514
>>
>>
>>
>> Here is the config:
>>
>> options {
>>     flush_lines(1);
>> };
>>
>> source src {
>>     internal();
>>     syslog(ip("192.168.27.198") port(20514) transport("tcp"));
>> };
>>
>> destination dest { file("/data/local/logs/sys.log" owner(xl) group(xl)); };
>>
>> log { source(src); destination(dest); };
>>
>>
> Hi,
>
> you are trying to receive IETF syslog protocol (syslog() source
> driver) that uses frames rather than newline to separate the
> individual messages.
>
> At the same time the included nc command line sends legacy BSD syslog
> w/o a frame header (essentially the same as sending with the tcp()
> driver), that's why you are receiving this error from syslog-ng.
>
> If you change the source to tcp(), the problem should go away.
>
> Best Regards,
> Balint
>
> -- 
> Balint Kovacs
> Security Engineer
> balint.kovacs at balabit.com
>
> BalaBit IT Security
> Bártfai str. 54.
> H-1115 Budapest
> Phone +36 1 371 0540
> Fax +36 1 208 0875
>
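
Added example, not part of the original thread and not syslog-ng's code: a Python sketch of the framing the reply refers to, assuming the frame header is the octet-count prefix (`MSG-LEN SP SYSLOG-MSG`) defined in RFC 5425. The names `frame`, `deframe`, `InvalidFrameHeader` and the `MAX_FRAME` limit are hypothetical; the sample is the message from the post with the literal `BOM` replaced by a real byte order mark.

```python
# Added example: octet-counted syslog framing (RFC 5425, section 4.3).
# Not syslog-ng source code; all names below are hypothetical.
MAX_FRAME = 65536  # assumed cap so a bogus length cannot make the reader buffer forever

# Sample from the post, with the placeholder "BOM" replaced by a real byte order mark.
SAMPLE = ("<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - "
          "\ufeff'su root' failed for lonvick on /dev/pts/8")


class InvalidFrameHeader(ValueError):
    """Raised when the stream does not start with '<decimal length><space>'."""


def frame(msg: str) -> bytes:
    """Return MSG-LEN SP SYSLOG-MSG, where MSG-LEN counts octets, not characters."""
    payload = msg.encode("utf-8")
    return str(len(payload)).encode("ascii") + b" " + payload


def deframe(buf: bytes):
    """Split received bytes into messages; return (messages, unconsumed_bytes)."""
    messages, pos = [], 0
    while pos < len(buf):
        end = pos
        while end < len(buf) and end - pos < 10 and buf[end:end + 1].isdigit():
            end += 1
        if end == len(buf):
            break  # only digits so far: the length field is still arriving
        header = buf[pos:end]
        if not header or header.startswith(b"0") or buf[end:end + 1] != b" ":
            raise InvalidFrameHeader("header=%r" % header.decode("ascii"))
        length = int(header)
        if length > MAX_FRAME:
            raise InvalidFrameHeader("frame of %d octets exceeds limit" % length)
        start = end + 1
        if start + length > len(buf):
            break  # partial frame: wait for more bytes
        messages.append(buf[start:start + length].decode("utf-8", "replace"))
        pos = start + length
    return messages, buf[pos:]


if __name__ == "__main__":
    print(deframe(frame(SAMPLE) + frame(SAMPLE)))  # two messages, nothing left over
    try:
        deframe(SAMPLE.encode("utf-8") + b"\n")    # what echo | nc puts on the wire
    except InvalidFrameHeader as exc:
        print("rejected:", exc)
```

Over UDP (RFC 5426) each datagram carries exactly one message, so no length prefix is used there.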

