[syslog-ng] TCP recv bug in syslog-ng v2.09?

Tue Aug 17 20:52:06 CEST 2010

If I recall correctly its because cisco equipment doesnt terminate its 
log entries with newlines, so when sending via TCP, syslog-ng thinks the 
message is going to be continued in another packet (UDP is assumed to be 
1 packet per log entry).
The only way to fix this is an ugly hack to set the timeout so that when 
it doesnt get a reply within a certain time, it assumes the log entry 
ended. but if several log entries are sent within the timeout, then 
they'll all be mashed together into 1 syslog-ng entry.

Sent: Tuesday, August 17, 2010 12:28:28 PM
From: Clayton Dukes <cdukes at gmail.com>
To: Syslog-ng users' and developers' mailing list 
<syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] TCP recv bug in syslog-ng v2.09?
> Hey guys,
> Are there any known bugs for syslog-ng v2.09  that won't allow a cisco 
> router to send logs over tcp?
> I can see a connection established in syslog-ng.
> I also see the message come in via tcpdump, but nothing in syslog-ng's 
> output.
> If I change the router from tcp to udp, messages come in as expected.
>
> *Router config:*
>
> logging source-interface Loopback0 
> logging 172.18.224.150 <tricon:40,-1%7C172.18.224.150;majoshi at cisco.com> 
> logging host 172.18.224.190 
> <tricon:40,-1%7C172.18.224.190;majoshi at cisco.com> transport tcp
>
>
> *syslog-ng config:*
>
> source s_all {
>         udp();
>         tcp(ip(11.31.130.99) port(8002) max-connections(300));
>         tcp(ip(172.18.224.190) port(601) max-connections(300));
> };
>
>
> *debug output:*
> I commented out the line above for the other interface (11.31.130.99), 
> restarted and this is all I see:
> Syslog connection accepted; from='AF_INET(14.3.23.50 
> <tricon:40,-1%7C%2814.3.23.50;majoshi at cisco.com>:63845)', 
> to='AF_INET(172.18.224.190 
> <tricon:40,-1%7C%28172.18.224.190;majoshi at cisco.com>:601)'
>
>
> *tcpdump:*
>
> 14:13:46.914566 IP (tos 0x0, ttl 251, id 4303, offset 0, flags [none], 
> proto TCP (6), length 134)
>     14.3.23.50.63845 > xxx.com.601: Flags [.], seq 230:324, ack 1, win 
> 4128, length 94
>
>
> *Router debug:*
>
> *Aug 17 17 <tricon:40,-1%7C17%2017;majoshi at cisco.com>:34:19.772 
> <tricon:40,-1%7C.772;majoshi at cisco.com>: %SYS-5- 
> <tricon:40,-1%7C-5-;majoshi at cisco.com>CONFIG_I: Configured from 
> console by pnoc on vty0 (172.18.224.151) 
> <tricon:40,-1%7C0%20%28172.18.224.151%29;majoshi at cisco.com> 
> *Aug 17 17 <tricon:40,-1%7C17%2017;majoshi at cisco.com>:34:20.776 
> <tricon:40,-1%7C.776;majoshi at cisco.com>: Released port 15205 
> <tricon:40,-1%7C15205;majoshi at cisco.com> in Transport Port Agent for 
> TCP IP type 1 delay 240000 <tricon:40,-1%7C240000;majoshi at cisco.com> 
> *Aug 17 17 <tricon:40,-1%7C17%2017;majoshi at cisco.com>:34:20.776 
> <tricon:40,-1%7C.776;majoshi at cisco.com>: TCB 0x850 
> <tricon:40,-1%7C850;majoshi at cisco.com>F9754 
> <tricon:40,-1%7C9754;majoshi at cisco.com> destroyed 
> *Aug 17 17 <tricon:40,-1%7C17%2017;majoshi at cisco.com>:34:25.775 
> <tricon:40,-1%7C.775;majoshi at cisco.com>: TCB83648 
> <tricon:40,-1%7C83648;majoshi at cisco.com>E60 created 
> *Aug 17 17 <tricon:40,-1%7C17%2017;majoshi at cisco.com>:34:25.775 
> <tricon:40,-1%7C.775;majoshi at cisco.com>: TCB83648 
> <tricon:40,-1%7C83648;majoshi at cisco.com>E60 setting property TCP_PID 
> (8) 845083 <tricon:40,-1%7C%288%29%20845083;majoshi at cisco.com>E4
> *Aug 17 17 <tricon:40,-1%7C17%2017;majoshi at cisco.com>:34:25.775 
> <tricon:40,-1%7C.775;majoshi at cisco.com>: TCB83648 
> <tricon:40,-1%7C83648;majoshi at cisco.com>E60 setting property 
> TCP_NO_DELAY (1) 845083 
> <tricon:40,-1%7C%281%29%20845083;majoshi at cisco.com>E8
> *Aug 17 17 <tricon:40,-1%7C17%2017;majoshi at cisco.com>:34:25.775 
> <tricon:40,-1%7C.775;majoshi at cisco.com>: TCB83648 
> <tricon:40,-1%7C83648;majoshi at cisco.com>E60 setting property TCP 
> keepalive timeout (17) 845084 
> <tricon:40,-1%7C%2817%29%20845084;majoshi at cisco.com>A0 
> *Aug 17 17 <tricon:40,-1%7C17%2017;majoshi at cisco.com>:34:25.775 
> <tricon:40,-1%7C.775;majoshi at cisco.com>: TCP: Random local port 
> generated 63845 <tricon:40,-1%7C63845;majoshi at cisco.com>, network 1 
> *Aug 17 17 <tricon:40,-1%7C17%2017;majoshi at cisco.com>:34:25.775 
> <tricon:40,-1%7C.775;majoshi at cisco.com>: TCB83648 
> <tricon:40,-1%7C83648;majoshi at cisco.com>E60 bound to 14.3.23.50.63845 
> <tricon:40,-1%7C14.3.23.50.63845;majoshi at cisco.com> 
> *Aug 17 17 <tricon:40,-1%7C17%2017;majoshi at cisco.com>:34:25.775 
> <tricon:40,-1%7C.775;majoshi at cisco.com>: Reserved port 63845 
> <tricon:40,-1%7C63845;majoshi at cisco.com> in Transport Port Agent for 
> TCP IP type 1 
> *Aug 17 17 <tricon:40,-1%7C17%2017;majoshi at cisco.com>:34:25.775 
> <tricon:40,-1%7C.775;majoshi at cisco.com>: TCP: sending SYN, seq 
> 3300233565 <tricon:40,-1%7C3300233565;majoshi at cisco.com>, ack 0 
> *Aug 17 17 <tricon:40,-1%7C17%2017;majoshi at cisco.com>:34:25.775 
> <tricon:40,-1%7C.775;majoshi at cisco.com>: TCP0: Connection to 
> 172.18.224.190 <tricon:40,-1%7C172.18.224.190;majoshi at cisco.com>:601, 
> advertising MSS 536 <tricon:40,-1%7C536;majoshi at cisco.com> 
> *Aug 17 17 <tricon:40,-1%7C17%2017;majoshi at cisco.com>:34:25.775 
> <tricon:40,-1%7C.775;majoshi at cisco.com>: TCP0: state was CLOSED -> 
> SYNSENT [63845 - <tricon:40,-1%7C63845%20-;majoshi at cisco.com>> 
> 172.18.224.190(601) 
> <tricon:40,-1%7C172.18.224.190%28601%29;majoshi at cisco.com>] 
> *Aug 17 17 <tricon:40,-1%7C17%2017;majoshi at cisco.com>:34:25.779 
> <tricon:40,-1%7C.779;majoshi at cisco.com>: TCP0: state was SYNSENT -> 
> ESTAB [63845 - <tricon:40,-1%7C63845%20-;majoshi at cisco.com>> 
> 172.18.224.190(601) 
> <tricon:40,-1%7C172.18.224.190%28601%29;majoshi at cisco.com>] 
> *Aug 17 17 <tricon:40,-1%7C17%2017;majoshi at cisco.com>:34:25.779 
> <tricon:40,-1%7C.779;majoshi at cisco.com>: TCP: tcb 83648 
> <tricon:40,-1%7C83648;majoshi at cisco.com>E60 connection to 
> 172.18.224.190 <tricon:40,-1%7C172.18.224.190;majoshi at cisco.com>:601, 
> peer MSS 1460 <tricon:40,-1%7C1460;majoshi at cisco.com>, MSS is 536 
> <tricon:40,-1%7C536;majoshi at cisco.com> 
> *Aug 17 17 <tricon:40,-1%7C17%2017;majoshi at cisco.com>:34:25.779 
> <tricon:40,-1%7C.779;majoshi at cisco.com>: TCB83648 
> <tricon:40,-1%7C83648;majoshi at cisco.com>E60 connected to 
> 172.18.224.190.601 <tricon:40,-1%7C172.18.224.190.601;majoshi at cisco.com> 
> *Aug 17 17 <tricon:40,-1%7C17%2017;majoshi at cisco.com>:34:25.779 
> <tricon:40,-1%7C.779;majoshi at cisco.com>: %SYS-6- 
> <tricon:40,-1%7C-6-;majoshi at cisco.com>LOGGINGHOST_STARTSTOP: Logging 
> to host 172.18.224.190 
> <tricon:40,-1%7C172.18.224.190;majoshi at cisco.com> port 601 
> <tricon:40,-1%7C601;majoshi at cisco.com> started - reconnection
>
> ______________________________________________________________
>
> Clayton Dukes
> ______________________________________________________________
> ------------------------------------------------------------------------
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
>   
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20100817/ef75ed67/attachment-0001.htm 